tor: attacks and countermeasures
TRANSCRIPT
Page 1
Tor: Attacks and Countermeasures
Dr Gareth Owen
Page 2
Who am I?
• An academic
– My first Bsides!
• Course leader for the Forensic Computer BSc
• Teach everything from forensics, cryptography through to malware analysis.
• Research interests:
– Reverse engineering
– Memory forensics
Page 3
Overview
• How Tor works
• Attempts to block Tor
• How hidden services work
– Deanonymising visitors and servers
• FBI Exploit
Page 5
The problems
ANONYMITY / PRIVACY / CENSORSHIP
Page 6
The problems
ANONYMITY / PRIVACY / CENSORSHIP
Diagram: USER 1, USER 2 and USER 3 reach Wikileaks and Wikipedia through a Proxy/VPN/etc.
![Page 7: Tor: Attacks and Countermeasures](https://reader031.vdocuments.us/reader031/viewer/2022012113/61dcdbe4e0b559071841e5b5/html5/thumbnails/7.jpg)
Tor• Open source project
• Sponsored by a range of orgs including US Govt!
• Decentralised low latency mix network
• No single authority
Page 8
How Tor works
Diagram: User -> A (GUARD) -> B (RELAY) -> C (EXIT); data is passed hop by hop along the circuit.
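As an added illustration of the circuit pictured on this page (not code from the talk), here is a small Python model of onion-layered forwarding through guard, relay and exit. The hop names, the pre-shared per-hop keys and the HMAC-based toy stream cipher are assumptions made for the demo; Tor negotiates its keys hop by hop during circuit construction and uses AES-CTR. The point the model makes is the one the following slides build on: the guard knows who the user is, the exit knows what is being sent, and no single hop sees both.

```python
import hashlib
import hmac
import os

# Constructed per-hop keys for a three-hop circuit (guard A, middle relay B, exit C).
# In Tor these are negotiated per hop while the circuit is built; here they are
# simply pre-shared so the example runs offline.
PATH = ["guard", "relay", "exit"]
HOP_KEYS = {
    "guard": b"constructed-key-guard-A",
    "relay": b"constructed-key-relay-B",
    "exit":  b"constructed-key-exit-C",
}
DELIVER = 0xFF   # routing tag meaning "you are the exit: hand the payload to the destination"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (stand-in for Tor's AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap(key: bytes, inner: bytes, nonce: bytes) -> bytes:
    """Add one onion layer: nonce || (inner XOR keystream)."""
    return nonce + _xor(inner, _keystream(key, nonce, len(inner)))


def _unwrap(key: bytes, layer: bytes) -> bytes:
    """Peel one onion layer with this hop's key."""
    nonce, body = layer[:8], layer[8:]
    return _xor(body, _keystream(key, nonce, len(body)))


def build_onion(message: bytes, path=PATH, keys=HOP_KEYS) -> bytes:
    """Client side: wrap the innermost (exit) layer first. Inside each layer the first
    byte tells the hop where to forward the rest: an index into `path`, or DELIVER."""
    nonce = os.urandom(8)
    onion = bytes([DELIVER]) + message
    for i in range(len(path) - 1, -1, -1):
        onion = _wrap(keys[path[i]], onion, nonce)
        if i > 0:
            onion = bytes([i]) + onion   # read by hop i-1 once it has peeled its own layer
    return onion


def relay_process(hop: str, onion: bytes, keys=HOP_KEYS):
    """What a single relay does: peel its layer, read the routing tag, forward the rest."""
    plain = _unwrap(keys[hop], onion)
    return plain[0], plain[1:]


def run_circuit(message: bytes, path=PATH, keys=HOP_KEYS):
    """Simulate the whole circuit. Returns (what each hop learned, the delivered payload)."""
    onion = build_onion(message, path, keys)
    views = {}
    hop = path[0]                       # the client talks only to its guard
    while True:
        tag, rest = relay_process(hop, onion, keys)
        if tag == DELIVER:
            views[hop] = {"next": "destination", "sees_plaintext": True}
            return views, rest
        # A non-exit hop learns only its neighbours; the payload is still ciphertext to it.
        views[hop] = {"next": path[tag], "sees_plaintext": message in rest}
        hop, onion = path[tag], rest


if __name__ == "__main__":
    views, delivered = run_circuit(b"GET / HTTP/1.0")
    for hop, view in views.items():
        print(f"{hop:>5}: forwards to {view['next']}, sees plaintext: {view['sees_plaintext']}")
    print("exit delivered:", delivered)
```

The guard's view contains the user's address but only ciphertext; the exit's view contains the plaintext but only the previous relay's address. Joining the two ends is exactly what the traffic-correlation attack on the following pages does.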
Page 9
The Tor Ecosystem
• tor core program
– One program does all
• Tor Browser bundle
• Vidalia
• Torify/torsocks
• Arm
• Orbot
• Exonerator
Diagram: the Tor program exposes a SOCKS port, a Tor port, a Dir port and a Control port.
Page 10
How FVEYs deanonymise users
• Cookies e.g. doubleclick
– Seeding!
• Dumb users (aka opsec)
• Exploitation
• Traffic confirmation/correlation
– Aka fundamental weaknesses which we’ll focus on
– Unclear whether they’ve had much success due to age of Snowden docs.
– Academia has had success
Page 11
Building circuits through Tor
• Every Tor node that relays traffic publishes a descriptor to the “authorities”
• 10 Directory Authorities who maintain list of routers
– Public key for authorities embedded in client.
– Authorities test tor relays and sign their descriptors
– Authorities vote on relay properties and publish the “consensus”
• Guard: 1731, Exit: 821, BadExit: 7
Page 12
Obvious attacks
• To deanonymise a user with certainty you need to control all three hops
– Run lots of tor nodes and hope your target(s) choose your three hops as a circuit.
• To deanonymise a user with high probability you need to control just the guard and exit.
– “Traffic correlation attack”
– Works regardless of circuit length
– Can be used by a powerful adversary who can observe a large number of tor nodes (but doesn’t run them).
• The probability of a relay being chosen for a circuit is proportional to its available bandwidth.
Page 13
Defending against such attacks
• Make it highly unlikely an attacker can control the guard or exit.
– A Tor client chooses three guard nodes on boot and sticks with them for a long period (months).
– Provided your guard choice is right, all your traffic is safe.
– Alternative: choose a random guard regularly: even a weak adversary has a high probability of deanonymising some of your traffic.
• High latency
• Padding
Diagram: User connected to three guards (GD GD GD).
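An added worked calculation (not from the talk) of the bandwidth-weighted selection stated on the previous page and of the guard-persistence argument on this one. The relay list and bandwidths are constructed, the weighting ignores Tor's extra per-position weights, and the closed forms assume circuits are built independently. Running it shows why the design keeps guards fixed: with a fresh guard per circuit an attacker's small bandwidth share eventually lands on both ends of some circuit, whereas with a fixed guard the user is either safe for every circuit or not, and the second case is rare.

```python
# Constructed consensus excerpt: bandwidth in arbitrary units and the flags each relay
# holds. The two "attacker" relays are the adversary's foothold at each end of a circuit.
RELAYS = [
    {"name": "guard-1",    "owner": "honest",   "bw": 5000, "flags": {"Guard"}},
    {"name": "guard-2",    "owner": "honest",   "bw": 4900, "flags": {"Guard"}},
    {"name": "exit-1",     "owner": "honest",   "bw": 600,  "flags": {"Exit"}},
    {"name": "exit-2",     "owner": "honest",   "bw": 350,  "flags": {"Exit"}},
    {"name": "evil-guard", "owner": "attacker", "bw": 100,  "flags": {"Guard"}},
    {"name": "evil-exit",  "owner": "attacker", "bw": 50,   "flags": {"Exit"}},
]


def selection_probability(relays, owner, role):
    """Probability that a bandwidth-weighted pick for `role` lands on a relay run by
    `owner`. Simplified: real Tor adds position weights, but the choice stays
    proportional to advertised bandwidth, which is the point on the slides."""
    eligible = [r for r in relays if role in r["flags"]]
    total = sum(r["bw"] for r in eligible)
    return sum(r["bw"] for r in eligible if r["owner"] == owner) / total


def p_circuit_both_ends(p_guard, p_exit):
    """One circuit: attacker holds both guard and exit, so can correlate its traffic."""
    return p_guard * p_exit


def p_some_circuit_rotating(p_guard, p_exit, circuits):
    """Fresh random guard for every circuit: each circuit is an independent trial."""
    return 1 - (1 - p_guard * p_exit) ** circuits


def p_some_circuit_fixed_guard(p_guard, p_exit, circuits):
    """Guard chosen once and kept. Either it is the attacker's (probability p_guard) and
    some circuit will almost surely also pick the attacker's exit, or it is honest and
    no circuit can ever be seen at both ends."""
    return p_guard * (1 - (1 - p_exit) ** circuits)


def compare(circuits, relays=RELAYS, owner="attacker"):
    """Put the two guard policies side by side for a given number of circuits."""
    pg = selection_probability(relays, owner, "Guard")
    pe = selection_probability(relays, owner, "Exit")
    return {
        "p_guard": pg,
        "p_exit": pe,
        "single_circuit": p_circuit_both_ends(pg, pe),
        "rotating_guard": p_some_circuit_rotating(pg, pe, circuits),
        "fixed_guard": p_some_circuit_fixed_guard(pg, pe, circuits),
    }


if __name__ == "__main__":
    for n in (1, 100, 1000, 10000):
        r = compare(n)
        print(f"{n:>6} circuits: P(some circuit correlated) rotating guard "
              f"{r['rotating_guard']:.3f}, fixed guard {r['fixed_guard']:.3f}")
```

With the constructed numbers the attacker holds 1% of guard and 5% of exit bandwidth. A single circuit is caught with probability 0.0005 either way; over a thousand circuits the rotating-guard user has roughly a 39% chance that at least one was seen at both ends, while the fixed-guard user's risk stays capped at the 1% chance that the guard picked on first boot was the attacker's.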
Page 14
Tor Censorship
• Tor can be used to bypass censorship.
• Problem: list of relays is available from the authorities for anyone. Easily blockable.
• Enter: bridges
• China
Page 15
How China blocks Tor
• Great Firewall of China (GFC)
• Examined SSL/TLS cipher-suite to spot – then tried to talk Tor
• Fragmentation
• Pluggable transport
• AUTHENTICATE
Page 16
Tor Hidden Services
Alice<->Guard<->Relay<->RP<->Relay<->Relay<->Guard<->Bob
Pages 17-21
Distributed Hash Tables
Hash space: e.g. 000000->FFFFFF
• zqktlwi4fecvo6ri.onion
Diagram (built up over pages 17-21): the onion address maps to a descriptor ID (Desc ID) in the hash space, and the relays occupy points in the same space.
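An added example (not the talk's own code) of the descriptor placement in the DHT pictured on pages 17-21. The relay ring is constructed from made-up fingerprints, and `descriptor_id` is a simplified stand-in for the v2 derivation, kept only so that the daily movement of the descriptor around the ring is visible. For a relay operator or researcher it answers the question the experiment on the next page depends on: which relays are responsible for a service's descriptor on a given day, and therefore which relays see its publications and lookups.

```python
import base64
import bisect
import hashlib
import struct

# Constructed HSDir ring: 20-byte identity digests of 12 imaginary relays, sorted so the
# list reads clockwise round the hash space (000000->FFFFFF on the slides).
HSDIR_RING = sorted(hashlib.sha1(f"constructed-hsdir-{i}".encode()).digest()
                    for i in range(12))

ONION = "zqktlwi4fecvo6ri.onion"   # the v2 address quoted on the slides


def permanent_id(onion: str) -> bytes:
    """A v2 .onion label is 16 base32 characters, i.e. the service's 80-bit permanent id."""
    label = onion.split(".")[0].upper()
    return base64.b32decode(label)


def descriptor_id(perm_id: bytes, day: int, replica: int) -> bytes:
    """Point in the hash space where the descriptor lives for a given day and replica.
    Simplified stand-in for the v2 scheme: SHA1(permanent-id || SHA1(time-period || replica)).
    The real derivation also skews the time period per service and may mix in a cookie."""
    secret = hashlib.sha1(struct.pack(">IB", day, replica)).digest()
    return hashlib.sha1(perm_id + secret).digest()


def responsible_hsdirs(desc_id: bytes, ring=HSDIR_RING, count=3):
    """The `count` relays at or clockwise after desc_id, wrapping round the ring."""
    start = bisect.bisect_left(ring, desc_id)
    return [ring[(start + k) % len(ring)] for k in range(count)]


def hsdirs_for(onion: str, day: int, replicas=(0, 1), ring=HSDIR_RING):
    """All relays that store (and see lookups for) this service's descriptors on `day`."""
    pid = permanent_id(onion)
    return {replica: responsible_hsdirs(descriptor_id(pid, day, replica), ring)
            for replica in replicas}


def days_observed_by(relay_fp: bytes, onion: str, days, ring=HSDIR_RING):
    """Operator's view: on which of `days` would this relay be responsible for the service?
    Because the descriptor ID changes daily, responsibility moves around the ring."""
    return [d for d in days
            if any(relay_fp in fps for fps in hsdirs_for(onion, d, ring=ring).values())]


if __name__ == "__main__":
    for day in (16000, 16001):
        for replica, fps in hsdirs_for(ONION, day).items():
            print(day, replica, [fp.hex()[:8] for fp in fps])
```

Two things follow from the placement rule that matter for the next page: the set of responsible relays is small (three per replica), and it changes every day, so a relay that is an HSDir sees a different slice of services on each day it serves.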
Page 22
Our experiment
• Run 40 Tor nodes over several months
– Thanks to a generous student who donated huge server capacity. Each node must advertise >=50kb/sec BW.
• After 25 hrs, each is a node on the DHT.
• Record:
– Published hidden service descriptors
– Requests for hidden service descriptors
• Crawl root HTML pages and record page titles and other misc stuff (html only, no images).
Pages 23-24
Hidden Service popularity
1. Botnet C&C servers
– Sefnit and Skynet
2. Abuse sites
3. Silk road
4. Hidden wiki
5. Forums
6. Search engines
7. Drugs, porn, etc
Pages 25-28
Deanonymising Hidden Service users
• Traffic confirmation attacks are MUCH more powerful.
Diagram (built up over pages 25-28): User -> GD (guard) -> Tor network -> GD (guard) -> Hidden Service, with an HS Dir Node; the later builds add an “Attacker controls” label beside the HS Dir Node.
Pages 29-31
Deanonymising Hidden Services
Diagram (built up over pages 29-31): User -> GD (guard) -> Tor network -> GD (guard) -> Hidden Service, with an HS Dir Node; the last build adds an “Attacker controls” label.
Page 32
Silk Road
• Silk Road hosted on Freedom Hosting servers
– Huge drug eBay
– $1.2 billion revenue since creation, $80m profit!
• Operated by a chap called “Dread Pirate Roberts” aka Ross Ulbricht.
• Arrested Oct 2013 in public library
• Someone tried to blackmail him and he tried to get them assassinated (charming!).
• Caught by his own foolishness
Pages 33-34
Tor FBI/NSA/GCHQ Attack
• Freedom hosting servers started serving up some javascript
• Javascript performed a complex exploit against firefox
• Is this legal?
Pages 35-38
The shellcode
• Used Stephen Fewer’s API resolver
http://ghowen.me/fbi-tor
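To label the hashed API references in recovered shellcode, an analyst first has to reproduce the resolver's hash. The Python below is added here (it is not the walkthrough's code) and implements Fewer's ror13 scheme: it builds a hash-to-name table from a short constructed export list and scans a constructed byte sample for dwords that match. `KNOWN_EXPORTS` and `SAMPLE_BLOB` are assumptions made for the demo; the one constant it checks against is the widely published `kernel32.dll!LoadLibraryA` value 0x0726774C.

```python
import struct

# A few exports worth labelling. Constructed sample list, not taken from the exploit.
KNOWN_EXPORTS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "send"),
]


def ror(value: int, bits: int = 13) -> int:
    """32-bit rotate right, the primitive the resolver loops on."""
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def _hash_bytes(data: bytes) -> int:
    h = 0
    for b in data:
        h = (ror(h) + b) & 0xFFFFFFFF
    return h


def api_hash(module: str, function: str) -> int:
    """Reproduce the resolver's hash: the module name as upper-case UTF-16LE including its
    terminating null (the loop runs over the PEB entry's MaximumLength), plus the ASCII
    function name including its null, each folded with ror13/add and summed mod 2^32."""
    mod = (module.upper() + "\x00").encode("utf-16-le")
    fn = (function + "\x00").encode("ascii")
    return (_hash_bytes(mod) + _hash_bytes(fn)) & 0xFFFFFFFF


def build_lookup(exports=KNOWN_EXPORTS):
    """hash -> 'module!Function', for matching constants seen in a disassembly."""
    return {api_hash(m, f): f"{m.lower()}!{f}" for m, f in exports}


def find_api_hashes(blob: bytes, lookup):
    """Scan a byte blob at every offset for little-endian dwords that are known API hashes.
    Returns [(offset, label)] so the analyst can annotate the code around each hit."""
    hits = []
    for off in range(len(blob) - 3):
        dword = struct.unpack_from("<I", blob, off)[0]
        if dword in lookup:
            hits.append((off, lookup[dword]))
    return hits


# Constructed sample: two NOPs, then a "push imm32" whose immediate is the LoadLibraryA
# hash, then two padding bytes. Only the dword matters to the scanner.
SAMPLE_BLOB = b"\x90\x90\x68" + struct.pack("<I", 0x0726774C) + b"\x00\x00"


if __name__ == "__main__":
    table = build_lookup()
    for h, name in sorted(table.items()):
        print(f"0x{h:08X}  {name}")
    for off, name in find_api_hashes(SAMPLE_BLOB, table):
        print(f"offset {off}: {name}")
```

Extending `KNOWN_EXPORTS` with the full export list of the DLLs the sample touches turns this into the lookup step of the walkthrough: every hashed call site resolves to a readable name without running the shellcode.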
Page 39
How to help
• USE tor
• Run a tor relay (or even an exit!)
• Develop
• Donate
• Promote
• Do research
Page 40
Questions
Resources
• ghowen.me/git
– Modified tor client, scripts, crawler, etc
• ghowen.me/fbi-tor
– FBI exploit shellcode and walkthrough