The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network
Rob Jansen et al.
NDSS 2014
Presenter: Yue Li
Part of slides adapted from R. Jansen
Outline
Background & Motivation
Tor Network
Sniper Attack
Hidden Service Deanonymization
Defense against Sniper Attack
Defense against DoS-based Deanonymization
Background & Motivation
Large-scale Internet censorship.
Degree of Internet censorship by country (figure)
This is not what we want...
Background & Motivation
As a result, people develop new privacy-enhancing techniques that increase the cost of detection.
The most popular deployed system: Tor
Tor
● Application-layer overlay network
● Enables anonymous communication between clients and arbitrary Internet destinations.
How does Tor work?
● Deploys Onion Routing - like an onion
● Transmits a packet from the user to a destination (figure)
Blue: Entry
Red: Relay
Yellow: Exit
Sniper Attack
Vulnerabilities in Tor:
● Tor relies on the underlying TCP to guarantee reliability and in-order delivery.
● Tor is an application-layer system.
● Tor does not drop or reorder cells (packets in Tor).
Sniper Attack
Sniper Basic Attack
● Attacker controls the client and the exit.
● Exit keeps sending cells, ignoring the package window limit.
● Client does not read cells from the entry.
● The entry's memory will be used up queuing cells.
Sniper Attack
Sniper Basic Attack - a second version
● Attacker controls the client and the server.
● Client keeps sending cells to the server, ignoring the package window limit.
● Server does not read cells from the exit.
● The exit's memory will be used up queuing cells.
Sniper Attack
Recall how Tor does flow control
● The exit has a window size of 1000 cells.
● The client sends a SENDME signal to the exit to increase the window by 100 cells.
● Vice versa when packets flow from the client to the exit.
Sniper Attack
Sniper Basic Attack - Efficient Attack
● Attacker controls only the client.
● Client downloads a large file and keeps sending SENDME signals to the exit.
● Client does not read cells from the exit.
● The entry's memory will be used up queuing cells.
Sniper Attack - an illustration (figure)
Sniper Attack
Avoid detection
● Tor detects a protocol violation by checking the circuit window (> 1000)
● If a violation is detected, close the circuit and send a DESTROY signal backward
● How to avoid detection?
o Estimate the circuit throughput by probing
o Send SENDME signals according to the estimate
Sniper Attack
● The attack can be parallelized to accelerate memory consumption in the target
● Hide the Sniper
o Use Tor itself: exit1 will use up the 1000-cell limit and stop reading from entry2
o Other methods (public wireless network, botnet, etc.)
Sniper Attack
● Implemented a Sniper Attack prototype
● Tested in Shadow
o a simulated Tor network
● Measured
o Victim memory consumption
o Adversary bandwidth usage
Sniper Attack - Results (figures)
Target Memory
Mean BW consumed at Adversary
Speed of Sniper Attack
HS Deanonymization
Hidden Service
● Allows users to hide their locations while offering various services (web publishing, instant messaging, etc.)
The Sniper Attack can be used to deanonymize hidden services.
Hidden Services
● Client chooses a rendezvous point (RP)
● Service chooses an introduction point (IP)
● Client and service communicate through the RP and IP (figure)
Deanonymizing HS
Three steps:
● Cause the HS to build new rendezvous circuits to learn its guard
● Snipe the HS guard to force reselection
● Repeat until the HS chooses an adversarial guard
Guard = Entry
Deanonymizing HS
Try establishing new connections until an adversarial relay is chosen.
Identify the HS entry using the methods proposed by A. Biryukov et al. in S&P '13:
A. Biryukov, I. Pustogarov, and R.-P. Weinmann, "Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization", in IEEE S&P '13, May 2013
Deanonymizing HS - Result
Speed of Deanonymization (figure)
Defense against Sniper Attack
How can we defend against the Sniper Attack?
Naturally...
● Authenticated SENDMEs
o Sending SENDMEs without having received the cells is not allowed
o However, each circuit is still able to queue 1000 cells in the target
● Queue Length Limit
o Limit the queue length
o Can still be attacked by a parallel Sniper Attack
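As an added example (not the paper's code and not Tor's), a relay-side model of the flow-control window and protocol-violation check from the earlier slides, extended with the authenticated-SENDME idea above: a SENDME must carry a digest of the 100 cells the client actually read, so a client that never reads cannot produce one. The 1000-cell window and 100-cell SENDME are the slides' numbers; the SHA-256 batch digest is this example's own simplification, not Tor's actual design.

```python
import hashlib
from collections import deque

WINDOW_MAX = 1000        # cells the exit may package before it needs a SENDME
SENDME_INCREMENT = 100   # cells one SENDME hands back to the package window


def sendme_digest(cells: list) -> bytes:
    """Digest a client puts in an authenticated SENDME for the 100 cells it just read."""
    h = hashlib.sha256()
    for cell in cells:
        h.update(cell)
    return h.digest()


class CircuitWindow:
    # Relay-side package window of one circuit; digest scheme is this example's assumption.
    def __init__(self, authenticated: bool = False) -> None:
        self.authenticated = authenticated
        self.package_window = WINDOW_MAX
        self.destroyed = False
        self._batch = hashlib.sha256()   # running digest of the current 100-cell batch
        self._in_batch = 0
        self._expected = deque()         # one digest per completed batch, oldest first

    def package_cell(self, payload: bytes) -> bool:
        """Package one data cell toward the client; False if the window is spent."""
        if self.destroyed or self.package_window <= 0:
            return False
        self.package_window -= 1
        self._batch.update(payload)
        self._in_batch += 1
        if self._in_batch == SENDME_INCREMENT:   # batch complete: remember its digest
            self._expected.append(self._batch.digest())
            self._batch, self._in_batch = hashlib.sha256(), 0
        return True

    def on_sendme(self, digest: bytes = b"") -> bool:
        """Handle a client SENDME; False means the circuit was torn down."""
        if self.destroyed:
            return False
        if self.package_window + SENDME_INCREMENT > WINDOW_MAX:
            return self._destroy()   # window would exceed its maximum: protocol violation
        if self.authenticated and (not self._expected or digest != self._expected.popleft()):
            return self._destroy()   # SENDME does not prove receipt of a delivered batch
        self.package_window += SENDME_INCREMENT
        return True

    def _destroy(self) -> bool:
        self.destroyed = True        # Tor closes the circuit and sends DESTROY backward
        return False
```

Even with the digest check, a circuit can still hold its full 1000-cell window in the relay's queue, which is the limitation the slide notes.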
So...
● Adaptive Circuit Killing
o Kill circuits when total memory consumption remains higher than a threshold
o Kill the circuits with the earliest time of arrival
o The attacker must read from the Tor network to avoid being killed, since Tor is strictly FIFO
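As an added example (not the paper's or Tor's code), a model of the adaptive circuit killing described above: a relay keeps a FIFO of queued cells per circuit and, when total queued memory exceeds its threshold, kills the circuit whose front cell arrived earliest. Reading the slide's "earliest time of arrival" as the age of the oldest unread cell is this example's interpretation, and the "remains above the threshold" timing is simplified to an immediate check; the 512-byte cell size is Tor's.

```python
from collections import deque
from dataclasses import dataclass, field

CELL_BYTES = 512   # size of one Tor cell


@dataclass
class Circuit:
    circ_id: int
    queue: deque = field(default_factory=deque)   # FIFO of (arrival_time, payload)

    def front_arrival(self) -> float:
        """Arrival time of the oldest queued cell, the one the next read would take."""
        return self.queue[0][0]


class Relay:
    """Relay that kills the circuit with the oldest front cell under memory pressure."""

    def __init__(self, max_queued_bytes: int) -> None:
        self.max_queued_bytes = max_queued_bytes
        self.circuits: dict = {}
        self.killed: list = []

    def queued_bytes(self) -> int:
        return CELL_BYTES * sum(len(c.queue) for c in self.circuits.values())

    def enqueue(self, circ_id: int, now: float, payload: bytes = b"") -> None:
        """A cell for circ_id arrives at time `now` and waits for the next hop to read it."""
        circ = self.circuits.setdefault(circ_id, Circuit(circ_id))
        circ.queue.append((now, payload))
        self._enforce_memory_limit()

    def read(self, circ_id: int, n_cells: int) -> int:
        """The next hop drains up to n_cells from the front of circ_id's queue."""
        q = self.circuits[circ_id].queue
        taken = min(n_cells, len(q))
        for _ in range(taken):
            q.popleft()
        return taken

    def _enforce_memory_limit(self) -> None:
        # While queued cells exceed the threshold, kill the circuit whose front
        # cell has waited longest. Because queues are FIFO, a client that keeps
        # reading keeps its front cell fresh; one that stops reading is selected.
        while self.queued_bytes() > self.max_queued_bytes:
            candidates = [c for c in self.circuits.values() if c.queue]
            victim = min(candidates, key=Circuit.front_arrival)
            self.killed.append(victim.circ_id)
            del self.circuits[victim.circ_id]
```

In the constructed scenario in the test, circuit 1 never reads and circuit 2 reads regularly, so when the threshold is crossed only circuit 1 is killed even though circuit 2 also holds unread cells.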
Defense against Deanonymization
Entry-guard Rate-limiting
● Limit the rate at which clients add relays to their entry guard list.
● Hidden Services use two levels of guards.
● However, over time the DoS deanonymization will eventually succeed unless the guards are limited to a set of trustworthy routers.
QUESTIONS?