Lowcost and Stealthy DoS Attack on Tor

1
Low-cost and Stealthy DoS Attack on Tor

• Jing Dong

2
Tor A System for Anonymity

• A system for low latency anonymous communications
• Anonymous from
• Correspondent
• External observers
• Network infrastructures

3
How Tor Works

• Circuit Establishment
• Client proxy selects a set of intermediate nodes
  (onion routers)
• Client proxy establishes session key circuit
  with onion router 1
• Client proxy tunnels through the circuit to
  extend to onion router 2
• etc until the whole circuit is established
• Circuit usage
• Client proxy communicates over the circuit with
  correspondent

4
Tor Circuit Illustration
5
Key Circuit Property

• Circuit property
• No router has complete knowledge of the whole
  path of the circuit
• Each router only knows its previous and next hop
• Key property for guaranteeing anonymity

6
Adversary Models

• No global observers
• Allow individual router failures and subversions
• Allow directory server failures and subversions
• Allow DoS from clients
• Safe in the presence traffic analysis

7
Existing Attacks and Defenses

• Network congestion
• Attack send massive data into network but refuse
  to accept the data
• Defense use congestion control to limit the
  number of pending packets in the network for each
  connection.
• DoS against individual routers and links
• Attack
• CPU consumption on routers through fake TLS
  handshake
• DoS the links between routers
• Defense
• Robustness resilient against individual router
  or link failures
• End-to-end acknowledgement
• DoS/subvert directory servers
• Attack
• DoS directory server
• Malicious directory server
• Defense
• Directory server redundancy and caching

8
Proposed DoS Attack

• Goal
• DoS through consuming network bandwidth
• Low cost moderate resource requirement on the
  attacker
• Stealthy difficult to be discovered
• Assumption
• Controls a single onion router
• Easy to achieve
• In Tor, anybody can be an onion router

9
Main Idea Circular Circuit

• Build circular circuit among the target routers
• Push packets to the circular circuit
• Packets will flow indefinitely, consuming network
  bandwidth
• The more packets, the larger portion of bandwidth
  is consumed

10
Attack Details

• Select target routers
• Easy all router info is available at directory
  servers
• Select all active routers to maximize damage
• Order target routers
• Order in the order of decreasing bandwidth to
  maximize damage
• Bandwidth info available at directory server
• Build circular circuit
• Build circuit with normal circuit creation
  protocol
• Make sure the last hop of the circuit is the
  attacker itself
• Splice the end and beginning of the circuit
  together at the attacker controlled router
  circular circuit is formed
• Push packets down the circular circuit

11
Low-cost

• Assume the bandwidth of the attacker is B
• The attack consumes bandwidth B from all the
  routers in the network
• Even a small B can cause large bandwidth
  consumption
• If B is larger than the largest bandwidth among
  all the routers
• All the bandwidth of the whole network is consumed

12
Stealthy

• Each router only knows the previous and next hop
• No router can realize the circuit is circular
• Cannot even realize its under attack
• Only notice large amount of traffic
• The attacker appears just like any other router
• Cannot pin-point where the attack starts

13
Mitigation and Prevention

• Prevent circular circuit being formed
• Use Trusted Third Party to maintain circuit info
• Consult the TTP when circuit is extended
• Detect circular packet flow
• Use dummy packets that is detectable only by the
  origin
• Circular circuit is present if dummy packets from
  itself is received

14
Implementation and Evaluation

• Need to evaluate the attack impact in real
  network
• Implementation is partial
• Set up experimental Tor network
• Removed some randomness in Tor for consistency of
  attack result
• Fixed some bugs in the latest Tor source code
• Narrowed down to a few key functions

15
Anonymity vs. DoS

• Observation
• Key property used for anonymity is used for DoS
• Question
• Is anonymity inherently contradictory to
  resiliency to DoS?
• Answer
• No, but without careful design, anonymity can be
  used to mount DoS that is difficult to defend

16
Contributions

• Identified a low-cost, stealthy DoS against Tor
• Identified possible defense mechanisms
• Gained some insight on the relationship between
  anonymity and DoS
• Made partial implementation and fixed some bugs
  in the Tor source code

17
Future Work

• Finish implementation and evaluation of the
  attack
• Investigate defense mechanisms
• Investigate other DoS
• DoS from external client?
• DoS by simple flooding?