Rob Jansen, U.S. Naval Research Laboratory

Presentation on theme: "Rob Jansen, U.S. Naval Research Laboratory"— Presentation transcript:

1 Point Break: A Study of Bandwidth Denial-of-Service Attacks against Tor
Rob Jansen, U.S. Naval Research Laboratory
Tavish Vaidya, Georgetown University
Micah Sherr, Georgetown University
Rob Jansen
Center for High Assurance Computer Systems
U.S. Naval Research Laboratory
28th USENIX Security Symposium
Hyatt Regency, Santa Clara, CA, USA
August 16th, 2019

2 Most Exciting Contribution
Explore the costs and effects of bandwidth denial-of-service attacks on Tor
47% slower
3 Gbit/s
$140 - $1.6K / mo.

4 Tor Protects Users
Anonymous Communication: separates identification from routing; provides unlinkable communication; protects user privacy and safety online
Tor is Popular: ~2-8 million daily active users; ~6,500 volunteer relays; transferring ~200 Gbit/s

5 Anonymity Attacks against Tor
Website fingerprinting attacks: CCSW’09, WPES’11, CCS’12, WPES’13, Sec’14, NDSS’16, Sec’16, NDSS’18, CCS’18
Traffic correlation attacks: S&P’05, PET’07, Sec’09, CCS’09, TISSEC’10, CCS’11, PETS’13, CCS’13, CN’13, NDSS’14, CCS’18
Routing attacks: WPES’07, CCS’07, Sec’15, PETS’16, S&P’17, PETS’18

13 Our Focus: Denial-of-Service Attacks
2007: Borisov et al., CCS’07, Selective service refusal
2008: Pappas et al., InfoSec’08, Packet Spinning
2009: Evans et al., Sec’09, Long Paths
2013: Barbera et al., ESORICS’13, Cell Flood
2014: Geddes et al., WPES’14, Socket Exhaustion
2014: Jansen et al., NDSS’14, Sniper Attack
2019: This Work, Long Paths + Sniper

14 DoS against Tor – A Realistic Threat

16 Research Questions and Summary of Results
RQ1: How is Tor vulnerable to bandwidth-based DoS (BW DoS) attacks?
RQ2: How costly are BW DoS attacks to carry out?
RQ3: What effects does BW DoS have on Tor performance and reliability?

Component | Cost | Effect
Bridges | $17,000 / mo. | 44% slower
TorFlow BW Scanners | $2,800 / mo. | 80% slower
Relays | $140 - $1,600 / mo. or $6,300 / mo. | 47% slower or 120% slower

Ethical research: no attacks on the public Tor network; analyzed performance effects with Shadow; conducted some Tor measurements as client, stored no information about users

18 Attack

19 How Tor Works
[Figure: how Tor works; legend: circuit, stream]

21 The Relay Congestion Attack
Step 1: Build 8-hop circuit
Can be targeted or indiscriminate

24 The Relay Congestion Attack
Step 1: Build 8-hop circuit
Step 2: GET large files
Step 3: Stop reading
Step 4: Send flow control cells

25 The Relay Congestion Attack
Step 5: Repeat!!!
New entry relays
New sockets

26 Evaluation

27 Evaluation Setup
Use Shadow for evaluation: private Tor network for safety; 634 relays (10% size, capacity of Tor); 15,000 clients and 2,000 servers generating traffic through Tor
Explore network effects: attack strength (num. attack circuits); network load, attacker resource usage, client performance

30 Bandwidth Used by Attacker and Tor Network
Amplification Factors:
20k Circuits: 6.7
Stop Reading: 26

33 Effect on Client Performance
20k Circuits: TTFB +138%, TTLB +120%
Stop Reading: TTFB +48%, TTLB +47%

34 Cost to Conduct Relay Congestion Attack
Requirements for “stop reading” attack: 200,000 circuits; 3 Gbit/s, 20 IP addresses
Cost of bandwidth and IP addresses: 3 dedicated servers at 1 Gbit/s each, amortized cost of 0.70 $/hour/Gbit/s; 17 additional IPs at $5 each, $85 total
Total cost estimates: conservative: $1,647 per month; optimistic: $140 per month ($7 * 20 VPSes)

37 Comparison to Sybil Attacks
Comparison to relay Sybil attacks with the same bandwidth budget (3 Gbit/s)
Sybil DoS Attack: goal: drop all circuits containing Sybil relays; exit BW is scarcest and gives highest probability of selection; 3 Gbit/s = 4.5% dropped circuits
Sybil Deanonymization Attack: goal: appear on both ends of circuits to compromise anonymity; 5:1 guard-to-exit BW allocation; 2.8% guard * 0.8% exit = 0.02% total circuits compromised

38 Mitigation

39 Mitigations to Relay Congestion Attack
Ability to stop reading from circuits: Authenticated SENDMEs, Tor Proposal 289, implemented in alpha
Inject nonce in every 50 cells
Must read and return nonce in SENDME cell
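
A simplified model of the nonce check described on this slide, added here as an illustration; it is not code from the presentation or from Tor. Only the 50-cell interval comes from the slide; the 500-cell starting window, the 20-byte nonce and the names Sender and cells_sent are assumptions of the model.

```python
import hmac
import secrets

SENDME_INTERVAL = 50  # from the slide: a nonce is injected every 50 cells
WINDOW_START = 500    # assumed initial window size for this model


class Sender:
    """Data-sending end of a circuit, limited by a flow-control window."""

    def __init__(self, authenticated):
        self.authenticated = authenticated
        self.window = WINDOW_START
        self.sent = 0
        self.pending = []  # nonces not yet acknowledged, oldest first
        self.closed = False

    def send_cell(self):
        """Emit one cell; return its nonce (empty if none), or None if blocked."""
        if self.closed or self.window == 0:
            return None
        self.window -= 1
        self.sent += 1
        if self.authenticated and self.sent % SENDME_INTERVAL == 0:
            self.pending.append(secrets.token_bytes(20))
            return self.pending[-1]
        return b""

    def on_sendme(self, echoed):
        """Reopen the window, or close the circuit on a bad nonce."""
        if self.authenticated:
            expected = self.pending.pop(0) if self.pending else b""
            if not echoed or not hmac.compare_digest(expected, echoed):
                self.closed = True
                return False
        self.window += SENDME_INTERVAL
        return True


def cells_sent(authenticated, reads, sendmes):
    """Cells emitted toward a peer that reads `reads` cells, then stops
    reading but still sends up to `sendmes` SENDMEs (constructed scenario)."""
    sender, seen, acked = Sender(authenticated), [], 0
    while acked <= sendmes:
        nonce = sender.send_cell()
        if nonce is None:  # window exhausted: peer tries another SENDME
            echoed = seen[acked] if acked < len(seen) else b""
            acked += 1
            if acked > sendmes or not sender.on_sendme(echoed):
                break
        elif nonce and sender.sent <= reads:
            seen.append(nonce)  # the peer only learns nonces it really read
    return sender.sent
```

With unauthenticated SENDMEs the sender keeps refilling the window for a peer that is no longer reading; with the nonce check the circuit closes at the first SENDME the peer cannot back with data it actually received.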

41 Mitigations to Relay Congestion Attack
Ability to stop reading from circuits: Authenticated SENDMEs, Tor Proposal 289, implemented in alpha
Ability to build 8 hop circuits: Reduce to 4 hops to reduce BW amplification factor
Ability to use any relay as entry: Privacy-preserving defense against Sybil attacks; detect, measure, and prevent such attacks

42 Summary
Contributions
Bridge congestion attack: $17K/mo., 44% slower
Bandwidth authority attack: $2.6K/mo., 80% slower
Relay congestion attack: $140-$1.6K/mo., 47% slower (or $6.3K/mo., 120% slower)
Future Work
Deploy simple mitigation techniques in short term
Need research in Sybil attack detection, measurement, and prevention
Contact

