The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network


Page 1: The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network

Rob Jansen et al., NDSS 2014

Presenter: Yue Li. Part of the slides are adapted from R. Jansen.

Page 2

Outline

Background & Motivation
Tor Network
Sniper Attack
Hidden Service Deanonymization
Defense against Sniper Attack
Defense against DoS-based Deanonymization



Page 5

Background & Motivation

Large-scale Internet censorship.

Degree of Internet censorship by country
This is not what we want...


Page 7

Background & Motivation

As a result, people develop new privacy-enhancing techniques that increase the cost of detection.

The most popular deployed system: Tor


Page 9

Tor

● Application-layer overlay network
● Enables anonymous communication between clients and arbitrary Internet destinations.


Page 16

How does Tor work?

● Deploys onion routing, layered like an onion
● Transmits a packet from the user to a destination

Blue: Entry, Red: Relay, Yellow: Exit


Page 18

Sniper Attack

Vulnerabilities in Tor:
● Tor relies on the underlying TCP connection to guarantee reliability and in-order delivery.
● Tor is an application-layer system.
● Tor does not drop or reorder cells (packets in Tor).


Page 20

Sniper Attack

Sniper Basic Attack
● Attacker controls the client and the exit.
● Exit keeps sending cells, ignoring the package window limit.
● Client does not read cells from the entry.
● The entry's memory is used up queuing cells.

Page 21

Sniper Attack

Sniper Basic Attack - a second version
● Attacker controls the client and the server.
● Client keeps sending cells to the server, ignoring the package window limit.
● Server does not read cells from the exit.
● The exit's memory is used up queuing cells.

Page 22

Sniper Attack

Recall how Tor does flow control
● Exit has a window size of 1000 cells
● Client sends a SENDME signal to the exit to increase the window by 100 cells.
● Vice versa when packets flow from the client to the exit

Page 23

Sniper Attack

Sniper Basic Attack - Efficient Attack
● Attacker controls only the client.
● Client downloads a large file and keeps sending SENDME signals to the exit.
● Client does not read cells from the exit.
● The entry's memory is used up queuing cells.

Page 24

Sniper Attack - an illustration


Page 31

Sniper Attack

Avoid detection
● Tor detects a protocol violation by checking the circuit window (>1000)
● If a violation is detected, it closes the circuit and sends a DESTROY signal backward
● How to avoid detection?
  o Estimate the circuit throughput by probing
  o Send SENDME signals according to the estimation

Page 32

Sniper Attack

● The attack can be parallelized to accelerate memory consumption in the target
● Hide the Sniper
● Use Tor itself: exit1 will use up the 1000-cell limit and stop reading from entry2
● Other methods (public wireless network, botnet, etc.)

Page 33

Sniper Attack

● Implemented a Sniper Attack prototype
● Tested in Shadow
  o a simulated Tor network
● Measured
  o Victim memory consumption
  o Adversary bandwidth usage

Page 34

Sniper Attack - Result

Target Memory

Page 35

Sniper Attack - Result

Mean BW consumed at Adversary

Page 36

Sniper Attack - Result

Speed of Sniper Attack


Page 38

HS Deanonymization

Hidden Service
● Allows users to hide their locations while offering various services (web publishing, instant messaging, etc.)

The Sniper Attack can be deployed to deanonymize hidden services.

Page 39

Hidden Services

Client chooses the RP (rendezvous point)

Service chooses the IP (introduction point)

Client and Service communicate through the RP and the IP


Page 43

Deanonymizing HS

Three steps:
● Cause the HS to build new rendezvous circuits to learn its guard
● Snipe the HS guard to force reselection
● Repeat until the HS chooses an adversarial guard

Guard = Entry

Page 44

Deanonymizing HS

Try establishing new connections until an adversarial relay is chosen. Identify the HS entry using the method proposed by A. Biryukov et al. at S&P '13.

A. Biryukov, I. Pustogarov, and R.-P. Weinmann, "Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization", in S&P '13, May 2013


Page 47

Deanonymizing HS - Result

Speed of Deanonymization



Page 50

Defense against Sniper Attack

How can we defend against the Sniper Attack? Naturally...
● Authenticated SENDMEs
  o Sending SENDMEs without having received the cells is not allowed
  o However, each circuit is still able to queue 1000 cells in the target
● Queue Length Limit
  o Limit the queue length
  o Can still be attacked by a parallel Sniper Attack
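The following is an added example (not code from the paper or from Tor) that models the per-circuit package window recalled on the flow-control slide, with the relay's existing >1000 check beside the "authenticated SENDMEs" idea from this slide. The digest-echo mechanism, the class and function names, and the constructed cell payloads are assumptions made for illustration.

```python
import hashlib

WINDOW_START = 1000       # package window per circuit (flow-control slide)
SENDME_INCREMENT = 100    # cells acknowledged by one SENDME


class CircuitWindow:
    """Per-circuit package window at the relay that sends the data. With
    authenticated=True a SENDME must echo the digest of every 100th cell."""

    def __init__(self, authenticated=False):
        self.window, self.sent, self.destroyed = WINDOW_START, 0, False
        self.authenticated = authenticated
        self.expected_digests = []          # digest of every 100th cell sent

    def send_data_cell(self, payload):
        """Send one cell; returns its digest, or None if the window is exhausted."""
        if self.destroyed or self.window == 0:
            return None
        self.window -= 1
        self.sent += 1
        digest = hashlib.sha256(payload).hexdigest()
        if self.sent % SENDME_INCREMENT == 0:
            self.expected_digests.append(digest)
        return digest

    def receive_sendme(self, digest=None):
        """Handle a SENDME from the peer: 'ok', 'rejected' or 'destroyed'."""
        if self.destroyed:
            return "destroyed"
        if self.authenticated:
            if not self.expected_digests or digest != self.expected_digests[0]:
                return "rejected"       # claims receipt of cells it never saw
            self.expected_digests.pop(0)
        self.window += SENDME_INCREMENT
        if self.window > WINDOW_START:  # Tor's existing protocol-violation check
            self.destroyed = True       # circuit closed, DESTROY sent backward
            return "destroyed"
        return "ok"


def demo():
    plain, auth = CircuitWindow(), CircuitWindow(authenticated=True)
    for i in range(SENDME_INCREMENT):
        plain.send_data_cell(b"cell-%d" % i)     # constructed payloads
        last = auth.send_data_cell(b"cell-%d" % i)
    # Plain relay: one SENDME per 100 cells sent passes the >1000 check even if
    # the peer never read them; the authenticated relay needs the real digest.
    return (plain.receive_sendme(), auth.receive_sendme("00" * 32),
            auth.receive_sendme(last))
```

Note that a relay running only the >1000 check catches a SENDME sent before any cells were delivered, while a paced SENDME is accepted unread; with the digest check the relay still queues up to 1000 cells per circuit before the window runs dry, which is the limitation the slide points out.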

Page 51

Defense against Sniper Attack

How can we defend against the Sniper Attack? So...
● Adaptive Circuit Killing
  o Kill circuits when total memory consumption remains higher than a threshold
  o Kill the circuits with the earliest time of arrival
  o The attacker must read from the Tor network to avoid being killed, since Tor is strictly FIFO
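Added example (not the paper's or Tor's code) of the adaptive circuit killing described on this slide: a relay keeps strictly FIFO per-circuit queues and, whenever total queued memory exceeds a threshold, tears down the circuit whose front cell has waited longest. The tiny threshold, the circuit names and the traffic pattern are constructed so the run is readable.

```python
from collections import deque

MEMORY_THRESHOLD = 8   # constructed: max queued cells before the killer runs

class Relay:
    """Per-circuit FIFO cell queues of one relay with adaptive circuit killing."""

    def __init__(self, threshold=MEMORY_THRESHOLD):
        self.threshold = threshold
        self.queues = {}       # circuit id -> deque of (arrival_time, cell)
        self.killed = []       # circuit ids torn down by the killer, in order

    def queued_cells(self):
        return sum(len(q) for q in self.queues.values())

    def enqueue(self, circ, cell, now):
        """Queue a cell arriving on circ at time now; False if circ is dead."""
        if circ in self.killed:
            return False
        self.queues.setdefault(circ, deque()).append((now, cell))
        self.adaptive_kill()
        return True

    def read(self, circ, n=1):
        """Next hop drains up to n cells from circ, strictly FIFO."""
        q = self.queues.get(circ)
        out = []
        while q and n > 0:
            out.append(q.popleft()[1])
            n -= 1
        return out

    def adaptive_kill(self):
        """While memory is above threshold, kill the circuit whose front cell
        arrived earliest; a circuit that keeps reading has a recent front cell."""
        while self.queued_cells() > self.threshold:
            busy = [c for c, q in self.queues.items() if q]
            oldest = min(busy, key=lambda c: self.queues[c][0][0])
            self.killed.append(oldest)
            del self.queues[oldest]    # DESTROY frees the whole queue

def demo(steps=12):
    """A client that never reads next to one that does (constructed traffic)."""
    relay = Relay()
    for t in range(steps):
        relay.enqueue("stalled", "s%d" % t, now=t)  # sniper-style: never read
        relay.enqueue("honest", "h%d" % t, now=t)
        relay.read("honest")                         # honest client keeps up
    return relay.killed, relay.queued_cells(), "honest" in relay.queues
```

Because the reading client's oldest queued cell is always fresh, only the stalled circuit is selected when the threshold is crossed, which is why the slide says the attacker must read to avoid being killed.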


Page 53

Defense against Deanonymization

Entry-guard Rate-limiting
● Limit the rate at which clients add relays to their entry guard list.
● Hidden Services use 2 levels of guards.
● However, over time the DoS deanonymization will eventually succeed unless the guards are limited to a set of trustworthy routers.

Page 54

QUESTIONS?