The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network
The Sniper Attack is a memory-based denial-of-service attack on the Tor network that exploits Tor's flow control protocol. The talk covers the attack against arbitrary Tor relays, how the same DoS can be used to deanonymize hidden services, and the countermeasures (some now deployed in Tor) that restore the network's resilience, in a setting where active attacks increasingly subvert explicit security goals and escalate the censorship arms race.
Presentation Transcript
The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network
Network and Distributed System Security Symposium, February 25th, 2014
Rob Jansen (1), Florian Tschorsch (2), Aaron Johnson (1), Björn Scheuermann (2)
(1) U.S. Naval Research Laboratory; (2) Humboldt University of Berlin
The Tor Anonymity Network torproject.org
Censorship Arms Race (timeline: 2013, 2014)
Beyond the Finish Line
As the cost to block access increases, a viable alternative is to degrade service. Active attacks are increasingly pervasive. Understanding the attack space and how to defend is vital to Tor's continued resilience:
- as adversaries become increasingly sophisticated
- when attacks subvert explicit security goals
Outline
- Background
- The Sniper DoS Attack Against Tor's Flow Control Protocol
- How DoS Leads to Hidden Service Deanonymization
Tor Background (diagram: circuit through an entry relay and an exit relay)
Tor Background: one TCP connection between each pair of relays, carrying multiple circuits
Tor Background: no end-to-end TCP!
Tor Flow Control (diagram: packaging end at the exit, delivery end at the entry side)
Tor Flow Control: a SENDME signal every 100 cells; 1000-cell window limit
The Sniper Attack
- Memory-based denial of service (DoS) attack
- Exploits vulnerabilities in Tor's flow control protocol
- Can be used to disable arbitrary Tor relays
The Sniper Attack, step by step (diagram with entry and exit relays):
1. Start download: a request is sent through the circuit.
2. Reply: DATA arrives at the exit.
3. The exit packages the DATA into cells and relays them.
4. Stop reading from the connection: cells pile up in the queue of the relay whose connection is no longer being read.
5. Flow window closed: once the 1000-cell window is exhausted, the packaging end stops sending.
6. Periodically send SENDME.
7. Flow window opened: the packaging end resumes and more DATA cells join the queue.
8. Out of memory: the relay is killed by the OS.
9. Use Tor to hide: the same steps work anonymously through the network.
The Sniper Attack: Results
- Implemented a Sniper Attack prototype
- Controlled Sybils via the Tor Control Protocol
- Tested in Shadow (shadow.github.io)
- Measured: victim memory consumption rate, adversary bandwidth usage
Speed of Sniper Attack: time (hours:minutes) to consume the victim's RAM, for a direct and an anonymous attack against relays with 1 GiB and 8 GiB of RAM. Select % is the path selection probability of the relay group (slide annotations: Path Selection Probability, Network Capacity).

Relay Group     Select %   Direct 1 GiB   Direct 8 GiB   Anonymous 1 GiB   Anonymous 8 GiB
Top Guard       1.7        0:01           0:18           0:02              0:14
Top 5 Guards    6.5        0:08           1:03           0:12              1:37
Top 20 Guards   19         0:45           5:58           1:07              8:56
Top Exit        3.2        0:01           0:08           0:01              0:12
Top 5 Exits     13         0:05           0:37           0:07              0:57
Top 20 Exits    35         0:29           3:50           0:44              5:52

Adversary resources: < 1 GiB RAM, < 50 KiB/s downstream bandwidth, < 100 KiB/s upstream bandwidth.
Deanonymizing Hidden Services
1. Cause the HS to build new rendezvous circuits to learn its guard
2. Snipe the HS guard to force reselection
3. Repeat until the HS chooses an adversarial guard
Hidden Services (diagram labels: entry, RP = Rendezvous Point, IP = Introduction Point, HS = hidden service)
Hidden Services: the HS is notified of the RP via the IP
Hidden Services: the HS builds a new circuit (through its entry) to the RP
Deanonymizing Hidden Services: build new circuit to RP (S&P 2006, S&P 2013)
Deanonymizing Hidden Services: send 50 padding cells (S&P 2013)
Deanonymizing Hidden Services: identify the HS entry if cell count == 52 (S&P 2013)
Deanonymizing Hidden Services: Sniper Attack, or any other DoS, against the HS entry
Deanonymizing Hidden Services: send 50 padding cells; identify the HS if cell count == 53 (S&P 2013)
Speed of Deanonymization

Guard Probability (%)      0.48    0.97    1.9     3.8     5.4
Guard BW (MiB/s)           8.41    16.65   31.65   66.04   96.61
Average # Rounds           66      39      24      13      9
Average # Sniped           133     79      48      26      19
Average Time (h), 1 GiB    46      23      13      6       5
Average Time (h), 8 GiB    279     149     84      44      31

A 1 GiB/s relay can deanonymize an HS in about a day.
Countermeasures
Sniper Attack defenses:
- Authenticated SENDMEs
- Queue length limit
- Adaptive circuit killer (countermeasure deployed in Tor!)
Deanonymization defenses:
- Entry-guard rate-limiting
- Middle guards
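To make the flow-control slides and the countermeasures concrete, here is an added toy model (not code from the talk or from Tor) of one circuit's window and queue at a relay: a client that stops reading but keeps sending SENDMEs grows the queue without bound, while an authenticated SENDME (modelled here by a receipt token that stands in for the real digest; an assumption) stalls it at one window, and a queue length limit kills the circuit instead of the relay.

```python
# Toy model of Tor's circuit window under the Sniper pattern (added illustration,
# not Tor code; the "token" receipts stand in for authenticated-SENDME digests).
WINDOW = 1000        # cells the packaging end may send before it needs a SENDME
SENDME_EVERY = 100   # one SENDME re-opens the window by this many cells
QUEUE_LIMIT = 2000   # per-circuit queue cap (the queue length limit defense)

class Relay:         # one circuit's cell queue at a relay plus its window
    def __init__(self, authenticated, queue_limit=None):
        self.window, self.sent, self.queue = WINDOW, 0, []
        self.authenticated, self.queue_limit = authenticated, queue_limit
        self.expected_tokens = []   # receipts for every 100th cell sent
        self.killed = False

    def package(self):  # packaging end forwards one DATA cell if window open
        if self.killed or self.window == 0:
            return False
        self.sent += 1
        cell = f"DATA{self.sent}"
        self.queue.append(cell)     # buffered until the client reads it
        self.window -= 1
        if self.sent % SENDME_EVERY == 0:
            self.expected_tokens.append(cell)
        if self.queue_limit is not None and len(self.queue) > self.queue_limit:
            self.killed = True      # adaptive circuit killer: drop the circuit
        return True

    def sendme(self, token=None):  # authenticated mode demands proof of receipt
        if self.authenticated:
            if not self.expected_tokens or token != self.expected_tokens[0]:
                return False        # client never saw that cell: ignore
            self.expected_tokens.pop(0)
        self.window = min(WINDOW, self.window + SENDME_EVERY)
        return True

def run(authenticated, client_reads, rounds=5, queue_limit=None):
    """Return (peak queue length, circuit killed) after `rounds` SENDME bursts."""
    relay, received, acked, peak = Relay(authenticated, queue_limit), [], 0, 0
    for _ in range(rounds):
        while relay.package():      # packaging end fills the window
            pass
        peak = max(peak, len(relay.queue))
        if client_reads:            # honest client drains its connection
            received.extend(relay.queue)
            relay.queue.clear()
        for _ in range(WINDOW // SENDME_EVERY):
            acked += SENDME_EVERY   # non-reading client holds no cell: token None
            token = received[acked - 1] if acked <= len(received) else None
            relay.sendme(token)
    return peak, relay.killed
```

`run(False, False)` reaches a 5000-cell queue after five bursts, `run(True, False)` stays at 1000, and `run(False, False, queue_limit=QUEUE_LIMIT)` kills the circuit at 2001 cells.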
Questions? cs.umn.edu/~jansen rob.g.jansen@nrl.navy.mil think like an adversary
How Tor Works Tor protocol aware
Sniper Attack Experimental Results
Sniper Resource Usage: adversary RAM (MiB), downstream Rx (KiB/s) and upstream Tx (KiB/s) for the direct and the anonymous attack

Config                  Direct RAM   Direct Rx   Direct Tx   Anonymous RAM   Anonymous Rx   Anonymous Tx
1 team, 5 circuits      28           4.0         2.3         56              3.6            1.8
1 team, 10 circuits     28           6.1         2.6         57              9.4            2.1
5 teams, 50 circuits    141          30.0        9.5         283             27.7           8.5
10 teams, 100 circuits  283          56.0        20.9        564             56.6           17.0

Memory Consumed over Time (figure): RAM Consumed (MiB) against Time (m), direct and anonymous, for 10 teams / 100 circuits, 5 teams / 50 circuits, 1 team / 10 circuits, 1 team / 5 circuits, and no attack.