memory-based dos and deanonymization attacks on tor dcaps seminar october 11 th, 2013 rob jansen...
TRANSCRIPT
- Slide 1
- Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11 th, 2013 Rob Jansen U.S. Naval Research Laboratory [email protected] *Joint with Aaron Johnson, Florian Tschorsch, Bjrn Scheuermann
- Slide 2
- The Tor Anonymity Network torproject.org
- Slide 3
- How Tor Works
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Tor protocol aware
- Slide 8
- Tor Flow Control exit entry
- Slide 9
- Tor Flow Control One TCP Connection Between Each Relay, Multiple Circuits exit entry
- Slide 10
- Tor Flow Control One TCP Connection Between Each Relay, Multiple Circuits Multiple Application Streams exit entry
- Slide 11
- Tor Flow Control No end-to-end TCP! exit entry
- Slide 12
- Tor Flow Control Tor protocol aware exit entry
- Slide 13
- Tor Flow Control Packaging End Delivery End exit entry
- Slide 14
- Tor Flow Control Packaging End Delivery End exit entry
- Slide 15
- Tor Flow Control 1000 Cell Limit SENDME Signal Every 100 Cells exit entry
- Slide 16
- Outline The Sniper Attack Low-cost memory consumption attack that disables arbitrary Tor relays Deanonymizing Hidden Services Using DoS attacks for deanonymization Countermeasures
- Slide 17
- The Sniper Attack Start Download Request exit entry
- Slide 18
- The Sniper Attack Reply DATA exit entry
- Slide 19
- The Sniper Attack Package and Relay DATA DATA exit entry
- Slide 20
- The Sniper Attack DATA Stop Reading from Connection DATA R exitentry
- Slide 21
- The Sniper Attack DATA R exit entry Flow Window Closed
- Slide 22
- The Sniper Attack DATA Periodically Send SENDME SENDME R DATA exit entry
- Slide 23
- The Sniper Attack DATA Periodically Send SENDME SENDME R DATA exit entry Flow Window Opened
- Slide 24
- The Sniper Attack DATA R exit entry DATA Out of Memory, Killed by OS
- Slide 25
- The Sniper Attack DATA R exit entry DATA Use Tor to Hide
- Slide 26
- Memory Consumed over Time
- Slide 27
- Mean RAM Consumed, 50 Relays
- Slide 28
- Mean BW Consumed, 50 Relays
- Slide 29
- Speed of Sniper Attack DirectAnonymous Relay GroupsSelect %1 GiB8 GiB1 GiB8 GiB Top Guard1.7 Top 5 Guards6.5 Top 20 Guards19 Top Exit3.2 Top 5 Exits13 Top 20 Exits35 Path Selection Probability Network Capacity
- Slide 30
- Speed of Sniper Attack DirectAnonymous Relay GroupsSelect %1 GiB8 GiB1 GiB8 GiB Top Guard1.70:010:180:020:14 Top 5 Guards6.50:081:030:121:37 Top 20 Guards190:455:581:078:56 Top Exit3.20:010:080:010:12 Top 5 Exits130:050:370:070:57 Top 20 Exits350:293:500:445:52 Time (hours:minutes) to Consume RAM
- Slide 31
- Speed of Sniper Attack DirectAnonymous Relay GroupsSelect %1 GiB8 GiB1 GiB8 GiB Top Guard1.70:010:180:020:14 Top 5 Guards6.50:081:030:121:37 Top 20 Guards190:455:581:078:56 Top Exit3.20:010:080:010:12 Top 5 Exits130:050:370:070:57 Top 20 Exits350:293:500:445:52 Time (hours:minutes) to Consume RAM
- Slide 32
- Speed of Sniper Attack DirectAnonymous Relay GroupsSelect %1 GiB8 GiB1 GiB8 GiB Top Guard1.70:010:180:020:14 Top 5 Guards6.50:081:030:121:37 Top 20 Guards190:455:581:078:56 Top Exit3.20:010:080:010:12 Top 5 Exits130:050:370:070:57 Top 20 Exits350:293:500:445:52 Time (hours:minutes) to Consume RAM
- Slide 33
- Outline The Sniper Attack Low-cost memory consumption attack that disables arbitrary Tor relays Deanonymizing Hidden Services Using DoS attacks for deanonymization Countermeasures
- Slide 34
- Hidden Services HS User wants to hide service
- Slide 35
- Hidden Services entry IP HS chooses and publishes introduction point IP HS
- Slide 36
- Hidden Services entry IP HS Learns about HS on web
- Slide 37
- entry Hidden Services entry IP HS Builds Circuit to Chosen Rendezvous Point RP RP
- Slide 38
- entry Hidden Services entry IP HS Notifies HS of RP through IP RP entry RP
- Slide 39
- entry Hidden Services entry IP HS RP
- Slide 40
- entry Hidden Services entry IP HS Build New Circuit to RP RP entry RP
- Slide 41
- entry Hidden Services entry IP HS Communicate! RP entry RP
- Slide 42
- entry Deanonymizing Hidden Services HS RP
- Slide 43
- entry Deanonymizing Hidden Services HS RP Also runs a guard relay
- Slide 44
- entry Deanonymizing Hidden Services entry HS RP Build New Circuit to RP
- Slide 45
- entry Deanonymizing Hidden Services entry HS RP S&P 2006, S&P 2013
- Slide 46
- entry Deanonymizing Hidden Services entry HS RP S&P 2013 PADDIN G Send 50 Padding Cells
- Slide 47
- entry Deanonymizing Hidden Services entry HS RP Identify HS entry if cell count = 52 S&P 2013
- Slide 48
- entry Deanonymizing Hidden Services entry HS RP Sniper Attack, or any other DoS
- Slide 49
- entry Deanonymizing Hidden Services HS RP Choose new Entry Guard
- Slide 50
- entry Deanonymizing Hidden Services HS RP
- Slide 51
- entry Deanonymizing Hidden Services HS RP S&P 2006, S&P 2013
- Slide 52
- entry Deanonymizing Hidden Services HS RP Send 50 Padding Cells S&P 2013 PADDIN G
- Slide 53
- entry Deanonymizing Hidden Services HS RP Identify HS if cell count = 53 S&P 2013
- Slide 54
- Outline The Sniper Attack Low-cost memory consumption attack that disables arbitrary Tor relays Deanonymizing Hidden Services Using DoS attacks for deanonymization Countermeasures
- Slide 55
- Countermeasures Sniper Attack Defenses Authenticated SENDMEs Queue Length Limit Adaptive Circuit Killer Deanonymization Defenses Entry-guard Rate-limiting Middle Guards
- Slide 56
- Questions? cs.umn.edu/~jansen [email protected] think like an adversary
- Slide 57
- Speed of Deanonymization Guard BW (MiB/s) Guard Probability (%) Average # Rounds Average # Sniped Average Time (h) 1 GiB Average Time (h) 8 GiB 8.410.486613346279 16.650.97397923149 31.651.924481384 66.043.81326644 96.615.4919531 1 GiB/s Relay Can Deanonymize HS in about a day
- Slide 58
- Circuit Killer Defense
- Slide 59
- The Sniper Attack exit entry exitentry Single Adversary
- Slide 60
- The Sniper Attack exit entry exitentry Anonymous Tunnel
- Slide 61
- The Sniper Attack exit entry exitentry
- Slide 62
- The Sniper Attack exit entry exitentry DATA
- Slide 63
- The Sniper Attack exit entry exitentry DATA R
- Slide 64
- The Sniper Attack exit entry exitentry DATA R Flow Window Closed
- Slide 65
- The Sniper Attack exit entry exitentry DATA R R
- Slide 66
- The Sniper Attack exit entry exitentry DATA R R
- Slide 67
- The Sniper Attack exit entry exitentry DATA R R Killed by OS DATA