Pierluigi Paganini August 22, 2019

Researchers explained that carrying out attacks against the most used default Tor bridges would cost threat actors $17,000 per month.

According to security researchers Rob Jansen from the U.S. Naval Research Laboratory, and Tavish Vaidya and Micah Sherr from Georgetown University, launching denial-of-service (DoS) attacks against most commonly used default Tor bridges would cost attackers $17,000 per month.

DoS attacks could be used for preventing users to access the popular anonymizing network or to carry out attacks to de-anonymize Tor users with techniques such as traffic correlation.

For a modest sum, threat actors could target Tor bridges saturating their resources and causing significant degradation of network performance.

In a research paper presented at the 2019 USENIX Security Symposium, the experts explained that targeting the entire Tor network with a DoS attack could be very expensive, it would cost millions of dollars each month, but targeted attacks against specific Tor bridges are economically feasible.

“First, we explore an attack against Tor’s most commonly used default bridges (for censorship circumvention) and estimate that flooding those that are operational would cost $17K/mo. and could reduce client throughput by 44% while more than doubling bridge maintenance costs. Second, we explore attacks against the TorFlow bandwidth measurement system and estimate that a constant attack against all TorFlow scanners would cost $2.8K/mo. and reduce the median client download rate by 80%.” reads the paper. “Third, we explore how an adversary could use Tor to congest itself and estimate that such a congestion attack against all Tor relays would cost $1.6K/mo. and increase the median client download time by 47%. Finally, we analyze the effects of Sybil DoS and deanonymization attacks that have costs comparable to those of our attacks.”

The experts estimate that the total link capacity across the Tor network ranged from 429 to 575 Gbit/s over the year; for their research, the experts used the average of 512.73 Gbit/s this means that the attacker would spend around $10,000 per hour to use a DoS stresser service to hit each Tor relay. Overall code per month is $7.2 million. 

An attack on Tor’s most commonly used default bridges and flooding them would only cost around $17,000 per month, in this way the attackers could reduce client throughput by 44% and more than double bridge maintenance costs. 

An attack aimed at all scanners in the Tor Flow bandwidth measurement system would cost $2,800 per month and reduce the median client download rate by 80%. 

The expert discovered that threat actors could use Tor to congest itself and such kind of attack would cost $1,600 per month, resulting in the median client download time increasing by 47%. 

In order to examine the performance of the network’s bridges the experts focused on 25 default bridges that use obfs4 obfuscation protocol2, because most of Tor bridge use default bridges and obfs4.

“To test their performance, we use a modified version of Tor to download a 6 MiB file through each bridge. Surprisingly, we find that only 48% (12/25) of the obfs4 default bridges included in Tor Browser Bundle (TBB) are operational.” continues the experts. “The Tor Browser Bundle (TBB) includes a set of 38 hard-coded default bridges (as of version 8.0.3). Users who cannot directly access Tor relays can configure TBB to connect via one of these default bridges “

To compare against the performance of unlisted bridges, the experts requested 135 unlisted obfs4 bridges from the Tor Project’s bridge authority via its web and email interfaces. 95 of the acquired unlisted bridges were found to be functional.

The researchers estimate that the costs to launch a DoS attack against the 38 default bridges could be of around $31,000 per month. Considering that nation-state actors could be interested in targeting these default Tor bridges, this budget could be a good investment for them.

Experts explained that considering that 90% of bridge traffic passes through default bridges, forcing it to unlisted bridges could have a significant impact on network performance.

The study also compared the presented attack scenarios with launching a Sybil DoS attack, where the adversary could run Sybil relays and then arbitrarily degrade traffic performance or deny service by dropping circuits, or de-anonymize users by observing both the entry and exit points in a vulnerable circuit, and concludes that attacks on Tor bridges are more flexible and less expensive. 

“On the positive side, we find that Tor’s growth has made it more resilient at least to simple attacks: disrupting the service by na¨ıvely flooding Tor relays using stresser services is an expensive proposition and requires $7.2M/month. Unfortunately, however, several aspects of Tor’s design and rollout make it susceptible to more advanced attacks.” the researchers conclude. “We find that Tor’s bridge infrastructure is heavily dependent on a small set of fixed default bridges, the operational of which can be disrupted at a cost of $17K/month”  

Further technical details on the attack techniques are reported in the interesting analysis published by the experts.

Pierluigi Paganini

(SecurityAffairs – Tor bridges, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]