DoS attacks to degrade Tor network performance

A team of researchers from Georgetown University and the US Naval Research Laboratory analyzed the resilience of the anonymous Tor network to denial of service (DoS) attacks. Research on compromising the Tor network has mainly focused on censoring (blocking access to Tor), identifying Tor requests in transit traffic, and correlating traffic flows before the entry node and after the exit node to deanonymize users. The present study shows that DoS attacks on Tor have been overlooked and that, at a cost of several thousand dollars a month, it is possible to create conditions that disrupt Tor and could force users to stop using it because of poor performance.

The researchers proposed three scenarios for conducting DoS attacks: creating congestion between bridge nodes, unbalancing the load, and creating congestion between relays, which require the attacker to have a bandwidth of 30, 5 and 3 Gbit/s, respectively. In monetary terms, a month-long attack would cost 17, 2.8 and 1.6 thousand dollars, respectively. In comparison, a brute-force DDoS attack to disrupt Tor would require 512.73 Gbps of bandwidth and cost $7.2 million per month.

The first method, at a cost of $17 per month, will reduce client download speeds by 44% by flooding a limited set of bridge nodes at an intensity of 30 Gbit/s. During the tests, only 12 of the 38 obfs4 bridge nodes remained operational (bridge nodes are not included in the public directory server lists and are used to bypass blocking of guard nodes), which allows the remaining bridge nodes to be flooded selectively. Tor developers can double their maintenance costs and restore the missing nodes, but an attacker would only need to increase their costs to $31 per month to attack all 38 bridge nodes.

The second method, which requires 5 Gbit/s, is based on disrupting the centralized TorFlow bandwidth measurement system and can reduce the average client download speed by 80%. TorFlow is used for load balancing, so an attack on it can distort the distribution of traffic and route it through a limited number of servers, overloading them.

The third method, for which 3 Gbit/s is enough, is based on using a modified Tor client to create a parasitic load, which can reduce the speed of client downloads by 47% at a cost of 1.6 thousand dollars per month. By raising the cost of the attack to 6.3 thousand dollars, client download speeds can be reduced by 120%. Instead of building a regular chain of three nodes (entry, middle and exit nodes), the modified client builds a chain of 8 nodes, the maximum number of hops the protocol allows. It then requests the download of large files and suspends read operations after sending the requests, but continues to send SENDME control commands that instruct the entry nodes to keep sending data.
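The flow-control gap behind the third method can be seen in a small model. The Python sketch below is an added example, not code from the study or from Tor: it assumes Tor's circuit-level window of 1000 cells with 100-cell SENDME increments (a "circuit" is the chain of nodes described above), and the rates, tick model and the `violates_window_bound` check are hypothetical.

```python
"""Toy model of circuit-level SENDME flow control (constructed example)."""

CIRC_WINDOW_START = 1000      # data cells allowed in flight per circuit
CIRC_WINDOW_INCREMENT = 100   # cells credited to the sender by one SENDME


def simulate(ticks, client_reads, rate=50, drain=50):
    """Return the peak number of cells queued at the entry node.

    Each tick the sending end emits up to `rate` cells if its window allows.
    client_reads=True : the client drains up to `drain` cells per tick and
                        acknowledges only what it actually received.
    client_reads=False: the client leaves the queue untouched but still
                        sends a SENDME whenever the window has room for one.
    """
    window = CIRC_WINDOW_START
    queued = 0     # cells waiting at the entry node for the client
    unacked = 0    # cells delivered to the client, not yet acknowledged
    peak = 0
    for _ in range(ticks):
        sent = min(rate, window)
        window -= sent
        queued += sent
        peak = max(peak, queued)
        if client_reads:
            delivered = min(drain, queued)
            queued -= delivered
            unacked += delivered
            while unacked >= CIRC_WINDOW_INCREMENT:
                unacked -= CIRC_WINDOW_INCREMENT
                window += CIRC_WINDOW_INCREMENT
        else:
            # SENDMEs arrive although nothing was delivered; the window
            # itself never exceeds its start value, so it looks valid.
            while window <= CIRC_WINDOW_START - CIRC_WINDOW_INCREMENT:
                window += CIRC_WINDOW_INCREMENT
    return peak


def violates_window_bound(queued_cells):
    """Honest accounting keeps window + queued + unacked == 1000, so a
    per-circuit queue above one full window means SENDMEs were sent for
    data the client never read."""
    return queued_cells > CIRC_WINDOW_START


if __name__ == "__main__":
    print("reading client peak queue:", simulate(200, True, drain=20))
    print("stalled client peak queue:", simulate(200, False))
```

Even a slow but honest reader stays within one window of queued cells, so the per-circuit queue length is the signal a relay operator can bound or alert on.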

It is noted that initiating a denial of service is much more effective than organizing a DoS attack using the Sybil method at similar costs. The Sybil method involves placing a large number of the attacker's own relays on the Tor network, which can then drop chains or throttle bandwidth. With an attack budget of 30, 5, and 3 Gbit/s, the Sybil method achieves performance degradations of 32%, 7.2%, and 4.5% of exit nodes, respectively, whereas the DoS attacks proposed in the study cover all nodes.

If we compare the costs with other types of attacks, an attack to deanonymize users with a budget of 30 Gbit/s would make it possible to control 21% of entry and 5.3% of exit nodes and to cover all nodes in the chain in 1.1% of cases. For budgets of 5 and 3 Gbit/s, the efficiency will be 0.06% (4.5% entry, 1.2% exit nodes) and 0.02% (2.8% entry, 0.8% exit nodes).

Source: opennet.ru
