1 / 67

Memory-based DoS and Deanonymization Attacks on Tor

Memory-based DoS and Deanonymization Attacks on Tor. DCAPS Seminar October 11 th , 2013. Rob Jansen U.S. Naval Research Laboratory rob.g.jansen@nrl.navy.mil. *Joint with Aaron Johnson, Florian Tschorsch , Björn Scheuermann. The Tor Anonymity Network. t orproject.org. How Tor Works.

bretti
Download Presentation

Memory-based DoS and Deanonymization Attacks on Tor

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11th, 2013 Rob Jansen U.S. Naval Research Laboratory rob.g.jansen@nrl.navy.mil *Joint with Aaron Johnson, Florian Tschorsch, BjörnScheuermann

  2. The Tor Anonymity Network torproject.org

  3. How Tor Works

  4. How Tor Works

  5. How Tor Works

  6. How Tor Works

  7. How Tor Works Tor protocol aware

  8. Tor Flow Control exit entry

  9. Tor Flow Control One TCP Connection Between Each Relay,Multiple Circuits exit entry

  10. Tor Flow Control One TCP Connection Between Each Relay,Multiple Circuits exit entry Multiple Application Streams

  11. Tor Flow Control exit entry No end-to-end TCP!

  12. Tor Flow Control Tor protocol aware exit entry

  13. Tor Flow Control Delivery End Packaging End exit entry

  14. Tor Flow Control Delivery End Packaging End exit entry

  15. Tor Flow Control SENDME Signal Every 100 Cells 1000 Cell Limit exit entry

  16. Outline • The Sniper Attack • Low-cost memory consumption attack that disables arbitrary Tor relays • Deanonymizing Hidden Services • Using DoS attacks for deanonymization • Countermeasures

  17. The Sniper Attack Start Download exit entry Request

  18. The Sniper Attack Reply DATA exit entry

  19. The Sniper Attack Package and Relay DATA DATA DATA exit entry

  20. The Sniper Attack R Stop Reading from Connection DATA DATA DATA entry exit

  21. The Sniper Attack R Flow Window Closed DATA DATA DATA DATA DATA DATA exit entry

  22. The Sniper Attack R DATA DATA DATA DATA DATA DATA exit entry Periodically Send SENDME SENDME

  23. The Sniper Attack R DATA DATA DATA DATA Flow Window Opened DATA DATA DATA DATA DATA DATA DATA DATA DATA exit entry Periodically Send SENDME SENDME

  24. DATA DATA The Sniper Attack DATA DATA DATA DATA DATA R DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA exit entry Out of Memory, Killed by OS

  25. DATA DATA The Sniper Attack DATA DATA DATA DATA DATA R DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA exit entry Use Tor to Hide

  26. Memory Consumed over Time

  27. Mean RAM Consumed, 50 Relays

  28. Mean BW Consumed, 50 Relays

  29. Speed of Sniper Attack Path Selection Probability ≈ Network Capacity

  30. Speed of Sniper Attack Time (hours:minutes) to Consume RAM

  31. Speed of Sniper Attack Time (hours:minutes) to Consume RAM

  32. Speed of Sniper Attack Time (hours:minutes) to Consume RAM

  33. Outline • The Sniper Attack • Low-cost memory consumption attack that disables arbitrary Tor relays • Deanonymizing Hidden Services • Using DoS attacks for deanonymization • Countermeasures

  34. Hidden Services HS User wants to hide service

  35. Hidden Services HS HS chooses and publishes introduction point IP entry IP

  36. Hidden Services HS Learns about HS on web entry IP

  37. Hidden Services HS Builds Circuit to Chosen Rendezvous Point RP entry entry IP RP

  38. Hidden Services HS RP Notifies HS of RP through IP entry entry entry RP IP

  39. Hidden Services HS RP entry entry RP IP

  40. Hidden Services HS RP Build New Circuit to RP entry entry entry RP IP

  41. Hidden Services HS RP Communicate! entry entry entry RP IP

  42. DeanonymizingHidden Services HS entry RP

  43. DeanonymizingHidden Services HS Also runs a guard relay entry RP

  44. Deanonymizing Hidden Services HS RP Build New Circuit to RP entry entry RP

  45. Deanonymizing Hidden Services HS RP entry entry RP S&P 2006, S&P 2013

  46. Deanonymizing Hidden Services HS RP Send 50 Padding Cells PADDING entry entry RP S&P 2013

  47. Deanonymizing Hidden Services HS RP Identify HS entry if cell count = 52 entry entry RP S&P 2013

  48. Deanonymizing Hidden Services HS Sniper Attack, or any other DoS entry entry RP

  49. Deanonymizing Hidden Services HS Choose new Entry Guard entry RP

  50. Deanonymizing Hidden Services HS RP entry RP

More Related