An Overview of Sniper Attacks Against the Tor Network & Current Defenses
Wide-scale internet censorship by governments has catalyzed the creation of newer techniques that enhance the privacy of internet users and resist censorship. Tor is the most widely used system for counteracting censorship and protecting the privacy of internet users. Tor currently serves hundreds of thousands of users all over the world, and its relays collectively carry roughly 3 GiB/s of traffic. Tor uses onion routing to send a user's traffic through a chain of volunteer-run relays, so that no single relay can link the user to their final internet destination. Consequently, attacks against Tor matter a great deal to users who depend on it for the privacy of their online activities.
What is the Sniper Attack?
The sniper attack is a relatively new and devastating denial-of-service (DoS) attack against Tor that lets an attacker anonymously and selectively knock out arbitrary Tor relays with minimal resources. A successful sniper attack can disable Tor, rather than merely block access to it, either by taking down all relays or by selectively targeting pivotal subsets of relays, such as the relays that carry the most throughput or the directory authorities. The attack can be launched from any machine with moderate processing power and memory. Beyond threatening the availability of the network, the sniper attack can also be used to deanonymize hidden services: by selectively disabling the relays a hidden service is using, the attacker forces it to build new paths, and can repeat this until the service's paths run through relays the adversary controls.
The sniper attack abuses Tor's end-to-end flow control so that a target relay is forced to buffer an arbitrary amount of data in its application-level circuit queues, while the adversary remains anonymous throughout. Technically, the attacker builds an ordinary Tor circuit with the target relay as its entry, instructs the exit to download a large file through the circuit, and then keeps sending SENDME cells to the exit without ever reading data from the target (the entry). Because the exit treats each SENDME as permission to send more, it keeps sending, and the Tor process on the target relay keeps queuing cells it cannot deliver. Eventually the host's memory is exhausted and the operating system's memory manager terminates the process (e.g. the Linux OOM killer).
A research study used Shadow, a discrete-event simulator for running Tor experiments on a private test network, to demonstrate the destructive impact of the sniper attack. It found that an attacker can consume the target relay's memory at 2187 KiB/s while spending only about 39 KiB/s of downstream and 92 KiB/s of upstream bandwidth.
Countermeasures Against Sniper Attacks
There are currently three types of defenses against sniper attacks: authenticated SENDMEs, queue length limits and adaptive circuit killing.
Authenticated SENDMEs address the root cause the sniper attack exploits: the packaging edge (the exit, for a download) cannot verify that the delivery edge (the client) has actually received the cells a SENDME claims to acknowledge. If a SENDME must carry proof of receipt, such as a digest of a cell the client could only know by reading it, an attacker who never reads cannot widen the exit's window, and the queue at the target stays bounded by the circuit window.
Queue length limits mitigate a second problem: Tor's application-level queues can grow without any check by the relay. A simple defense is therefore for each relay to cap the per-circuit queue size, bounding the memory any one circuit can consume.
Adaptive circuit killing is a more sophisticated defense with stronger security properties. A clever adversary who gets around both of the previous defenses can still open a large number of parallel circuits and exhaust the relay's memory across them. To avoid this, a relay kills circuits as needed to keep its overall queued memory below a configured threshold, so that the relay process is never terminated by an out-of-memory condition.
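The following is an added, constructed model (not Tor's code, and not code from the paper) of the mechanism described above and of two of the three defenses: it implements Tor's per-circuit flow-control rules (512-byte cells, a 1000-cell window, one SENDME per 100 cells), a sniper client that sends SENDMEs without reading, an exit that either accepts any SENDME (legacy) or demands an authenticated one, and a relay OOM handler that kills circuits to stay under a memory threshold. Assumptions: time is in abstract ticks with a fixed exit burst per tick; the "proof" in an authenticated SENDME is a SHA-256 of the block's last cell (a stand-in for the real digest); and the kill heuristic, oldest waiting cell first, is one reasonable choice rather than a description of any particular Tor release.

```python
import hashlib
from collections import deque
from dataclasses import dataclass, field

CELL_BYTES = 512      # size of a Tor relay cell
CIRC_WINDOW = 1000    # initial per-circuit package/deliver window, in cells
SENDME_INC = 100      # cells acknowledged by one SENDME

def make_cell(cid, seq):
    """Constructed stand-in for a RELAY_DATA cell: tiny header, zero payload."""
    return cid.to_bytes(2, "big") + seq.to_bytes(4, "big") + b"\0" * (CELL_BYTES - 6)

@dataclass
class Circuit:
    cid: int
    honest: bool                         # False: the client is the sniper
    package_window: int = CIRC_WINDOW    # exit side: cells it may still send
    sent: int = 0                        # exit side: data cells sent so far
    expected: deque = field(default_factory=deque)  # exit: digests a valid SENDME must carry
    queue: deque = field(default_factory=deque)     # target relay: (tick, cell) not yet read
    read: int = 0                        # client side: cells actually read
    proofs: deque = field(default_factory=deque)    # client side: digests it may put in SENDMEs
    killed: bool = False

def exit_send(circ, tick, burst):
    """Exit pushes up to `burst` cells while its window allows; they park in the target's queue."""
    n = 0
    while n < burst and circ.package_window > 0 and not circ.killed:
        cell = make_cell(circ.cid, circ.sent)
        circ.queue.append((tick, cell))
        circ.sent += 1
        circ.package_window -= 1
        if circ.sent % SENDME_INC == 0:        # last cell of a SENDME block
            circ.expected.append(hashlib.sha256(cell).digest())
        n += 1
    return n

def client_read(circ, n):
    """Honest client drains up to n cells; the sniper never reads, so its queue only grows."""
    k = 0
    while circ.honest and k < n and circ.queue:
        _, cell = circ.queue.popleft()
        circ.read += 1
        if circ.read % SENDME_INC == 0:
            circ.proofs.append(hashlib.sha256(cell).digest())
        k += 1
    return k

def client_sendmes(circ):
    """Honest: one SENDME per block read, with that block's last-cell digest; sniper: two bogus ones per tick."""
    if circ.honest:
        proofs = list(circ.proofs)
        circ.proofs.clear()
        return proofs
    return [b"\0" * 32] * 2   # sniper read nothing, so it cannot know a real digest

def exit_recv_sendme(circ, proof, authenticated):
    """Legacy: any SENDME widens the window (the sniper's lever); authenticated: only one proving receipt does."""
    if authenticated:
        if not circ.expected or proof != circ.expected[0]:
            return False
        circ.expected.popleft()
    circ.package_window += SENDME_INC
    return True

def queued_bytes(circuits):
    return sum(len(c.queue) * CELL_BYTES for c in circuits)

def relay_oom_handler(circuits, max_mem):
    """Adaptive circuit killing: while over the threshold, kill the circuit whose front cell waited longest (assumed heuristic)."""
    killed = []
    while queued_bytes(circuits) > max_mem:
        victim = min((c for c in circuits if c.queue), key=lambda c: c.queue[0][0])
        victim.queue.clear()
        victim.killed = True
        killed.append(victim.cid)
    return killed

def simulate(ticks, n_honest, n_snipers, authenticated=False, max_mem=None, burst=200, read_rate=200):
    """Peak and final bytes queued at the target relay, plus the circuits its OOM handler killed."""
    circuits = [Circuit(i, honest=i < n_honest) for i in range(n_honest + n_snipers)]
    peak, killed = 0, []
    for tick in range(ticks):
        for c in circuits:
            exit_send(c, tick, burst)
        peak = max(peak, queued_bytes(circuits))
        for c in circuits:
            client_read(c, read_rate)
            for proof in client_sendmes(c):
                exit_recv_sendme(c, proof, authenticated)
        if max_mem is not None:
            killed += relay_oom_handler(circuits, max_mem)
    return {"peak_queued_bytes": peak, "final_queued_bytes": queued_bytes(circuits), "killed": killed}

if __name__ == "__main__":
    for args in [(50, 1, 0), (50, 0, 1), (50, 0, 1, True), (50, 3, 1, False, 1 << 20)]:
        print(args, simulate(*args))
```

With legacy SENDMEs the sniper's queue at the target grows by the full exit burst every tick and never stops, whereas an honest client that stalls completely is capped at one window, 1000 cells or 500 KiB. The asymmetry that makes the attack cheap is visible in the constants: each 512-byte SENDME the attacker sends upstream buys another 100 cells, 50 KiB, of queued memory at the target. With authenticated SENDMEs the sniper's bogus acknowledgements are rejected and its circuit hits the same 500 KiB cap as the stalled honest client; with the OOM handler and a 1 MiB threshold, the sniper circuit is the one killed while the honest circuits, which are drained every tick, survive.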
A more recently published paper proposed a new defense approach against the bandwidth- and memory-exhaustion forms of the sniper attack, as well as against deanonymization attacks targeting the Tor network. It counters the efficient attack variants, i.e. bandwidth and memory consumption attacks, with improved forms of adaptive circuit killing, and it strengthens defenses against deanonymization by taking into account the anonymity metrics used when selecting guard nodes.