The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network. Rob Jansen et al., NDSS 2014. Presenter: Yue Li. Part of slides adapted from R.


1 The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network
Rob Jansen et al., NDSS 2014
Presenter: Yue Li
Part of slides adapted from R. Jansen

2 Outline
● Background & Motivation
● Tor Network
● Sniper Attack
● Hidden Service Deanonymization
● Defense against Sniper Attack
● Defense against DoS-based Deanonymization

5 Background & Motivation
Large-scale Internet censorship.
[Figure: Degree of Internet censorship by country]
This is not what we want...

7 Background & Motivation
As a result, people develop new privacy-enhancing techniques that increase the cost of detection.
The most popular deployed system: Tor

9 Tor
● Application-layer overlay network
● Enables anonymous communication between clients and arbitrary Internet destinations.

16 How does Tor work?
● Deploys Onion Routing - like an onion
● Transmits a packet from the user to a destination
Figure legend: Blue: Entry; Red: Relay; Yellow: Exit

18 Sniper Attack
Vulnerabilities in Tor:
Tor relies on the underlying TCP to guarantee reliability and in-order delivery.
Tor is an application-layer system.
● Tor does not drop or reorder cells (packets in Tor).

20 Sniper Attack
Sniper Basic Attack
● Attacker controls the client and the exit.
● Exit keeps sending cells, ignoring the package window limit.
● Client does not read cells from entry.
● The entry memory will be used up for queuing cells.

21 Sniper Attack
Sniper Basic Attack - a second version
● Attacker controls the client and the server.
● Client keeps sending cells to server, ignoring the package window limit.
● Server does not read cells from exit.
● The exit memory will be used up for queuing cells.

22 Sniper Attack
Recall how Tor does flow control
● Exit has a window size of 1000 cells
● Client sends a SENDME signal to the exit to increase the window by 100 cells.
● Vice versa when packets travel from client to exit

23 Sniper Attack
Sniper Basic Attack - Efficient Attack
● Attacker controls only the client.
● Client downloads a large file and keeps sending SENDME signals to the exit.
● Client does not read cells from exit.
● The entry memory will be used up for queuing cells.

24 Sniper Attack - an illustration

31 Sniper Attack
Avoid detection
● Tor detects protocol violations by checking the circuit window (>1000)
● If a violation is detected, close the circuit and send a DESTROY signal backward
● How to avoid detection?
o Estimate the circuit throughput by probing
o Send SENDME signals according to the estimation
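The exit-side window accounting from slide 22 and the violation check from slide 31, written out as an added example (not code from the slides, the paper, or Tor). The class and function names are hypothetical; the constants 1000 and 100 come from the slides.

```python
WINDOW_START = 1000      # initial package window, in cells (slide 22)
SENDME_INCREMENT = 100   # each SENDME opens the window by this many cells


class ProtocolViolation(Exception):
    """Raised when a SENDME would push the window past its initial size."""


class ExitCircuit:
    """Hypothetical model of one circuit's package window at the exit."""

    def __init__(self):
        self.window = WINDOW_START
        self.closed = False

    def package_cell(self):
        """Send one data cell toward the client; False if the window is shut."""
        if self.closed or self.window <= 0:
            return False
        self.window -= 1
        return True

    def on_sendme(self):
        """Handle a SENDME; close the circuit if it acknowledges unsent cells."""
        if self.closed:
            return
        if self.window + SENDME_INCREMENT > WINDOW_START:
            self.closed = True   # the slides add: send DESTROY backward
            raise ProtocolViolation("SENDME for cells that were never sent")
        self.window += SENDME_INCREMENT


def run_honest_transfer(total_cells):
    """Client acknowledges every 100 cells it actually received."""
    circ, sent = ExitCircuit(), 0
    while sent < total_cells and circ.package_cell():
        sent += 1
        if sent % SENDME_INCREMENT == 0:
            circ.on_sendme()
    return sent, circ.window, circ.closed
```

The check bounds how far ahead of the real data flow a SENDME can run; it says nothing about whether the acknowledged cells were ever read, which is the gap the defenses later in the talk address.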

32 Sniper Attack
● The attack can be parallelized to accelerate memory consumption in the target
● Hide the Sniper
● Use Tor itself: exit1 will use up the 1000-cell limit and stop reading from entry2
● Other methods (public wireless network, botnet, etc.)

33 Sniper Attack
● Implemented Sniper Attack prototype
● Tested in Shadow
o simulated Tor network
● Measured
o Victim memory consumption
o Adversary bandwidth usage

34 Sniper Attack - Result Target Memory

35 Sniper Attack - Result Mean BW consumed at Adversary

36 Sniper Attack - Result Speed of Sniper Attack

38 HS Deanonymization
Hidden Service
● Allows users to hide their locations while offering various kinds of services (web publishing, instant messaging, etc.).
The Sniper Attack can be deployed to deanonymize hidden services.

39 Hidden Services
Client chooses RP (rendezvous point)
Service chooses IP (introduction point)
Client and Service communicate through RP and IP

40 Hidden Services

43 Deanonymizing HS
Three steps:
● Cause HS to build new rendezvous circuits to learn its guard
● Snipe HS guard to force reselection
● Repeat until HS chooses adversarial guard
Guard = Entry

44 Deanonymizing HS
Try establishing new connections until an adversarial relay is chosen
Identify the HS entry using methods proposed by A. Biryukov, from S&P '13.
A. Biryukov, I. Pustogarov, and R.-P. Weinmann, “Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization”, in SP '13, May 2013

45 Deanonymizing HS

46 A. Biryukov, I. Pustogarov, and R.-P. Weinmann, “Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization”, in SP '13, May 2013

47 Deanonymizing HS - Result Speed of Deanonymization

50 Defense against Sniper Attack
How can we defend against the Sniper Attack? Naturally…
● Authenticated SENDMEs
o Sending SENDMEs without receiving the cells is not allowed
o However, each circuit is still able to queue 1000 cells in the target
● Queue Length Limit
o Limit the queue length
o Can still be attacked by a parallel Sniper Attack

51 Defense against Sniper Attack
How can we defend against the Sniper Attack? So...
● Adaptive Circuit Killing
o Kill circuits when total memory consumption remains higher than a threshold
o Kill circuits with the earliest time of arrival
o Attacker must read from the Tor network to avoid being killed, since Tor is strictly FIFO
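A small simulation of the adaptive circuit killing policy on slide 51, added here as an example (not code from the slides, the paper, or Tor). It assumes memory is measured in queued cells and uses hypothetical circuit names and a constructed workload: two circuits whose cells are read every tick and one that is filled but never read.

```python
from collections import deque


class Relay:
    """Toy relay: memory is counted in queued cells (an assumption of this sketch)."""

    def __init__(self, mem_limit_cells):
        self.mem_limit = mem_limit_cells
        self.queues = {}    # circuit id -> deque of cell arrival times (FIFO)
        self.killed = []    # circuits torn down by the defense, in order
        self.peak = 0       # highest cell count seen after enforcement

    def total_cells(self):
        return sum(len(q) for q in self.queues.values())

    def enqueue(self, circ_id, now):
        if circ_id in self.killed:
            return          # cells for a destroyed circuit are dropped
        self.queues.setdefault(circ_id, deque()).append(now)
        self._enforce()
        self.peak = max(self.peak, self.total_cells())

    def dequeue(self, circ_id):
        q = self.queues.get(circ_id)
        if q:
            q.popleft()     # the next hop read one cell

    def _enforce(self):
        # Over the threshold: kill the circuit whose head-of-queue cell is oldest.
        while self.total_cells() > self.mem_limit:
            busy = [c for c, q in self.queues.items() if q]
            victim = min(busy, key=lambda c: self.queues[c][0])
            del self.queues[victim]
            self.killed.append(victim)


def simulate(ticks=100, limit=200):
    """Constructed workload: two circuits read every tick, one never read."""
    relay = Relay(limit)
    for now in range(ticks):
        for cid in ("honest-1", "honest-2"):
            relay.enqueue(cid, now)
        for _ in range(5):
            relay.enqueue("stalled", now)
        for cid in ("honest-1", "honest-2"):
            relay.dequeue(cid)
    return relay.killed, sorted(relay.queues), relay.peak
```

Because queues are FIFO, a circuit that is being read always has a recent cell at its head, so the oldest-head rule selects the unread circuit and leaves the others untouched.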

53 Defense against Deanonymization
Entry-guard Rate-limiting
● Limit the rate at which clients will add relays to their entry guard list.
● Hidden Services use 2 levels of guards.
● However, over time the DoS Deanonymization will eventually succeed unless the guards are limited to a set of trustworthy routers.

54 QUESTIONS?

