Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11th, 2013 Rob Jansen U.S. Naval Research Laboratory


1 Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11th, 2013 Rob Jansen U.S. Naval Research Laboratory rob.g.jansen@nrl.navy.mil *Joint with Aaron Johnson, Florian Tschorsch, Björn Scheuermann

2 The Tor Anonymity Network torproject.org

3 How Tor Works

4

5

6

7 Tor protocol aware

8 Tor Flow Control exit entry

9 Tor Flow Control One TCP Connection Between Each Relay, Multiple Circuits exit entry

10 Tor Flow Control One TCP Connection Between Each Relay, Multiple Circuits Multiple Application Streams exit entry

11 Tor Flow Control No end-to-end TCP! exit entry

12 Tor Flow Control Tor protocol aware exit entry

13 Tor Flow Control Packaging End Delivery End exit entry

14 Tor Flow Control Packaging End Delivery End exit entry

15 Tor Flow Control 1000 Cell Limit SENDME Signal Every 100 Cells exit entry

16 Outline
● The Sniper Attack
  – Low-cost memory consumption attack that disables arbitrary Tor relays
● Deanonymizing Hidden Services
  – Using DoS attacks for deanonymization
● Countermeasures

17 The Sniper Attack Start Download Request exit entry

18 The Sniper Attack Reply DATA exit entry

19 The Sniper Attack Package and Relay DATA DATA exit entry

20 The Sniper Attack DATA Stop Reading from Connection DATA R exit entry

21 The Sniper Attack DATA R exit entry Flow Window Closed

22 The Sniper Attack DATA Periodically Send SENDME SENDME R DATA exit entry

23 The Sniper Attack DATA Periodically Send SENDME SENDME R DATA exit entry Flow Window Opened

24 The Sniper Attack DATA R exit entry DATA Out of Memory, Killed by OS

25 The Sniper Attack DATA R exit entry DATA Use Tor to Hide

26 Memory Consumed over Time

27 Mean RAM Consumed, 50 Relays

28 Mean BW Consumed, 50 Relays

29 Speed of Sniper Attack
Relay Groups | Select % | Direct 1 GiB | Direct 8 GiB | Anonymous 1 GiB | Anonymous 8 GiB
Top Guard | 1.7 | | | |
Top 5 Guards | 6.5 | | | |
Top 20 Guards | 19 | | | |
Top Exit | 3.2 | | | |
Top 5 Exits | 13 | | | |
Top 20 Exits | 35 | | | |
Path Selection Probability ≈ Network Capacity

30 Speed of Sniper Attack
Time (hours:minutes) to Consume RAM
Relay Groups | Select % | Direct 1 GiB | Direct 8 GiB | Anonymous 1 GiB | Anonymous 8 GiB
Top Guard | 1.7 | 0:01 | 0:18 | 0:02 | 0:14
Top 5 Guards | 6.5 | 0:08 | 1:03 | 0:12 | 1:37
Top 20 Guards | 19 | 0:45 | 5:58 | 1:07 | 8:56
Top Exit | 3.2 | 0:01 | 0:08 | 0:01 | 0:12
Top 5 Exits | 13 | 0:05 | 0:37 | 0:07 | 0:57
Top 20 Exits | 35 | 0:29 | 3:50 | 0:44 | 5:52

31 Speed of Sniper Attack

32 Speed of Sniper Attack

33 Outline
● The Sniper Attack
  – Low-cost memory consumption attack that disables arbitrary Tor relays
● Deanonymizing Hidden Services
  – Using DoS attacks for deanonymization
● Countermeasures

34 Hidden Services HS User wants to hide service

35 Hidden Services entry IP HS chooses and publishes introduction point IP HS

36 Hidden Services entry IP HS Learns about HS on web

37 entry Hidden Services entry IP HS Builds Circuit to Chosen Rendezvous Point RP RP

38 entry Hidden Services entry IP HS Notifies HS of RP through IP RP entry RP

39 entry Hidden Services entry IP HS RP

40 entry Hidden Services entry IP HS Build New Circuit to RP RP entry RP

41 entry Hidden Services entry IP HS Communicate! RP entry RP

42 entry Deanonymizing Hidden Services HS RP

43 entry Deanonymizing Hidden Services HS RP Also runs a guard relay

44 entry Deanonymizing Hidden Services entry HS RP Build New Circuit to RP

45 entry Deanonymizing Hidden Services entry HS RP S&P 2006, S&P 2013

46 entry Deanonymizing Hidden Services entry HS RP S&P 2013 PADDING Send 50 Padding Cells

47 entry Deanonymizing Hidden Services entry HS RP Identify HS entry if cell count = 52 S&P 2013

48 entry Deanonymizing Hidden Services entry HS RP Sniper Attack, or any other DoS

49 entry Deanonymizing Hidden Services HS RP Choose new Entry Guard

50 entry Deanonymizing Hidden Services HS RP

51 entry Deanonymizing Hidden Services HS RP S&P 2006, S&P 2013

52 entry Deanonymizing Hidden Services HS RP Send 50 Padding Cells S&P 2013 PADDING

53 entry Deanonymizing Hidden Services HS RP Identify HS if cell count = 53 S&P 2013

54 Outline
● The Sniper Attack
  – Low-cost memory consumption attack that disables arbitrary Tor relays
● Deanonymizing Hidden Services
  – Using DoS attacks for deanonymization
● Countermeasures

55 Countermeasures
● Sniper Attack Defenses
  – Authenticated SENDMEs
  – Queue Length Limit
  – Adaptive Circuit Killer
● Deanonymization Defenses
  – Entry-guard Rate-limiting
  – Middle Guards

56 Questions? cs.umn.edu/~jansen rob.g.jansen@nrl.navy.mil think like an adversary

57 Speed of Deanonymization
Guard BW (MiB/s) | Guard Probability (%) | Average # Rounds | Average # Sniped | Average Time (h) 1 GiB | Average Time (h) 8 GiB
8.41 | 0.48 | 66 | 133 | 46 | 279
16.65 | 0.97 | 39 | 79 | 23 | 149
31.65 | 1.9 | 24 | 48 | 13 | 84
66.04 | 3.8 | 13 | 26 | 6 | 44
96.61 | 5.4 | 9 | 19 | 5 | 31
1 GiB/s Relay Can Deanonymize HS in about a day

58 Circuit Killer Defense

59 The Sniper Attack exit entry exit entry Single Adversary

60 The Sniper Attack exit entry exit entry Anonymous Tunnel

61 The Sniper Attack exit entry exit entry

62 The Sniper Attack exit entry exit entry DATA

63 The Sniper Attack exit entry exit entry DATA R

64 The Sniper Attack exit entry exit entry DATA R Flow Window Closed

65 The Sniper Attack exit entry exit entry DATA R R

66 The Sniper Attack exit entry exit entry DATA R R

67 The Sniper Attack exit entry exit entry DATA R R Killed by OS DATA

