Point Break: A Study of Bandwidth Denial-of-Service Attacks against Tor

As the Tor network has grown in popularity and importance as a tool for privacy-preserving online communication, it has increasingly become a target for disruption, censorship, and attack. A large body of existing work examines Tor's susceptibility to attacks that attempt to block Tor users' access to information (e.g., via traffic filtering), identify Tor users' communication content (e.g., via traffic fingerprinting), and de-anonymize Tor users (e.g., via traffic correlation). This paper focuses on the relatively understudied threat of denialof-service (DoS) attacks against Tor, and specifically, DoS attacks that intelligently utilize bandwidth as a means to significantly degrade Tor network performance and reliability. We demonstrate the feasibility of several bandwidth DoS attacks through live-network experimentation and highfidelity simulation while quantifying the cost of each attack and its effect on Tor performance. First, we explore an attack against Tor's most commonly used default bridges (for censorship circumvention) and estimate that flooding those that are operational would cost $17K/mo. and could reduce client throughput by 44% while more than doubling bridge maintenance costs. Second, we explore attacks against the TorFlow bandwidth measurement system and estimate that a constant attack against all TorFlow scanners would cost $2.8K/mo. and reduce the median client download rate by 80%. Third, we explore how an adversary could use Tor to congest itself and estimate that such a congestion attack against all Tor relays would cost $1.6K/mo. and increase the median client download time by 47%. Finally, we analyze the effects of Sybil DoS and deanonymization attacks that have costs comparable to those of our attacks.

[1]  Christian Huitema,et al.  SNI Encryption in TLS Through Tunneling , 2017 .

[2]  Ian Goldberg,et al.  Performance and Security Improvements for Tor , 2016, IACR Cryptol. ePrint Arch..

[3]  Nicholas Hopper,et al.  Throttling Tor Bandwidth Parasites , 2012, NDSS.

[4]  Nicholas Hopper,et al.  Privacy-Preserving Dynamic Learning of Tor Network Traffic , 2018, CCS.

[5]  Nicholas Hopper,et al.  IMUX: Managing Tor Connections from Two to Infinity, and Beyond , 2014, WPES.

[6]  Milad Nasr,et al.  DeepCorr: Strong Flow Correlation Attacks on Tor Using Deep Learning , 2018, CCS.

[7]  Carmela Troncoso,et al.  Dissecting Tor Bridges: A Security Evaluation of their Private and Public Infrastructures , 2017, NDSS.

[8]  Sotiris Ioannidis,et al.  Compromising Anonymity Using Packet Spinning , 2008, ISC.

[9]  Micah Sherr,et al.  Never Been KIST: Tor's Congestion Management Blossoms with Kernel-Informed Socket Transport , 2014, USENIX Security Symposium.

[10]  Nikita Borisov,et al.  EigenSpeed: secure peer-to-peer bandwidth evaluation , 2009, IPTPS.

[11]  Weijia Jia,et al.  A new cell counter based attack against tor , 2009, CCS.

[12]  Steven J. Murdoch,et al.  Sampled Traffic Analysis by Internet-Exchange-Level Adversaries , 2007, Privacy Enhancing Technologies.

[13]  Aiko Pras,et al.  Booters — An analysis of DDoS-as-a-service attacks , 2015, 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM).

[14]  Mohsen Imani,et al.  Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning , 2018, CCS.

[15]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[16]  George Danezis,et al.  Denial of service or denial of security? , 2007, CCS '07.

[17]  Weijia Jia,et al.  Protocol-level attacks against Tor , 2013, Comput. Networks.

[18]  Nadia Heninger,et al.  Torchestra: reducing interactive traffic delays over tor , 2012, WPES '12.

[19]  George Danezis,et al.  k-fingerprinting: A Robust Scalable Website Fingerprinting Technique , 2015, USENIX Security Symposium.

[20]  Eric Wustrow,et al.  ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[21]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[22]  Micah Sherr,et al.  KIST , 2018, ACM Trans. Priv. Secur..

[23]  Geir E. Dullerud,et al.  TightRope: Towards Optimal Load-balancing of Paths in Anonymous Networks , 2018, WPES@CCS.

[24]  Roger Dingledine,et al.  Methodically Modeling the Tor Network , 2012, CSET.

[25]  Nicholas Hopper,et al.  PeerFlow: Secure Load Balancing in Tor , 2017, Proc. Priv. Enhancing Technol..

[26]  Nicholas Hopper,et al.  How much anonymity does network latency leak? , 2007, TSEC.

[27]  Ian Goldberg,et al.  PCTCP: per-circuit TCP-over-IPsec transport for anonymous communication overlay networks , 2013, CCS.

[28]  Hannes Federrath,et al.  Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier , 2009, CCSW '09.

[29]  Angelos D. Keromytis,et al.  CellFlood: Attacking Tor Onion Routers on the Cheap , 2013, ESORICS.

[30]  Micah Sherr,et al.  Users get routed: traffic correlation on tor by realistic adversaries , 2013, CCS.

[31]  Dirk Grunwald,et al.  Low-resource routing attacks against tor , 2007, WPES '07.

[32]  Björn Scheuermann,et al.  The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network , 2014, NDSS.

[33]  Tao Wang,et al.  Effective Attacks and Provable Defenses for Website Fingerprinting , 2014, USENIX Security Symposium.

[34]  Brijesh Joshi,et al.  Touching from a distance: website fingerprinting attacks and defenses , 2012, CCS.

[35]  Micah Sherr,et al.  Understanding Tor Usage with Privacy-Preserving Measurement , 2018, Internet Measurement Conference.

[36]  Gene Tsudik,et al.  Towards an Analysis of Onion Routing Security , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[37]  R. Dingledine,et al.  One Fast Guard for Life ( or 9 months ) , 2014 .

[38]  Vern Paxson,et al.  Blocking-resistant communication through domain fronting , 2015, Proc. Priv. Enhancing Technol..

[39]  Prateek Mittal,et al.  RAPTOR: Routing Attacks on Privacy in Tor , 2015, USENIX Security Symposium.

[40]  Prateek Mittal,et al.  Tempest: Temporal Dynamics in Anonymity Systems , 2018, Proc. Priv. Enhancing Technol..

[41]  Shuai Li,et al.  Measuring Information Leakage in Website Fingerprinting Attacks and Defenses , 2017, CCS.

[42]  Roger Dingledine,et al.  A Practical Congestion Attack on Tor Using Long Paths , 2009, USENIX Security Symposium.

[43]  Nicholas Hopper,et al.  How much anonymity does network latency leak? , 2010, ACM Trans. Inf. Syst. Secur..

[44]  Nick Mathewson,et al.  Anonymity Loves Company: Usability and the Network Effect , 2006, WEIS.

[45]  Vern Paxson,et al.  An Analysis of China's "Great Cannon" , 2015 .

[46]  Klaus Wehrle,et al.  Website Fingerprinting at Internet Scale , 2016, NDSS.

[47]  Aiko Pras,et al.  Quiet Dogs Can Bite: Which Booters Should We Go After, and What Are Our Mitigation Options? , 2017, IEEE Communications Magazine.

[48]  Nicholas Hopper,et al.  How Low Can You Go: Balancing Performance with Anonymity in Tor , 2013, Privacy Enhancing Technologies.

[49]  Nicholas Hopper,et al.  Shadow: Running Tor in a Box for Accurate and Efficient Experimentation , 2011, NDSS.

[50]  Thomas Engel,et al.  Website fingerprinting in onion routing based anonymization networks , 2011, WPES.

[51]  Micah Sherr,et al.  An Empirical Evaluation of Relay Selection in Tor , 2013, NDSS.

[52]  Tao Wang,et al.  Improved website fingerprinting on Tor , 2013, WPES.

[53]  Donald F. Towsley,et al.  Modeling TCP throughput: a simple model and its empirical validation , 1998, SIGCOMM '98.

[54]  Matthew Mathis,et al.  The macroscopic behavior of the TCP congestion avoidance algorithm , 1997, CCRV.

[55]  Mike Perry,et al.  TorFlow: Tor Network Analysis , 2009 .

[56]  Prateek Mittal,et al.  Stealthy traffic analysis of low-latency anonymous communication using throughput fingerprinting , 2011, CCS '11.

[57]  Micah Sherr,et al.  Data-plane Defenses against Routing Attacks on Tor , 2016, Proc. Priv. Enhancing Technol..