1 / 54

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network. Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R. Jansen. Outline. Background & Motivation Tor Network Sniper Attack Hidden Service Deanonymization Defense against Sniper Attack

ismet
Download Presentation

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R. Jansen

  2. Outline Background & Motivation Tor Network Sniper Attack Hidden Service Deanonymization Defense against Sniper Attack Defense against DoS-based Deanonymization

  3. Outline Background & Motivation Tor Network Sniper Attack Hidden Service Deanonymization Defense against Sniper Attack Defense against DoS-based Deanonymization

  4. Background & Motivation Large scale Internet censorship. Degree of Internet censorship by country

  5. Background & Motivation Large scale Internet censorship. Degree of Internet censorship by country This is not what we want...

  6. Background & Motivation As a result, people develop new privacy enhancing techniques that Increase the cost of detection.

  7. Background & Motivation As a result, people develop new privacy enhancing techniques that Increase the cost of detection. The most popular deployed system: Tor

  8. Outline Background & Motivation Tor Network Sniper Attack Hidden Service Deanonymization Defense against Sniper Attack Defense against DoS-based Deanonymization

  9. Tor Tor • Application-layer overlay network • Enables anonymous communication between clients and arbitrary Internet destination.

  10. How does Tor work? • Deploys Onion Routing - Like an Onion • Transmit a package from the user to a destination

  11. How does Tor work? • Deploys Onion Routing - Like an Onion • Transmit a package from the user to a destination

  12. How does Tor work? • Deploys Onion Routing - Like an Onion • Transmit a package from the user to a destination

  13. How does Tor work? • Deploys Onion Routing - Like an Onion • Transmit a package from the user to a destination

  14. How does Tor work? • Deploys Onion Routing - Like an Onion • Transmit a package from the user to a destination

  15. How does Tor work? • Deploys Onion Routing - Like an Onion • Transmit a package from the user to a destination

  16. How does Tor work? • Deploys Onion Routing - Like an Onion • Transmit a package from the user to a destination Blue: Entry Red: Relay Yellow: Exit

  17. Outline Background & Motivation Tor Network Sniper Attack Hidden Service Deanonymization Defense against Sniper Attack Defense against DoS-based Deanonymization

  18. Sniper Attack Vulnerabilities in Tor: Tor relies on underlying TCP to guarantee reliability and in-order delivery. Tor is an application-layer system. • Tor does not drop or reorder cells(packets in Tor).

  19. Sniper Attack Vulnerabilities in Tor: Tor relies on underlying TCP to guarantee reliability and in-order delivery. Tor is an application-layer system. • Tor does notdrop or reorder cells.

  20. Sniper Attack Sniper Basic Attack • Attacker controls the client and the exit. • Exit keeps sending cells ignoring package window limit. • Client does not read cells from entry. • The entry memory will be used up for queuing cells.

  21. Sniper Attack Sniper Basic Attack - a second version • Attacker controls the client and the server. • Client keeps sending cells to server ignoring package window limit. • Server does not read cells from exit. • The exit memory will be used up for queuing cells.

  22. Sniper Attack Recall how Tor does flow control • Exit has a window size of 1000 cells • Client sends SENDME signal to exit to increase the window by 100 cells. • Vice versa when packages are from client to exit

  23. Sniper Attack Sniper Basic Attack - Efficient Attack • Attacker controls only the client. • Client downloads a large file and keeps sending SENDME signal to exit. • Client does not read cells from exit. • The entry memory will be used up for queuing cells.

  24. Sniper Attack - an illustration

  25. Sniper Attack - an illustration

  26. Sniper Attack - an illustration

  27. Sniper Attack - an illustration

  28. Sniper Attack - an illustration

  29. Sniper Attack - an illustration

  30. Sniper Attack - an illustration

  31. Sniper Attack Avoid detection • Tor detects protocol violation by checking the circuit window (>1000) • If violation detected, close the circuit and send a DESTROY signal backward • How to avoid detection? • Estimate the circuit throughput by probing • Send SENDME signal according to estimation

  32. Sniper Attack • The attack can be parallelized to accelerate memory consumption in target • Hide the Sniper • Use Tor itself exit1 will use up the 1000 cell limit and stops reading from entry 2 • Other method (public wireless network, botnet, etc)

  33. Sniper Attack • Implemented Sniper Attack Prototype • Tested in Shadow • simulated Tor network • Measured • Victim Memory Consumption • Adversary Bandwidth Usage

  34. Sniper Attack - Result Target Memory

  35. Sniper Attack - Result Mean BW consumed at Adversary

  36. Sniper Attack - Result Speed of Sniper Attack

  37. Outline Background & Motivation Tor Network Sniper Attack Hidden Service Deanonymization Defense against Sniper Attack Defense against DoS-based Deanonymization

  38. HS Deanonymization Hidden Service • Allows users to hide their locations while offering various of services. (web publishing, instant messaging etc) Sniper Attack can be deployed to deanonymize hidden services.

  39. Hidden Services Client chooses RP Service chooses IP Client and Service communicate through RP and IP

  40. Hidden Services

  41. Hidden Services

  42. Hidden Services

  43. Deanonymizing HS Three steps: • Cause HS to build new rendezvous circuits to learn its guard • Snipe HS guard to force reselection • Repeat until HS chooses adversarial guard Guard = Entry

  44. Deanonymizing HS Try establishing new connections until adversarial relay is chosen Identify HS entry using methods proposed by A. Biryukov from S&P 13. A.Biryukov, I. Pustogarov, and R.-P. Weinmann, “Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization”, in SP ‘13, May 2013

  45. Deanonymizing HS

  46. Deanonymizing HS A.Biryukov, I. Pustogarov, and R.-P. Weinmann, “Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization”, in SP ‘13, May 2013

  47. Deanonymizing HS - Result Speed of Deanonymization

  48. Outline Background & Motivation Tor Network Sniper Attack Hidden Service Deanonymization Defense against Sniper Attack Defense against DoS-based Deanonymization

  49. Defense against Sniper Attack How can we defend Sniper Attack?

  50. Defense against Sniper Attack How can we defend Sniper Attack? Naturally… • Authenticated SENDMEs • Sending SENDMEs without receiving the cells not allowed • However, each circuit is still able to queue 1000 cells in target • Queue Length Limit • limit the queue length • Still can be attacked by parallel Sniper Attack

More Related