The Sniper Attack Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen Florian - PDF document

muchas2187KiB/s(903KiB/sinthemedian),whiletheadversarialbandwidthcostsareatmost92KiB/supstreamand39KiB/sdownstream,(46KiB/supstreamand14KiB/sdownstreaminthemedians).Usingtheseresults,weestimatethatsequentiallydisablingeachofthefastest20exitrelaystakesacumulativetotalofonly29minutes.Inaddition,weexploreusingTortoanonymouslydisablerelaysbyutilizingaseparateanonymoustunnelthroughwhichwelaunchourattacks,andndthatdoingsodoesnotincreasetheadversarialbandwidthrequirements.WeanalyzethesecuritythreatthattheSniperAttackposesandpresentnoveltechniquesfordeanonymizinghiddenservices.WeutilizetheSniperAttack'sabilitytokillarbitraryrelaysinaselectivedenialofserviceattackagainsttheguardrelaysofhiddenservices,inuencingthepathschosenbythehiddenservicestothoseincontroloftheadversary.Wendthatitenablesthecompletedeanonymizationofhiddenser-viceswithindaysbyanadversarywithonlymodestresourcesorwithinhoursbyamorepowerfuladversary.ThispaperalsoexploresdefensestrategiesagainsttheSniperAttack.Wediscusshowsimplehard-codedqueuesizelimitsandend-to-endauthenticatedsignalsaffecttheadversary'sattackstrategy,butdonotcompletelypreventtheattack.Wethenpresentanalgorithmthatadaptivelyreactstohighmemorypressureindicativeoftheattack.Ouradaptivedefenseutilizesqueuingdelayasametrictoidentifyandkillmaliciouscircuitsinordertopreventtheprocessfrombeingkilled.Wederiveresourceboundswithourdefensemechanisminplace,showingthatitcannotreasonablybeleveragedbyattackerstocauserelaystodestroyhonestclients'circuits.OurevaluationshowsthatouradaptivecircuitkillingdefensedetectsandstopstheSniperAttackwithnofalsepositives.Finally,wepresentandanalyzepathrestrictionsthatmiti-giatethethreatofDoSdeanonymization.Byrestrictingtherelaysitusesforsensitivecircuitpositions,aclientwillfailclosedtoanunavailablebutsafestateinsteadofanavaliablebutpotentiallycompromisedone.Weanalyzethesecurityandavailabilitycostofsuchchangesunderavarietyofparametersandndacceptablesecurity/availabilitytrade-offs.Ourmaincontributionsmaybesummarizedasfollows:adangerousanddestructiveDoSattackcapableofdisablingarbitraryTorrelays(SectionII);anevaluationofaprototypeoftheattackandourdefensesinasafe,virtualTornetwork(SectionIII);asecurityanalysisshowinghowtheattackmaybeusedtodeanonymizehiddenservices(SectionIV);practicaldefensesagainsttheSniperAttackthatre-duceTor'svulnerabilitytoattacksthatexploitTor'squeuingmechanisms(SectionV);andpracticaldefensesagainstDoS-baseddeanonymizationattacksthatimprovesecuritybylimitingnetworkexposure(SectionVI).II.THESNIPERATTACKInthissection,wedevelopaDoSattackagainsttheTornetworkthatcanbeusedtoanonymouslydisablearbitraryTorrelaysbykillingtheTorprocessonitshostmachine.Tofacilitateanunderstandingoftheexploitedprotocolfeatures,werstdescribetwobasicattackvariantsthatrequiretheadversarytorunbothaTorclientandeitheraTorexitrelayoranInternetservice.WethendescribeamoreefcientvariantthatonlyrequiresaTorclientandthereforesignicantlyreducestheresourcesrequiredbytheadversary.Finally,wediscussstrategiesthatdisguisetheadversary'sidentity.A.BackgroundTorisanapplication-leveloverlaynetworkenablinganony-mouscommunicationbetweenclientsandarbitraryInternetdestinations.Torclientsareresponsibleforpathselectionattheoverlaylayer,andformvirtualcircuitsthroughtheoverlaynetworkbyselectingthreerelaysfromapubliclistforeach:anentry;amiddle;andanexit.Onceacircuitisestablished,theclientcreatesstreamsthroughthecircuitbyinstructingtheexittoconnecttothedesiredexternalInternetdestinations.EachpairofrelayscommunicateoverasingleonionroutingconnectionthatisbuiltusingtheTransmissionControlProtocol(TCP).TheapplicationlayerprotocolsrelyonthisunderlyingTCPconnectiontoguaranteereliabilityandin-orderdeliveryofapplicationdata,calledcells,betweeneachrelay.Asaresultofusinghop-by-hopTCPatthenetworklayer,Tordoesnotallowrelaystodroporre-ordercellsattheapplicationlayer.Streamsaremultiplexedovercircuits,whichthemselvesaremultiplexedoverconnections.Torimplementsanend-to-endslidingwindowmechanismtocontroltheamountofdatadirectedintothenetwork.Foreverycircuit,eachedgenode(i.e.clientandexit)managesapackagewindowcounterthatisinitializedto1000anddecrementedbyoneforeverydatacellitdirectsintothecircuit,andadeliverywindowcounterthatisinitializedto100anddecrementedbyoneforeverydatacellitremovesfromthecircuit.Analogouscountersalsoexistatthestreamlevel,respectivelyinitializedto500and50.Thepackagingedge(PE)ofacircuitwillstopinjectingcellsfromanymultiplexedstreamwhosepackagewindowreacheszero,andwillstopinjectingcellsfromallmultiplexedstreamswhenthecircuitpackagingwindowreacheszero.Thedeliveryedge(DE)ofacircuitwillsendafeedbacksignal,calledaSENDMEcell,tothePEwheneverthecircuitdeliverywindoworanystreamdeliverywindowreacheszero.TheseSENDMEcellscausetheDEtoincrementtheassociateddeliverywindowbyitsinitializedvalue,andthePEtoincrementitspackagingwindowbythesameamount.2Thus,therewillnotbemorethan500datacellsinightonastream,andnotmorethan1000onacircuit.B.BasicAttacksTheSniperAttackexploitsTor'sreliableapplication-levelqueuing.OurassertionisthataDEthatstopsreadingfromaconnectionwillcausethenexthopnodetobufferafullpackagewindowworthofdata(1000cells)fromthePEforeveryactivecircuitmultiplexedovertheconnection,undertheassumptionsthatthereareatleasttwostreamsmultiplexedoneachcircuitandthatthestreamstransferenoughdatainaggregatetoreducethePE'scircuitpackagewindowtozero.WhenaDEwithincomingdatastopsreadingfromitsTCPsocketontheconnectiontoanadjacentrelay,theDE'sTCPreceivebufferwillll,itsTCPowcontrolwindowwillempty,anditwillannounceazerowindowtotheotherendoftheTCPconnection.TheadjacentrelaywillthennolongerbeabletoforwardcellstotheDE,causingitsTCPsendbuffer 2Inpractice,circuitandstreamdeliverywindowsarerespectivelyinitializedto1000and500.Whentheyreach900and450,SENDMEsaresentandtheyareincrementedby100and50.Therefore,thedeliverywindowswillnotfallbelow900and450undernormaloperation.2 Fig.1:Inthebasicversion1oftheSniperAttack,theadversarycontrolstheclientandtheexit.(a)Theclientcreatesacircuitusingthetargetastheentry.(b)Theexitgenerates,packages,andsendsdatathroughthecircuit,ignoringpackagewindowlimits.(c)TheclientstopsreadingfromtheTCPconnectiontothetargetentry.(d)ThetargetentrybuffersthedatauntiltheTorprocessisterminatedbytheOS.toll.WithafullTCPsendbuffer,theadjacentrelaywillbuffercellsintheapplicationlayercircuitqueue(recallthatTordoesnotallowrelaystodropcellsintheapplicationlayer)untilthePE'sstreamorcircuitpackagewindowreacheszero.ThePEwillthenstopsendingdataintothecircuit,andstopreadingfromthedatasource.Usingthemechanismdescribedabove,anadversarythatcontrolsaclientandarelaymayattackatargetrelayasshowninFigure1.Theadversarialclientconstructsacircuitbyselectingthetargetrelayastheentryandtheadversarialrelayastheexit.3Theclientsignalstheexittostarttheattackbyissuinganarbitraryrequestoverthecustomattackcircuit,andthenstopsreadingfromtheTCPconnectiontothetargetentry.Theexitsimplyignorestheemptypackagewindowsandcontinuouslysendsdataitarbitrarilygenerates,increasingtheamountofmemoryconsumedbytheentrytoqueuethecells.NotethatitisnotnecessaryforthemaliciousexittoproducecorrectlyencryptedTorcellssincetheywillneverbefullydecryptedbytheclient(thoughcorrectcircuitIDsarerequired).Eventually,theTorprocessontheentrynodedepletesalloftheavailablememoryresourcesandisterminatedbytheoperatingsystem.OnLinuxsystems,thisjobishandledbytheout-of-memory(oom)killer[1].AvariationofthebasicattackdescribedaboveisshowninFigure2.Inthisvariant,theadversarycontrolsaclientandaleserver.Theclientgeneratesarbitrarydataandpackagesitfordeliverytothetargetexit.TheadversarialserveravoidsreadingfromtheTCPconnectiontothetargetexit,againresultinginmemoryexhaustionanddeathoftheTorprocessonthetargetrelay'shostmachine.Notethatthecellsmustbeencryptedinthisattackvariantbecausetheywillbedecryptedbyamachinewhichisnotundertheadversary'scontrol.Notethattheadversarymaychooseanyrelayasitstargetentryinversion1ofthebasicattack,andshouldchoosetheleserver'sportaccordingtotheexitrelay'sexitpolicyinversion2.However,choosingrelayswithouttheGuardagforacircuit'sentrypositionwillraisesuspicionsinceTor'sdefaultpathselectionalgorithmwillnotchooseentriesinthatmanner.Alternatively,basicversions1and2maybeslightlymodiedtotargetanymiddlenode:inversion1theadversarymayadditionallyrunanadversarialentryrelaythatstopsreadingfromtheconnectiontoatargetmiddlerelay;inversion2theadversarymayrunanadversarialexitthatstopsreadingfromtheconnectiontoatargetmiddlerelayinsteadofrunninganexternalleserver. 3TheTorsoftwareprovidesparameters,EntryNodesandExitNodes,tospecifyalistofnodesfortherespectiveroles;onecouldalsousetheTorcontrolprotocol[4]tobuildcustomcircuits. Fig.2:Inthebasicversion2oftheSniperAttack,theadversarycontrolstheclientandtheserver.(a)Theclientcreatesacircuitusingthetargetastheexit,andconnectstoacolludingserver.(b)Theclientgenerates,packages,andsendsdatathroughthecircuit,ignoringpackagewindowlimits.(c)TheserverstopsreadingfromtheTCPconnectiontothetargetexit.(d)ThetargetexitbuffersthedatauntiltheTorprocessisterminatedbytheOS.WeassertthattheTCPconnectionfromtheclienttothetargetmustremainopenfromthevictim'sperspectivetopreventtheattackcircuitfrombeingclosedanditsqueuecleared,butthecostofdoingsoisinsignicant(anditcanbedonewithoutmaintainingstate[26]).Also,theadversarymayslightlyreducetherequiredbandwidthbyminimizingthesizeofitsTCPreceivebuffer,e.g.,byusingsetsockopt.C.EfcientAttackWenowdescribeanefcientSniperAttackthateliminatesthenecessityofgeneratinganduploadingdata,therebysigni-cantlyreducingresourcedemands.ThisefcientversionoftheSniperAttackexploitsTor'send-to-endowcontrolsignals.OurassertionisthattheSENDMEowsignalsexpectedbythePE(sothatitmaycontinuepackagingdataandsendingitintothecircuit)onlyimplythataDEreceiveddataandaDEmaysendSENDMEstothePEwithoutactuallyreceivinganydata.TheefcientsniperattackworksbycombiningtheSENDMEsignalmechanismdescribedabovewiththestopreadingmechanismfromthebasicversionsoftheattack.AsshowninFigure3,theadversarymustonlycontrolasinglemaliciousclient.Thisclientrstbuildsacustomcircuitbyselectingthetargetasthecircuitentry,andtheninitiatesthedownloadoftwolargeles(e.g.,largeLinuxdistributions)overthecircuittoensurethatthetwostreamswillemptytheexit'scircuitpackagewindow.Theclientthenstopsreadingfromtheconnectiontothetargetentry,andbeginsmaliciouslysendingSENDMEstotheexittoensurethattheexit'spackagewindowdoesnotreachzeroanditcontinuesinjectingpack-ageddataintothecircuit.Thesepackagedcellswillcontinuetoowtoandbebufferedbytheentryinitsapplicationqueue,continuouslyconsumingmemoryuntiltheentry'sTorprocessisselectedandkilledbytheOS.1)AvoidingDetection:TolaunchasuccessfulSniperAt-tack,theadversarymustcircumventaprotectivemechanismthatToremploystopreventprotocolviolations,e.g.,byclientswhotrytocheatbysendingmoreSENDMEcellstogetmoredataearlier.WhentheexitrelayreceivesaSENDMEthatcausesitscircuitwindowtogoabove1000cells,itdetectstheviolation,closesthecircuit,andsendsaDESTROYcellbackwards.Themiddlehopconvertsthelink-levelDESTROYcellintoaRELAYcelloftypetruncateandsendsittotheentry,whojustpassesitbacktotheclient.WhentheclientextractstheDESTROYcell(thatoriginatedattheexit)fromtheRELAYcell,itclosesthecircuitandsendsaDESTROYcellforwardtotheentry.Theentryclosesthecircuit(clearingthecircuitqueue)andforwardstheDESTROYcelltothemiddle,whoalsoclosesthecircuit.3 Fig.3:IntheefcientversionoftheSniperAttack,theadversarycontrolsaclientonlyandrepeatsthefollowingseveraltimesinparallel.(a)Theclientcreatesacircuitusingthetargetastheentry.(b)Theclientinitiatesalargeledownloadfromanexternalleserverthroughthecircuit.(c)TheclientstopsreadingfromtheTCPconnectiontothetargetentry.(d)TheclientsendsSENDMEcellstotheexit,causingittocontinuesendingdatathroughthecircuit.TherateofSENDMEsislowenoughtoavoidexceedingtheexit'spackagewindowsize.(e)ThetargetentrybuffersthedatauntiltheTorprocessisterminatedbytheOS.Inorderfortheattacktosucceed,theadversaryideallywould(a)preventtheexit'spackagewindowlengthfromexceedingitssize;and(b)incaseitdoes,theclientwouldavoidsendingoutthenalDESTROYcelltoensuretheentrydoesnotclearitsqueue.Notethatsincethemaliciousclientwillnotbereadingfromthetargetentry,theadversarywillnotbeabletodetermineif(a)occurred,andthereforedoesnotneedtohandle(b)inpractice.However,wenoteithereforcompleteness.Alsonotethat,aswillbediscussedinthenextsection,eveniftheadversaryfailsat(a)andtheexitdetectsaprotocolviolation,theattackcircuitwillcontinuetoconsumethetarget'smemoryuntiltheTCPconnectionisdestroyed.Theadversarymayavoidtheexit'sprotectivemechanismbysendingSENDMEstotheexitataratelowenoughsothattheexit'spackagewindowneverexceeds1000cells.OneapproachtoestimatingsucharateistoconsulttheTormetricsportal[8]anduserecentrelaybytehistoriestoestimatethethroughputofthecustomcircuit.However,giventhedynamicsoftheTornetworkanditsusage,thisapproachwouldlikelyresultinahighfailurerate.Instead,amaliciousclientmayaccountforrealtimecongestionbyperformingledownloadprobesthroughthesamenodesthatwerechosenforthetargetcircuit.IfeachprobedownloadsKiBin
seconds,thenwecanestimatethecircuitthroughputas=
KiB/s,or2=
cells/s(allTorcellsare512bytesinsize).NowrecallthatstreamandcircuitlevelSENDMEsaresentforeach50and100downloadedcells,respectively.Thus,usingourprobeweestimatethatstreamandcircuitlevelSENDMEsbesenteveryTss=25
=secondsandTcs=50
=seconds,respectively.Themaliciousclientmayupdate
byperiodicallyperforminganadditionalprobe,andlargervaluesofaremorecostlybutwillproducemoreaccurateestimatesovertime.Probingrequiresadditionaladversarialbandwidth,butthiscostmaybesignicantlyreduced.2)ParallelizingtheAttack:Recallthattheexitwillcloseacircuitifthepackagewindowexceedsitssize,andthiscircuitclosurewillbeundetectablebytheclientonceitstopsreadingfromthetargetentry.Althoughacircuitclosedbytheexitwillnotcausethetargetentrytoclearitsapplicationqueue(andthereforefreeanymemoryconsumedbythatcircuit),thecircuitmaynolongerbeutilizedtoincreasememoryconsumedbythetargetentry.ThissituationmayoccureveniftheadversaryprobesthecircuittondagoodSENDMErate,sincerelaycongestionandpaththroughputarehighlydynamic.Toimprovetheattack'sresiliencetocircuitclosureswhileatthesametimespeedinguptherateatwhichthetarget'smemoryisconsumed,theadversarymayparallelizetheattackbyusingmultipleteamsofmultiplecircuits.Onecircuitineachteamisassignedthroughputprobingduties(inordertomeasure
asdescribedintheprevioussection),whiletheremainingcircuitsareassignedSENDMEsendingduties(tocausetheexittopushdatatowardthetarget).The
computedbyateam'sprobingcircuitisusedtodynamicallyinformtherateatwhichthatteam'ssendingcircuitssendSENDMEs.EachteamisassignedaTorpathusingthetargetastheentryrelayandusesthatpathtobuildeachofitscircuits.Wenowconsiderhowthesecircuitsareconstructed.Recallthatoncetheattackbeginsandtheadversaryhasstoppedreadingfromtheonion-routingTCPconnectiontothetarget,itwillbeunabletodeterminewhichcircuitsonthatconnectionhaveclosedandwhichoneshavenot,andwillalsobeunabletocreatenewcircuitsoverthatconnection.Sinceaseparateconnectionisrequiredfortheprobingcircuits(becauseitmustcommunicatebi-directionally),theadversarywillneedatleasttwoconnectionstotheentryforeachteamiftheattackistobesuccessful.Withthisinmind,weconsiderthreeviableattackstrategies:1)useoneTorclientinstanceforeachcircuitofeachteam;2)useoneTorclientinstanceperteamthatcreatesanewonion-routingconnectiontothetargetwheneveroneisneeded;and3)usetwoTorclientinstancesperteam:onethatcontrolstheprobingcircuitandonethatcontrolsthesendingcircuits.Notethatuniqueonion-routingconnectionsareguaranteedbyusingseparateTorclientinstances.Althougheachoftheabovestrategiesareviable,wereject1)becausethereisahighresourcecostassociatedwithrunningmanyTorinstances,andwereject2)becausemultipleconnectionsfromasingleTorclientinstancewouldbeeasyfortheentrytodetectandwouldrequiresignicantcodechanges.Therefore,weassumetheadversaryusesstrategy3)whereallcircuitsareoperatinginparallel.Theuseofmultiplecircuitswithineachteamwillincreasethethroughputacheivedbythatteamfromitsassignedpathduetothecircuitschedulingpoliciesemployedateachrelayandwillpreventasinglesendingcircuitfailurefromstallingtheattack.Usingaconsistentpathwithineachteamensuresthatthesendingrate
isaccurateforallofthatteam'smembers.AssigningmiddleandexitrelaysindepentlyforeachteamfurtherutilizesTor'sdistributedresourcesbyreducingtheeffectofthroughputbottleneckswhilealsoincreasingtherobustnesstonodefailures.Finally,asthereisnocircuitfeedback,theadversarymayalsopausetheattackonexistingteamsandrotatetonewonesovertimetoensurethatthetargetentry'smemoryconsumptioncontinuestoincrease.3)HidingtheSniper:Forsimplicity,wehavethusfardiscussedtheSniperAttackasiftheadversaryisdirectlyconnectingtothetargetentry.Here,Cdenotesclient,Gdenotesentry,Mdenotesmiddle,Edenotesexit,andSdenotesserver,whilethesubscriptsAandVdenoteadversaryandvictim,respectively.Thepathoftheattackaspreviouslydescribedmaythenberepresentedas:CA$GV$M$E$SInthissituation,thevictimGVknowstheadversaryCA'sIPaddresssincetheyaredirectlyconnected.GVmayhaveenoughinformationtoblameCA,eitherduringoraftertheattack,becauseoftheanomalousbehavior.Extraprotectionsmaybedesiredtoavoidthisexposure.4 a)StealthwithTor:Toritselfisausefultooltoprovidesuchprotections.OnewaytheadversarycoulduseTorisbyalsorunningaTorexitnode:EACA$GV$M$E$SThissituationprovidestheadversaryplausibledeniability:GVwillnotbeabletodistinguishanattackbyCAfromonelaunchedthroughacircuitinwhichEAismerelyservingastheexit.4However,drawbackstothisapproacharethatEAwillneedtoserveasanhonestexit,whichconsumesfarmoreresourcesthanrequiredbytheattackandalsoresultsintheadversaryappearinginthepublicTordirectory.TheadversarythenhastoensurethatEAhasthecharacteristicsofotherhonestexits(hastherightconsensusagsforitsactivities,hastherightamountoftrafcforitsconsensusweight,etc).Further,GVwillstillknowtheIPaddressandmayuseitasastartingpointwhenlookingforsomeonetoblame.Alternatively,theadversarymayuseafullTorcircuit:C2AC1A,G1,M1,E1$G2V$M2$E2$SThisprovidestheadversaryanonymity.ItwillpreventA'sIPaddressfrombeingknownbyanyoneexceptG1,whowillbeoblivioustotheattack.Inthisscenario,C1AstopsreadingontheconnectiontoG1butC2AsendsSENDMEstoE2throughtheC1Aproxytunnel.Adrawbacktousingaseparatecircuitinthiswayisthatitmayslightlyincreasethelatencyandlengthoftheattack,becauseG2VwillnotstartdepletingitsmemoryresourcesuntilE1'spackagewindowreacheszero.ItmayalsobemoredifculttoestimateagoodSENDMEratewhenconcatenatingtwocircuits,andtheadversarymustnowruntwiceasmanyTorclientinstancestoensurethateachteamhastwoanonymoustunnels.Finally,acircuitthatexitsbackintoTormaydrawunwantedsuspicion.b)StealthwithoutTor:AlternativestousingTortohideincludeusingpublicopenwirelessaccesspoints,brieyrentingasmallbotnet,orusingacloudcomputingsystem.However,moreentitieswillthenknowabouttheadversary'sactions,increasingtheriskofdiscovery:accesspointsandcloudserviceswillbecollectinglogs;andsomenumberofbotscouldbepartofahoneypot.TheadversarymaywanttoconnecttotheseservicesthroughToranywaytoremainanonymoustothem,andthecompositionofserviceswillmakeiteasiertomakeamistake.ByusingTorasdescribedabove,theadversarydoesnotneedknowledgeofbotnetsorcloudsystems,drasticallysimplifyingtheattack.III.EVALUATIONWeimplementedaprototypeoftheSniperAttackinordertoevaluateitsfeasibilityandefcacy.WeevaluateditusingShadow[28],adiscreteeventnetworksimulatorthatrunsTorcodeinaprivateTornetwork,aftertestingitsfunctionalityinaminimalprivateTornetworkinourlab.ShadowenablesasafedevelopmentandevaluationenvironmentthatdoesnotharmthesecurityandprivacyoftheoperationalTornetworkoritsusers,whilealsoprovidingrealisticresultssinceitrunsauthenticTorcode.Inthissection,wedetailourprivateTornetworkconguration,describeourprototypeimplementation, 4GVcandistinguishCREATEcellsfromEXTENDcells,butitisplausiblethataCREATEcelloriginatedfromsomeclientinaseparatecircuitterminat-ingatEAratherthanfromCA,e.g.,ifthatclientisusingTor'sSocks4ProxyorSocks5Proxyoptions.evaluatetheattack'sefciencyandresourcecosts,andanalyzeourresultsinthecontextoftheliveTornetwork.A.PrivateTorNetworkTornodesrunninginShadowcommunicateoverasimu-latednetwork.Therefore,Shadowrequiresmodelsofdown-streamandupstreamnodebandwidthsaswellaslinklatency,jitter,andpacketlossrates.TheShadowdistribution[3]in-cludesthesemodels,andalsoincludestoolstogenerateprivateTornetworkcongurationsforrunningShadowsimulations.UsingthesetoolsandrealnetworkdatapublishedbyTor5[8],wecongureaprivateTornetworkconsistingof4directoryauthorities,400relays,500leservers,and2800clients.Thisprivatenetworkconsumesroughly60GiBofmemoryonourLinuxhostduringeachexperiment.TheclientsgeneratebackgroundtrafcduringtheexperimentsbydownloadingvariouslysizedlesfromtheserversthroughourprivateTor,causingcongestionandperformancecharacteristicsindicativeofconditionsintheliveTornetwork.AllofthesenodesrunintheShadowsimulatorandcommunicateonlywithoneanother.OurcongurationfollowsthemethodologiesfromrecentlypublishedandvalidatedresearchonmodelingprivateTornetworks[27],whichdescribesindetailthemodelingchoicesmadebyShadow'scongurationgenerationtool.B.TheSniperAttackPrototypeWeimplementedtheparallelversionoftheefcientSniperAttackasdescribedinSectionII-C,includingmultipleparallelcircuitsbutwithouttherotatingcircuitsenhancement.InourCprototypeimplementation,amanagermanagesallworkers,eachofwhichusetheTorcontrolprotocol[4]tocommandandcontroltheassociatedTorclientinstanceanditscircuits.TheworkersrunamodiedTorclientinstance,basedonstablerelease0.2.3.25,thatadds:aSTOPREADINGcontrollercommandwhichinstructsTortostopreadingfromtheonionroutingconnectiontothetarget;SENDSTREAMSENDMEandSENDCIRCUITSENDMEcommandswhichinstructsTortosendastream-levelandcircuit-levelSENDMEsonthespec-iedstreamsandcircuits;andanIGNOREPACKAGEWINDOWcommandthatinstructstheclienttoignorepackagewindowswhensendingdataupstream.WeimplementedbothdirectandanonymousSniperAttackmodes.Indirectmode,eachworkerconnectstotheTorclientoverthecontrollerport,waitsforittobecomefullybootstrappedintotheTornetwork,andbuildsitscustomTorcircuitsusingthesamepathastheotherworkersonitsteam.Oncetheattackcircuitsareready,theprobingworkersbegincircuitmeasurementprobesbydownloadinglesthroughtheirattackcircuit;theremainingworkersrequestanextremelylargelethroughtheattackcircuit,commandTortostopreading,andsendtwostreamSENDMEsandonecircuitSENDMEforeverycompletedprobedownload.Inanonymousmode(seeSectionII-C3a),eachworkerrunstwoTorclientinstancesinsteadofone:therstisusedtocreateananonymoustunnelthroughTor;thesecondisusedasindirectmode,exceptthatallcommunicationwithrelaysisdoneovertheanonymoustunnelusingtheSocks4ProxyTorcongurationoption.NotethattheclientinstancesthatcreatetheanonymoustunnelsignoretheirpackagewindowsusingtheIGNOREPACKAGEWINDOWcommand,becauseotherwise 5Weusetheserverdescriptorsandextrainfodocumentsfrom2013-06,andtheTorconsensusfrom2013-06-30-23-00-005 (a)TargetMemoryoverTime (b)TargetMemoryConsumption (c)SniperBandwidthConsumptionFig.4:TheSniperAttackresourceconsumption.Shownin(a)isthetargetrelay'smemoryusageovertimeindirectandanonymousattackmodes.Comparedareattackswith1teamof5and10circuits,5teamsof10circuitseach(50circuitstotal),10teamsof10circuitseach(100circuitstotal),andnoattack.Theshadedareaindicatesthetimeduringwhichtheattackisactive.Shownin(b)and(c)arethedistributionsofthemeanconsumptionrateofthetargetrelay'sRAMperexperimentandmeansniper'sbandwidthcostperexperiment,respectively,over50experimentseachofdirectandanonymousSniperAttacks.Thesniperineachexperimentisconguredtouse10teamsof10circuitseach(100circuitstotal).consensusweights:thiswillhavethelargestimpactonuserssinceTor'sloadbalancingalgorithmistunedsothattheprobabilitythataclientchoosesarelayisinproportiontothebandwidthcapacitythatrelaycontributestothenetwork.However,sincerelaymemoryresourcesarenotpublic,wecon-sideranadversarythatchoosesrelaysbasedontheconsensusweightaloneandexplorethetimetodisablethemaccordingtovariouspotentialmemorycongurations.Becauseoftheloadbalancingalgorithmandthefactthatcurrentlytherelayswiththetop100weightsconstitute40percentoftheselectionprobability,theadversarymayhavesignicantimpactonthenetworkbydisablingarelativelysmallgroupofrelays.Weutilizetheresultsfromour100experimentsdiscussedabovetoestimatememoryconsumptionratesthatanadversarymayachieveonliveTornetworkrelays.Todothis,wecomputethecorrelationbetweentheobservedmeanmemoryconsumptionrateofeachtargetrelayinourexperimentsandthatrelay'sconsensusweightusingalinearregression.Thisresultsinparametersthatweusetoestimatethememoryconsumptionrateofanyrelayforwhichwehaveaconsensusweight.Negativerateestimateswerereplacedwiththemini-mumobservedrate.Wethenusetheseratestocomputethetimetodisablevariousgroupsofrelays:weconsiderthetop,median,andbottomguardandexitrelaybytheprobabilityofselectionbyclientsoutofthosewiththeFASTag,asrelayswithouttheFASTagareonlyselectedifnoFASTrelaysareavailable.Wealsoconsiderthetop5and20ofbothguardsandexitsasthoserelayswillbeselectedmostoftenbyclientsandrepresentthemostattractivetargetsfortheadversary.Weconsiderthe10directoryauthoritiesasthenalgroup,asthenetworkwillnotfunctionovertimewithouttheauthoritativedocumentstheycollectivelyproduceanddistribute.ShowninTableIIisthetotalselectionprobabilityforeachrelaygroup,andtheestimatedtotallengthoftimetodisableallrelaysinthegroupwhentheSniperAttackissynchronouslylaunchedonasinglerelayatatime.Weconsidermemoryconsumptionratesforbothdirectandanonymousattacks,andconsiderthelengthoftimetodisablerelayswith1and8GiBofRAMasexamplesofrelaymemorycapacities.NotethattheseresultsscalelinearlytootherRAMsizes.AlsonotethatTABLEII:CombinedPathSelectionProbabilityofandEx-pectedTimetoDisableSelectedGroupsofRelaysTime(H:M)toConsumeRAM Direct Anonymous Sel% 1GiB 8GiB 1GiB 8GiB RelayGroups TopFASTGuard 1.7 0:01 0:18 0:02 0:14 MedianFASTGuard 0.025 0:23 3:07 0:23 3:07 BottomFASTGuard 1.9e-4 1:45 14:03 1:45 13:58 TopFASTExit 3.2 0:01 0:08 0:01 0:12 MedianFASTExit 0.01 1:45 14:03 1:22 10:53 BottomFASTExit 6e-5 1:45 14:03 1:48 14:20 Top5Guards 6.5 0:08 1:03 0:12 1:37 Top20Guards 19 0:45 5:58 1:07 8:56 Top5Exits 13 0:05 0:37 0:07 0:57 Top20Exits 35 0:29 3:50 0:44 5:52 AllDirAuths N/A 17:34 140:32 17:44 141:49 althoughthelinearregressiondidnotresultinastrongcor-relation(direct:r2=0.164,anonymous:r2=0.237),webelieveitprovidesareasonablepredictionofRAMconsumptionforanalysispurposesasweexpecttheactualtimetodisablethegroupsofrelaysgiveninTableIItofallsomewherethetimesgiveninthe1GiBand8GiBcolumns.Ouranalysisshowsthatthefastestguardandfastestexitwith1GiBofRAMcanbedisabledinjustoneminutewhenusingthedirectattack,therebydisablinganexpected1.7and3.5percentofpathsintheTornetwork,respectively.Whenallotting8GiBofRAMfortheserelays,theycanbedisabledinunder20minutesinbothattackmodes.Perhapsmorestrikingly,theentiregroupofthefastest20exitscanbedisabledinjust29minutesifeachrelayhasonly1GiBofRAM,andinjustunder4hoursifeachrelayhas8GiBofRAM.(Theanonymousattacktakesslightlylongerinbothcases.)ThiswouldbeextremelydisruptfultotheTornetwork,causingroughly35percentofallpathstofailandincreasingloadandcongestionontheremainingrelays.Similarly,thegroupofthefastest20guardscanbedisabledinjust45minutesifallotting1GiBofRAMforeachrelay,andjustunder6hoursifallotting8GiBofRAMforeach(again,theanonymousattacktakesslightlylonger).Thiswouldcause19percentofTorpathstofail.Finally,theattacktakessignicantlylongeronthegroupofdirectoryauthorities,sincetheirlowerbandwidthweightsresultinlowerRAM7 consumptionratesthanthefastestrelaygroups.Notethatrelayswilllikelyberebootedbytheiroperatorssometimeaftergoingdown,however,allcircuitstheywerecarryingwillbelostandtheattackcouldberelaunchedagainstarelayassoonitisavailable.Thismayeffectivelycausearelaytobemarkedasunstableandnotchosenbyclientsfortheircircuits.IV.DEANONYMIZATIONINTORTheSniperAttackismorethanjustathreattoTor'savail-ability:itcanalsobeusedasanattackonanonymity.BecauseToracceptsanywillingrelayintothenetwork,anadversarythatrunsrelayscandeanonymizeavictimbycontrollingtheentryandexitrelaysandcorrelatingtheobservedtimingandvolumeofauser'strafcenteringthenetworkwiththatleavingthenetworkshortlyafterwards[11],[42].Topreventanadversaryrunningrelaysfromeventuallybeingchosenforthesepositions,auserchoosesasmallsetofentryguards(Tordefaultsto3guards),andbeginsallcircuitsatoneoftheseguards.Thisprotectstheuserfrombeingdirectlyobservedaslongasadversarialrelaysarenotchosenasguards.Aguardisusedfor30–60days,atwhichpointareplacementisselected[21].Thusauser'sguardsareanattractivetargetfortheSniperAttack.Iffewenoughofauser'sguardsareresponsive(atmost1inTor),theuserwillselectnewguardsasreplacements.Bydisablingtheuser'sguards,theadversarycancausetheusertochoosenewguardsandhopethatanadversarialrelayisamongthem.Thisprocesscanberepeateduntiltheadversarysucceeds.Thisattackrequirestheadversarytoidentifythetarget'sguardsandtoforcehertochoosenewonesassoonastheoldonesaredisabled.Doingsoisparticularlyeasywithhiddenservices[34]becausetheycreatecircuitsondemand.Therefore,wewilldescribeandanalyzetheattackappliedtohiddenservices.DeanonymizingTorclientsusingtheSniperAttackislessstraightforwardbecausetheygenerallydonotrespondondemand.However,insomesignicantcasesguardscouldbeidentiedandguardreselectioninitiated.Forexample,auserdownloadingalargelecouldgivetheadversaryenoughtimetodiscovertheguardusingacongestionsidechannel[23],[24],[33].Furthermore,downloadmanagersandBitTorrentclientsgenerallyautomaticallyrestartaninterrupteddownload,whichwouldpromptguardreselectionbyTor.Finally,wenotethatinadditiontodeanonymization,theadversarycouldusetheSniperAttacktoattackTorprivacyinotherways.Forexample,hecouldattacktheexitsoflong-livedcircuits,suchasIRCconnections,inordertobechosenasthereplacementexitanddiscoverthedestination.Hecouldalsoattackexitrelaysthatallowconnectionstocertainportsinorderforadversarialrelaystoobservealargerfractionofexittrafctosuchports.A.DeanonymizingHiddenServicesHiddenservicesprovideresponderanonymityforapersis-tentservice.UsersareabletoconnecttotheservicethroughTorwithoutknowingitslocation.LetHbeahiddenserviceandCbeaclient.HchoosesasetIofTorrelaysasintroductionpointsandcreatespersistantcircuitstothem.Theprotocolforusingahiddenserviceis(1)CchoosesaTorrelayRtoserveasarendezvouspointandcreatesacircuittoit;(2)CchoosesanintroductionpointI,createsaTorcircuittoit,andsendsRtoHthroughI;(3)HcreatesacircuittoR;and(4)CandHcommunicatetoeachotherovertheirrespectivecircuitstoR.Toperformtheanonymityattackonatargetedhiddenservice,theadversarywillneedtocontrolatleastonerelaythatcanserveasaguard,andhewillneedtocontrolanotherrelaythatcanserveasarendezvouspoint.Foranadversary'srelaytobeusedasaguard,itmustsatisfyminimumuptimeandbandwidthrequirements(roughly,itsuptimemustbeatleastthatofthemedianrelay,anditsbandwidthmustbeatleasttheminimumofthemedianbandwidthand250KB/s[7]).AnyrelayintheTornetworkcanserveasarendezvouspoint.Thedeanonymizationattackproceedsinthreephases:1)Identifytheguardsofthehiddenservice;2)DisabletheguardswiththeSniperAttack;and3)Testifthehiddenserviceselectedanadversarialrelayasareplacementguard,andrepeatfrom1)ifnot.Todescribethesephasesindetail,letGAbetheadversarialrelaythatcanbeusedasaguard,RAbetheadversarialrelayintendedtobeusedasarendezvouspoint,CAbeanadversarialTorclient,andHbethetargethiddenservice.Phase1(IdentifyGuards):AusercanforceHtoselectanewcircuitbyrequestinganewconnectionthrougharendezvouspoint.Hchoosesthecircuit'srelaysotherthantheguardroughlyatrandomweightedbybandwidth.Thus,byrequestingenoughconnections,theadversarywilleventuallycauseHtochoosecircuitssuchthat,foreveryguardofH,insomeofthosecircuitstheadversarialrelayGAisthehopafterthatguard.Forthesecircuits,theadversarycandirectlyobservetheguards'identities,althoughhemaynotrealizeit.Biryukovetal.describeanefcienttechniquefortheadversarytorecognizewhenheisinsuchasituation[12].TherendezvouspointRAsendsapatternof50PADDINGcellstoHdowntherendezvouscircuitfollowedbyaDESTROYcell.IfGAobservesapatternof2cellsonarendezvouscircuitfromahiddenserviceand52cellsonthesamecircuittothehiddenservice(thecellsinexcessof50arefromcircuitconstruction),followedbyaDESTROYcellshortlyafteroneissentbyRA,itconcludesthattherelayonehopclosertoHonthecircuitisaguardofH.DuringexperimentsontheliveTornetwork,Biryukovetal.observednofalseidenticationsusingthismethod.Theyalsonotethattheattackcouldbeperformedwithoutanadversarialrendezvouspoint,althoughitwouldslowtheattackbecausetherendezvouscircuitmustextendtoCA.Usingthismethod,theadversarycanquickly,efciently,andperfectlyidentifyallguardsofH.Moreover,thediscoveryprocesslooksfairlyinnocuoustoH,whichonlyseesaseriesofnormalrendezvousrequests.Ofcourse,allsuchrequestsaretothesamerendezvouspoint,theconnectionsmayappearabnormallyfast,andnodataisevercarriedonthecircuits.Ifstealthinessisagoal,theattackcouldbemountedfromCAwithnormalrendezvouspointselection,ataslowerrate,andincludingsometypicaldatarequestsascover.Thiswouldcomeatthecostofsomespeedandefciency.NotealsothatØverlierandSyverson[34]describealess-efcientmethodofguardidenticationthatdependsonperformingtrafccorrelationthatislessprecisebutismorerobusttocountermeasures.Phase2(DisableGuards):OnceH'sguardshavebeenidentied,theadversarycanusetheSniperAttacktocausetheTorprocessofeachguardtobekilled.Theattackcanberunagainstallguardsinparalleltoreducethetimeofthe8 attacktothetimetokilljustoneguard.Moreover,attackingtheguardsatthesametimeincreasesthelengthoftimethattheguardsremainsimultaneouslyunavailable.Eventually,wewouldexpecttherelayoperatortonoticethattheTorprocesswaskilledandrestartit.Phase3(TestforGuardSelection):Oncethehiddenservice'sguardsaredisabled,theadversarycaneasilycausenewonestobeselectedsimplybyconnectingnormallytotheservice.ThenhecandetermineifhisguardGAwasselectedbyHusingtechniquesverysimilartothoseusedtoidentifyguardsinPhase1.AdifferenceisthathewouldlookonthecircuitsofGAforthosewith3cellsfromthecircuitoriginand53cellstowardsitbeforedestruction.ThissteprequiresonlyenoughcircuitsthatanygivenguardofHissufcientlylikelytobeusedforatleastone(e.g.with35circuits,theprobabilityofsuchaselectionfailingtooccurisatmost(2=3)3510�6).B.EvaluationTheDoSDeanonymizationAttackexecutesanumberofthree-phaseroundsuntilitsucceeds.ToestimatethetimetocompleteroundioftheattackonhiddenserviceH,letti1bethetimetoidentifytheguardsofH(Phase1),ti2bethetimetodisabletheguardsofH(Phase2),andti3bethetimetotestifHselectedamaliciousrelayasaguard(Phase3).Letrbethenumberofroundsneededfortheattack.Thenthetotalattacktimetcanbeexpressedast=Pri=1ti1+ti2+ti3.WeestimatetfortheactualTornetworkandvarioussizesoftheadversary,anduserealTornetworkdatafromTorMetrics[8].1)TimeforPhase1(ti1):ToidentifytheguardsofH,theadversaryrunsamaliciousrelayMAandcreatesenoughconnectionstoHsuchthat,foreachguardG,aresultingcircuitfromHtotherendezvouspointusesMAasthemiddlerelayandGastheguard.TheconnectionstoHcanbecreatedinparalleltospeedupthisphase.LettcbethetimefrominitiatingaconnectiontoHuntilMAobservesthecellpatternthatindicatesitspresenceonarendezvouscircuitofH.LetcibethenumberofconnectionsthatareneededforMAtoobserveallguardsofH.Let`bethenumberofconnectionscreatedinparallel.Thetimeforthisphaseisthenti1=tcci=`.Toestimatetcandci,weranahiddenserviceexperimentinShadow.Duringtheexperiment,aclientrepeatedlycreatednewconnectionstoahiddenserviceandsentthe50-celltrafcsignatureusedtorecognizerelaysontheresultingcircuit.Notethatweusedtheversionoftheattackinwhichtheclientsendsthesecellsratherthantherendezvouspoint.Werecordedthepathsofthesecircuitsandthetimefrominitiationoftheconnectionuntiltheservicereceivedthetrafcsignature.Ourexperimentswereperformedintwosessions,eachwith10client-serverpairsruninparallelandwithbackgroundtrafc.Duringtheseexperiments,8319connectionstohiddenserviceswerecreated.Theaveragetimebetweenstartingaconnectionattheclientandreceivingtheinsertedcellpatternattheserverwas10.69s.Theminimumtimewas1.45sandthemaximumtimewas319.87s.Thusweexpectthattc=10:69.OurexpectationforcidependsonthebandwidthofMA.Thehigherthebandwidthis,themorelikelythatMAisselectedinacircuitandthelowerthatciis.ThusweconsiderarangeofcapacitiesforMA.TableIIIshowstheaveragenumberofconnectionsthatclientshadtomaketoidentifytheguardsofHwhenweconsiderrelaysofdifferentsizestobethemaliciousrelayMA.Therelaysweselectwerechosenmiddlerelayswithprobabilitiesthatrangefrom0.0026toTABLEIII:SpeedofGuardIdentication SelectionProb. TorBW Avg#ofCxnsto t1(min), asMiddle (MiB/s) IdentifyAllGuards `=10 0.0026 8.41 598.00 10.65 0.0052 16.65 357.33 6.37 0.010 31.97 227.94 4.06 0.021 66.04 141.74 2.53 0.030 96.61 118.40 2.11 0.030.WeestimatethebandwidthaTorrelaywouldneedtobetobeselectedwiththoseprobabilitiesusingalinearregressionontheconsensusweightsandtheestimatedrelaycapacity.Theregressionisonnetworkdatafrom6/30/13.Wecanseethatforrelayswithbandwidthintherangeof8–100MiB/s,theaveragenumberofconnectionscneededtoidentifyallguardsrangesfrom598to118.cisagoodestimateforc1,andastheattackprogressesthroughadditionalroundstheexpectationforcionlydecreasesasrelaysaredisabledandthemaliciousrelaybecomesalargerfractionoftheactivenetwork.Thuswecanconservativelyusecastheestimateforallci.Wecanthenuset1=tcc=`asaconservativeestimateforthetimeti1tocompletePhase1inroundi.TableIIIshowsthistimefor`=10parallelconnections.Weusethisvalueof`becauseourexperimentsconsistedof10clientssimultaneouslyconnectingtohiddenservices.However,weexpectthatmanymoreconnectionscouldbecreatedinparallelwithoutincreas-ingtheconnectiontimetcmuchbecausethetimeisdominatedbynetworklatencyandcreatingaconnectionusesrelativelylittlenetworkbandwidth.Thiscouldpotentiallydecreaset1toaslittleastc=10:96s.2)TimeforPhase2(ti2):Duringtheithroundofagivenattack,therelaywillhaveselectedasetofguards(Torusesatmost3).WesupposethattheSniperAttackcanberuninparallelonallofthese,andthusthetimeti2todisableallofthemisthelongesttimeittakestodisableanyoneofthem.Givenasetofguards,wecanusethelinearregressionofSectionIIItoestimatethememoryconsumptionratefromtheTorconsensusweight.Thenwecanconsiderthetimetolleachguard'smemoryforvaryingmemorycapacities.3)TimeforPhase3(ti3):DuringPhase3,theadversarycreatesenoughconnectionstoHthatifGAhasbeenchosenasaguardofH,itwillbedetectedonaresultingrendezvouscircuit.Wesupposethattheadversarycreates35connectionssothatifGAisaguarditfailstobeusedasaguardononeoftheresultingrendezvousconnectionswithprobabilitylessthan6:8710�7.Weuseourpreviousestimatefortheexpectedcircuitconstructiontimeof10.69sandsupposethattheadversarymakes10parallelcircuits.Wethusestimatethatti3=410:69=42:76sforalli.4)TimeforDoSDeanonymizationAttack(t):Toprovideanestimatefort,wesimulatetheselectionofguardsbyHduringtheattackusingtheTorPStool[5].AsinputtoTorPS,weuseaTorconsensusandserverdescriptorsfrom6/30/13.Weperform10,000simulationsoftheattack.Duringeachsimulation,guardsareselectedbyHineachrounduntilGAischosen.Weestimatethetotaltimetforasimulationbyaddingthegivenphaseestimatesineachround.TableIVshowstheresultsofthesesimulations.ForeachbandwidthcapacityofthemaliciousguardGA,wecanseetheresultingprobabilitypofbeingchosenduringanindividualguardselection.Thisdirectlyaffectstheexpectednumberofroundsneededfordeanonymization,whichwecanseeranges9 seematarstglance.Forinstance,themoststraightforwardapproachwouldbetokillthecircuitwiththelongestqueue.This,however,canbeleveragedforanewattack:anadver-sarycouldsetupalargenumberofcircuitswithrelativelyshortqueuesonagivenrelay,sothatthisrelay'smemoryconsumptionisveryclosetocritical.Wheneverabenigncircuittemporarilybuildsupalongqueue,thethresholdwillbeexceededandabenigncircuitwillbekilled,whiletheadversary's(shorter)circuitswillremaininplace.Therelayisthereforemanipulatedinsuchawaythatitwillregularlykillbenigncircuits—withoutanyneedfortheattackertospendresourcesbeyondinitiallysettingupthecircuits.Whiletherelaywillnotcrashduetorunningoutofmemory,thisisstillhighlyundesirable.Wemustthereforeaimforadecisioncriterionwhichcannotbeabusedbyanattackertomakearelaykillbenigncircuits.Here,weproposetousethetimeofarrivalofthefrontmostcellinthequeueasthebasisforourdecision:ifmemorybecomesscarce,thecircuitkillingmechanismwillkillthecircuitwiththecurrentlyoldestcellatthefrontofitsqueue.Werequirethateachincomingcellbetaggedwithatimestampuponarrivalatarelay,butnotethatthisalreadyhappensinthecurrentversionsofTorinordertocomputecelldelaystatistics.Therefore,thismechanismisalmosttrivialtoimplement.Intheremainderofthissection,wewillarguewhyitisalsoeffective.Togainanintuitiveunderstanding,observethatanattacker—inordertoavoidthathiscircuitiskilledwhenmemorybecomesscarce—willhavetokeepthefrontmostcellinthecircuit'squeue“fresh”.SinceTorcircuitqueuesarestrictFIFOqueues,thefrontmostcellinanygivencircuitqueuewillhavespentmoretimeinthisqueuethananyothercell.Theattackeristhereforeforcedtocontinuouslyreadfromallhiscircuits;otherwise,thecellattheattackcircuit'sheadwillsoonbeolderthanthefrontmostcellsinthequeuesofbenigncircuits.Thus,byderivingboundsontheshareoftherelay'savailablebandwidththatisrequiredinordertomakearelaykillabenigncircuit,wewillbeabletoprovetheeffectivenessofthedefensestrategy.2)ProofSketch:ConsideraspecicrelaywhichoffersatotalbandwidthBforrelayingTorcircuits.WeassumethatBisavailablebothinincomingandinoutgoingdirection(substantiallyimbalancedincomingandoutgoingbandwidthsdonotmakesenseforarelaywhichessentiallyforwardsallincomingdata).Furthermore,assumethatthisrelayiscurrentlyusedbyatotalofnactivecircuits.Wedeneanactivecircuitasacircuitwhichcurrentlyhasatleastonecellinitsqueue.Iftheoutgoingbandwidthoftherelaywereassignedtotheactivecircuitsinaperfectlyfairmanner,theneachcircuitwouldexperienceanoutgoingdatarateofrfair=B n:(1)Ofcourse,inpractice,thedistributionwillnotbeperfectlyfair;infact,therearecertainknownartifactswithrespecttointer-circuitfairness[43].ButTorrelaysincludemechanismswhichwillstillresultinbandwidthallocationstocircuitsthatarenotarbitrarilyunfair:thereisaround-robinschedulerwhichpickscellsfromcircuitqueuesfortransmission.Moreover,circuitsarecarriedoverTCPconnections,andTCP,too,strivesforafairdistributionofavailablebandwidthtomultipleconnections.Bothofthesemechanismsarecontrolledbytherelayandarethusoutsidethesphereofinuenceofanattacker.Wewilldiscussthecaseofanattackerwhoisabletoclaimahugefractionoftherelaybandwidthforhimselflater.Fornow,wemayreasonablyassumethatthereisafairnessfactor01suchthateachactivecircuitreceivesabandwidthshareofatleastrB n:(2)Aswewillsee,theexactvalueofisnotcriticalforourscheme,aslongasanactivecircuit'sbandwidthsharedoesnotbecomearbitrarilysmallforalongerperiodoftime.NowobservethatbenigncircuitswilltypicallyhavequeueswhichareboundedabovebyarelativelysmallsizeQ.Qis,asdiscussedbefore,intheorderof1000cellsinthecurrentTorprotocol.Evenifpossiblefutureprotocolversionsdonotenforceahardupperlimit,observethathighvaluesofQimplylongqueuesintherelaysandthuspoorcircuitperformance.Inpractice,anyreasonablefutureprotocoldesignwillthereforealsoresultinreasonablequeuelengths.NotethatwhileweassumethatsuchanupperboundQexistsinouranalysis,itsvalueneednotbeknownandisnotusedtodecidewhichcircuittokill.Theexactvalueisthusmuchlesscriticalthaninthepreviouslydiscussedqueuelengthdefense.Basedontheseassumptionswemakeacentralobservationforourargument:ifabenigncircuit'squeuelengthdoesnotexceedQanditsmeanrateisatleastr,thenthemaximumtimeforwhichacellcanremainqueuedisboundedabovebydmax=Q r=Qn B:(3)Therefore,iftnowisthecurrentpointintime,thecellsattheheadsofallbenigncircuits'queueswillhaveatimestamplaterthantnow�dmax.Notethatanattackerusingasinglecircuitwillthushavetomakesurethatthecellatthefrontofthequeuedoesnotbecomeolderthandmax,i.e.,thecellmusthavearrivedatapointintimelaterthantnow�dmax.Onlythencantheattackerhopethatabenigncircuitwillbekilledinsteadoftheattacker'scircuit.Iftheattackerusesmultiplecircuitsinparallel,thesamecriterionmustholdforallthesecircuits.Consequently,allthecellsintheattacker'scircuitsmusthavearrivedwithinatimeintervaloflengthdmax.LettheamountoffreememoryattherelaybedenotedbyM.Theattackermust(roughly)buildupqueueswithatotalsizeofMbytesinordertomaketherelaykillcircuits.Since,asseenbefore,theattackermustinjectallthesecellswithinatimespanoflengthdmax,theattackerneedstosendcellsintotherelayatameanrateofatleastra=M dmax=M Q
B n=M Q
r:(4)ThisisafactorofM=Qhigherthantheminimumoutgoingraterwhichweassumedforbenigncircuitsabovein(2).ObservethatM=Qcaneasilybemadeaverylargenumberifsufcientmemoryisprovided.Werecommendanorderofmagnitudeofafewhundredmegabytes,whichisnotaproblemontoday'srelays(alsoonmachineswitha32bitaddressspace)andresultsinafactorM=Qintheorderof1000.Theattackerwouldthereforehavetoclaimtheincomingrelaybandwidthvirtuallyentirelyforhimselfinordertomountasuccessfulattackthatresultsinabenigncircuitbeingkilled.Althoughsuchanattackispossibleifanadversaryhasenough11 developandnewrelaysarequicklyused.Middleguardsneedonlyslowdownguarddiscoverytothespeedofotherknownmethodsforidentifyingguards,suchasthroughputngerprinting[33]orthelong-pathcongestionattack[23],whichareeacheffectivewithinhours.Theircomplexityandresourcecostissignicantlyhigherthanpassiveobservationatarelay,however,andsothespeedsoftheattacksneednotbeequalized.Moreover,becausemostTortrafccontinuestobeload-balancedeffectively,thenetimbalancefrommiddleguardsseemslikelytobesmall.Thedefenseofferedbymiddleguardsisthatanadversaryrunningmaliciousrelayscannotquicklydiscoverhidden-serviceentryguardsbysendingtheservicemanyrendezvousrequests.Instead,anadversarytryingtodirectlyobservetheentryguardmustwaittobeselectedeitherastheentryguarditselforasamiddleguard.Withammiddleguardsandanaverageexpirationofe=(e0+e1)=2days,anadversarywithaprobabilitypofbeingselectedasarelaywillexpecttowait(1=(1�(1�p)agam)�1)edaysuntilbeingselectedasthemiddleguardofsomeentryguard.Supposethatag=1,am=2,e0=30ande1=60(i.e.middle-guardexpirationisthesameascurrententry-guardexpiration),andp=0:021(thelargestmiddle-relayselectionprobabilityon6/30/13).Thentheexpectedtimefortheadversarytobeselectedasamiddleguardis1037:79days.VII.RELATEDWORKInternetDoSattacks,thosethatmakeanInternetserviceunavailableforlongerthantheintendedwaitingtime[45],havebeenextensivelystudiedintheliterature.Althoughuniqueinthisspace,theSniperAttackismostcloselyrelatedtolowrateandslowreadDoSattacks,whicharevariantsofthewell-knownSYNoodDoSattack[20],[40].Thegoaloftheseattacksistoexhaustresourcesinordertopreventthevictimfromprocessingnewincomingconnectionrequests.Transportlayerlowrateattacks[30]exploitTCP'sretrans-missiontimeout(RTO)dynamics.Anattackerrepeatedlysendsshorthigh-ratepacketbursts,whichproducepacketlosses(i.e.,timeouts)andthusmakethevictimdoubletheRTOofotherTCPconnections[37].Transportlayerslowreadattacks[26]sendlegitimatedatarequests,advertiseasmallTCPreceivewindow,andthenslowlyemptythereceivebuffer.Asaresult,thevictim'ssendbufferremainsfulloveralongtimespan,thusblockingresources.Similarlowrateandslowreadtechniqueshavebeendescribedtoexploitwebserverweaknessesontheapplicationlayer[2],[14],[38]:sendingpartialHTTPrequestsorslowlyreadingresponsestorequestswillprolongtheHTTPsessionandextendsthetimeinwhichtheavailabilityofthewebserver'sconnectionpoolisreduced.AlthoughtheSniperAttacksharesthegeneralgoalofpreventingnewincomingconnectionswithlowrateandslowreadattacks,itisachievedasabyproductofthemoredirectgoalofexhaustingsystemmemoryresources.Inparticular,weconsumememoryfromtheapplicationlayerusingvalidoverlaynetworkprotocolmessageswithoutreadingfromthevictim.Therefore,ourattackmaybecharacterizedasanoreadattack.Anotherimportantdistinctionisthat,unliketheattacksdescribedabove,ourattackdoesnotrequireseveralsimultaneousconnectionstothetargetandcontinuedeffortinordertomaintaintheeffectoftheattack.Finally,ourattackdestroysexistingestablishedconnectionsinadditiontopreventingnewones.TheSniperAttackmayalsobecategorizedasapermanentDoSattack,asitexploitsapplicationlayeroverlaynetworkprotocolsemanticstoconsumesystemmemoryandcrashtheprocess.Itisdistinguishedfromsimilarattacks,suchasthePingofDeath[29],inthatitutilizesvalidmessagestoexploittheprotocoldesign.Fixingitisthereforenotsimplyamatterofcorrectingabrokenprotocolimplementation.OurattackisalsosimilartothosethatrelyonmisbehavingreceiversandoptimisticACKstobypassowcontrolprotocolmechanisms[9],[39],[41].Inparticular,theopt-ACKattack[41]issimilarlychallengedtoadjustafeedbacksignalrateinsuchawaythatitstillappearslegitimatetothecommunicationpartner.Ourattackdiffersinthatwetargetapplicationlayerprotocolsofoverlaynetworksinordertoexhausttheavailablememory,ratherthantargetingnetworklayerprotocolsforthepurposesofconsumingtheavailablebandwidth.Assuch,theSniperAttackisanoreadmemoryexhaustionattack.DoSattacksagainsttheToroverlaynetworkhavebeenstudiedbefore,buildinguponafundamentalobservationrstmadebySyversonetal.[42]:iftherstandthelastrelayalongaTorpatharecompromised,anadversarycanlinkthesourceanddestinationbycorrelatingtrafcpatterns.ØverlierandSyversonrstdemonstratedhowanadversarycouldlieabouttheavailablebandwidthofcompromisedrelaysinordertoinatetheprobabilityofbeingselectedforahiddenservicecircuit[34],andBaueretal.extendedtheattacktoincreasetheprobabilityofend-to-endcompromiseofgeneralpurposecircuits[11].Borisovetal.[13]describeaselectiveDoSattackonTorwheremaliciousrelaysterminatecircuitsofwhichtheyareapartbutdonotcontrolbothends.Thisforcesclientstore-buildcircuitsandsimilarlyincreasestheprobabilityofend-to-endcompromisebytheadversary.Danneretal.showhowselectiveDoSattackscanbeprovablydetectedbyexhaustivelyprobingpotentialpaths[15],whileDasandBorisovreducethecostofdetectionusingprobabilisticinference[16].Resourceconsumptionattacksthatmayalsobeusedtoin-creaseanadversary'sprobabilityofend-to-endcircuitcompro-miseincludethePacketSpinningattack[36]andtheCellFloodattack[31].InthePacketSpinningattack,theadversarycraftsspecialpacketsthatcausethemtocontinuously“spin”throughcircularcircuitscomposedofthetargetrelays.IntheCellFloodattack,theadversaryusesspecialhandshakepacketstoefcientlybuildalargenumberofcircuitsthroughthetargetrelays.Bothoftheseattackseffectivelymakerelaysappearbusybyforcingthemtospendresourcesdoingunnecessarywork.Honestclients'circuitsthroughtheserelayswillthenbemorelikelytotimeout,causingthemtochoosenewcircuitscontainingmaliciousrelayswithhigherprobability.TheSniperAttackalsocausesrelaystoperformunnecessarywork,butfocusesonconsumingmemoryresourceratherthanbandwidthorcomputationalresources.Ourhiddenservicedeanonymizationattackbuildsupontechniquesdevelopedinpreviouswork.Inparticular,ØverlierandSyversonrstidentiedthathiddenservicescouldbelocatedquicklyandeasily[34]becauserendezvouscircuitsarecreatedondemandusingnewrelaysforeachcircuit.Theadversarycouldthereforecontinuetomakenewconnectionstoahiddenserveruntiltrafccorrelationindicatedthatthehiddenserverbuiltacircuitthatdirectlyconnectedtooneoftheadversary'snodes.Theyfurtherdescribedhowahiddenserverusingguardnodeswouldstillbeinsecureagainstanadversaryusingtheattacktoidentifythehiddenserver's14 guardsandthenDoSthem:thisprocesscouldberepeateduntiloneoftheadversary'snodeswaschosenasanewguard.Theyoutlinedlayeredguards,orguardnodesfortheguardnodes,tohelpdefendagainstsuchanattack.Biryukovetal.showedhowtheadversarymaydetectitspositiononarendezvouscircuitbysimplycountingcellsinsteadofperformingtrafccorrelation[12].Finally,ØverlierandSyversonintroducedValetServicenodestoimprovetheresilienceofintroductionpointsagainstDoSattacks[35].VIII.CONCLUSIONSANDFUTUREWORKInthispaperwepresentedanovelanddestructiveDoSattackagainstTorthatmaybeusedtoanonymouslydisablearbitraryTorrelaysbyexploitingtheprotocol'sreliableend-to-enddatatransport.WeoutlinedseveralwaystocarryouttheSniperAttackandassesseditsresourceandtimeprolesinlargescalesimulations.Weperformedanin-depthsecurityanalysis,showinghowtheattackmaybeusedtodeanonymizehiddenservices.Wedevelopedadefensethatidentiesandkillsmaliciouscircuitsinout-of-memory(oom)situationsandshowedthatitrenderstheattackineffective.Finally,wesuggestedalternativeguardandpathselectionpoliciesthatenhanceTorusers'security.AlthoughtheSniperAttackistunedforTor,ourmecha-nismsmaygeneralizetosystemsthatdohop-by-hopreliabilityandend-to-endowcontrol.Weleaveittofutureworktoanalyzetheextenttowhichthisgeneralizationapplies.Further,althoughourdefensespreventmemoryexhaustion,theydonotstoptheSniperAttackfromconsumingalargeamountofTor'sbandwidthcapacityatlowcost.Futureworkshouldconsiderthisandotherbandwidthconsumptionattacks,aswellasdefensesagainstthem.ACKNOWLEDGMENTSWethanktheanonymousreviewersfortheirfeedbackandsuggestions,DamonMcCoyfordiscussionsaboutmisbehavingreceiversandauthenticatedsignals,andRogerDingledinefordiscussionsaboutattackanddefensevariations.AaronJohnsonwassupportedbytheOfceofNavalResearch(ONR)andDARPA.Anyopinions,ndingsandconclusionsorrecom-mendationsexpressedinthismaterialarethoseoftheauthor(s)anddonotnecessarilyreecttheviewsofDARPAorONR.WearealsogratefulfortheDFGgrantsupportingthiswork.REFERENCES[1]“OOMKiller,”http://linux-mm.org/OOM Killer.[2]“R-U-Dead-Yet(RUDY),”https://code.google.com/p/r-u-dead-yet/.[3]“ShadowSourceCode,”https://github.com/shadow/shadow.[4]“TC:ATorcontrolprotocol(Version1),”https://gitweb.torproject.org/torspec.git?a=blob plain;hb=HEAD;f=control-spec.txt,Acc.June2013.[5]“TheTorPathSimulator,”http://torps.github.io/.[6]“TheTorProject,”https://www.torproject.org/.[7]“Tordirectoryprotocol,version3,”https://gitweb.torproject.org/torspec.git?a=blob plain;hb=HEAD;f=dir-spec.txt,Acc.July2013.[8]“TorMetricsPortal,”https://metrics.torproject.org.[9]F.Adamsky,S.A.Khayam,R.Jager,andM.Rajarajan,“SecurityAnalysisoftheMicroTransportProtocolwithaMisbehavingReceiver,”inCyberC'12,Oct.2012.[10]M.AlSabah,K.Bauer,I.Goldberg,D.Grunwald,D.McCoy,S.Savage,andG.Voelker,“DefenestraTor:ThrowingoutWindowsinTor,”inPETS'11,Jul.2011.[11]K.Bauer,D.McCoy,D.Grunwald,T.Kohno,andD.Sicker,“Low-ResourceRoutingAttacksAgainstTor,”inWPES'07,Oct.2007.[12]A.Biryukov,I.Pustogarov,andR.-P.Weinmann,“TrawlingforTorHid-denServices:Detection,Measurement,Deanonymization,”inSP'13,May2013.[13]N.Borisov,G.Danezis,P.Mittal,andP.Tabriz,“DenialofServiceorDenialofSecurity?”inCCS'07,Oct.2007.[14]T.Brenann,“OWASPHTTPPostTool,”https://www.owasp.org/index.php/OWASP HTTP Post Tool.[15]N.Danner,S.Defabbia-Kane,D.Krizanc,andM.Liberatore,“Ef-fectivenessandDetectionofDenial-of-ServiceAttacksinTor,”ACMTISSEC,vol.15,no.3,Nov.2012.[16]A.DasandN.Borisov,“SecuringAnonymousCommunicationChan-nelsundertheSelectiveDoSAttack,”inFC'13.[17]R.Dingledine,“#6252didn'tgofarenough,”https://trac.torproject.org/projects/tor/ticket/9063,June2013.[18]——,“#9063enablesGuarddiscoveryinaboutanhourbywebsites,”https://trac.torproject.org/projects/tor/ticket/9072,June2013.[19]R.Dingledine,N.Mathewson,andP.Syverson,“Tor:TheSecond-GenerationOnionRouter,”inUSENIXSecurity'04,Aug.2004.[20]W.Eddy,“TCPSYNFloodingAttacksandCommonMitigations,”RFC4987,IETF,Aug.2007.[21]T.Elahi,K.Bauer,M.AlSabah,R.Dingledine,andI.Goldberg,“ChangingoftheGuards:AFrameworkforUnderstandingandIm-provingEntryGuardSelectioninTor,”inWPES'12,Oct.2012.[22]T.ElahiandI.Goldberg,“CORDON–ATaxonomyofInternetCen-sorshipResistanceStrategies,”UniversityofWaterlooCACR2012-33,Tech.Rep.,2012.[23]N.S.Evans,R.Dingledine,andC.Grothoff,“APracticalCongestionAttackonTorUsingLongPaths,”inUSENIXSecurity'09,Aug.2009.[24]J.Geddes,R.Jansen,andN.Hopper,“HowLowCanYouGo:BalancingPerformancewithAnonymityinTor,”inPETS'13,Jul.2013.[25]D.M.Goldschlag,M.G.Reed,andP.F.Syverson,“HidingRoutingInformation,”inIHW'01,May1996.[26]ithilgore,“ExploitingTCPandthePersistTimerInniteness,”PhrackMagazine,vol.0x0d,no.0x42,Jun.2009.[27]R.Jansen,K.Bauer,N.Hopper,andR.Dingledine,“MethodicallyModelingtheTorNetwork,”inCSET'12,Aug.2012.[28]R.JansenandN.Hopper,“Shadow:RunningTorinaBoxforAccurateandEfcientExperimentation,”inNDSS'12,Feb.2012.[29]M.Kenney,“PingofDeath,”http://insecure.org/sploits/ping-o-death.html.[30]A.KuzmanovicandE.W.Knightly,“Low-rateTCP-targetedDenialofServiceAttacksandCounterStrategies,”IEEE/ACMTON,vol.14,no.4,2006.[31]V.P.MarcoValerioBarbera,VasileiosP.KemerlisandA.Keromytis,“CellFlood:AttackingTorOnionRoutersontheCheap,”inES-ORICS'13,Sep.2013.[32]N.Mathewson,“Weshouldhavebetter,fairerOOMhandling,”https://trac.torproject.org/projects/tor/ticket/9093,June2013.[33]P.Mittal,A.Khurshid,J.Juen,M.Caesar,andN.Borisov,“StealthyTrafcAnalysisofLow-LatencyAnonymousCommunicationUsingThroughputFingerprinting,”inCCS'11,Oct.2011.[34]L.ØverlierandP.Syverson,“LocatingHiddenServers,”inSP'06,May2006.[35]——,“ValetServices:ImprovingHiddenServerswithaPersonalTouch,”inPETS'06,Jun.2006.[36]V.Pappas,E.Athanasopoulos,S.Ioannidis,andE.P.Markatos,“CompromisingAnonymityUsingPacketSpinning,”inISC08,Sep.2008.[37]V.Paxson,M.Allman,J.Chu,andM.Sargent,“ComputingTCP'sRetransmissionTimer,”RFC6298,IETF,Jun.2011.[38]RSnake,“SlowlorisHTTPDoS,”http://ha.ckers.org/slowloris/.[39]S.Savage,N.Cardwell,D.Wetherall,andT.Anderson,“TCPCon-gestionControlwithaMisbehavingReceiver,”ACMSIGCOMMCCR,vol.29,no.5,1999.[40]S.Shalunov,“Netkill–genericremoteDoSattack,”http://seclists.org/bugtraq/2000/Apr/152,2000.[41]R.Sherwood,B.Bhattacharjee,andR.Braud,“MisbehavingTCPReceiversCanCauseInternet-wideCongestionCollapse,”inCCS'05,Nov.2005.[42]P.Syverson,G.Tsudik,M.Reed,andC.Landwehr,“TowardsanAnalysisofOnionRoutingSecurity,”inDIAU'00,Jul.2000.[43]F.TschorschandB.Scheuermann,“Torisunfair–andwhattodoaboutit,”inLCN'11,Oct.2011.[44]P.WinterandS.Lindskog,“HowtheGreatFirewallofChinaisblockingTor,”inFOCI'12,Aug.2012.[45]C.-F.YuandV.D.Gligor,“AFormalSpecicationandVericationMethodforthePreventionofDenialofService,”inSP'88,May1988.15