Kitsune: Multi-tail Inflation Attack in Tor
Speaker
Alexandra Dmitrienko
University of Wuerzburg
Host
Srini Devadas
CSAIL
Abstract:
Tor, the anonymous communitarian network, relies on more than 7000 volunteer-run servers, also known as relays, to route traffic through a circuit of routers for approximately two million daily users. Anonymity is provided by including three relay nodes in between the source and the destination of the traffic, forming a communication circuit, and allowing the forwarding relays only to know their immediate neighbors in the circuit. Since many Tor relays are operated by honest parties and the assignment of relays for a circuit is proportional to the provided (and empirically measured) bandwidth, it is challenging even for a powerful (e.g., state-level) adversary to compromise the entire circuit. Hence, attackers exercise more sophisticated attack strategies, such as website fingerprinting, routing, end-to-end correlation, congestion, and side channels, to name some. Many of these attacks represent realistic threats for Tor users: Some attacks are reported to have been launched by state sponsors against Tor users. What all these attacks have in common is that the attacker needs to attract as much users' traffic as possible to their servers while using as few resources as possible, a strategy which is known as a bandwidth inflation attack.
In our work, we analyze the resilience of Tor network against bandwidth inflation attacks and design Kitsune, a new attack strategy (and the two distinct attack flavors), which enables malicious relays to report much higher bandwidth than they actually provide. Remarkably, this strategy can be combined with previously known inflation attacks, thus increasing their overall effectiveness to previously unseen levels. We evaluate our attack strategy using simulations and data collected from the Tor network, as well as using real relays in Tor. We also evaluate the resilience of alternative bandwidth measurement methods to establish their (in)effectiveness against Kitsune. Overall, our research calls for new bandwidth measurement methods that are more robust against bandwidth inflation attacks including Kitsune.
Tor, the anonymous communitarian network, relies on more than 7000 volunteer-run servers, also known as relays, to route traffic through a circuit of routers for approximately two million daily users. Anonymity is provided by including three relay nodes in between the source and the destination of the traffic, forming a communication circuit, and allowing the forwarding relays only to know their immediate neighbors in the circuit. Since many Tor relays are operated by honest parties and the assignment of relays for a circuit is proportional to the provided (and empirically measured) bandwidth, it is challenging even for a powerful (e.g., state-level) adversary to compromise the entire circuit. Hence, attackers exercise more sophisticated attack strategies, such as website fingerprinting, routing, end-to-end correlation, congestion, and side channels, to name some. Many of these attacks represent realistic threats for Tor users: Some attacks are reported to have been launched by state sponsors against Tor users. What all these attacks have in common is that the attacker needs to attract as much users' traffic as possible to their servers while using as few resources as possible, a strategy which is known as a bandwidth inflation attack.
In our work, we analyze the resilience of Tor network against bandwidth inflation attacks and design Kitsune, a new attack strategy (and the two distinct attack flavors), which enables malicious relays to report much higher bandwidth than they actually provide. Remarkably, this strategy can be combined with previously known inflation attacks, thus increasing their overall effectiveness to previously unseen levels. We evaluate our attack strategy using simulations and data collected from the Tor network, as well as using real relays in Tor. We also evaluate the resilience of alternative bandwidth measurement methods to establish their (in)effectiveness against Kitsune. Overall, our research calls for new bandwidth measurement methods that are more robust against bandwidth inflation attacks including Kitsune.