Attacking Tor: What it Takes to Disrupt the Popular Onion Routing Network

Launching denial-of-service (DoS) attacks against Tor’s most commonly used default bridges and flooding them would cost attackers around $17,000 per month, researchers have discovered. 

Tor has long become a target for disruption and censorship, as attackers aim to prevent users from reaching information, to identify Tor users’ communication content, or deanonymize users.

According to security researchers Rob Jansen from the U.S. Naval Research Laboratory, and Tavish Vaidya and Micah Sherr from Georgetown University, however, DoS attacks on Tor can be used to significantly degrade network performance and are actually not that expensive to perform. 

While launching DoS attacks against the entire Tor network would cost millions of dollars each month, assaults that intelligently utilize bandwidth to impact network performance and reliability are rather feasible, the researchers explain in a paper (PDF) presented at the 2019 USENIX Security Symposium. 

Although Tor relays do not publish their link capacities, the researchers estimate the total link capacity across the Tor network to range from 429 to 575 Gbit/s (Gigabits per second) over the year. 

For their study, the researchers used the average of 512.73 Gbit/s and estimated that an attacker would need one DoS stresser service to target each Tor relay, which would incur costs of around $10,000 per hour, or $7.2 million per month. 

An attack on Tor’s most commonly used default bridges and flooding those that are operational, on the other hand, would only cost around $17,000 per month. Such an attack, the researchers say, could reduce client throughput by 44% and more than double bridge maintenance costs. 

Attacks targeting all scanners in the Tor Flow bandwidth measurement system, on the other hand, would cost $2,800 per month and reduce the median client download rate by 80%. 

Lastly, the researchers estimate that an adversary could use Tor to congest itself and that targeting all Tor relays in such an attack would cost $1,600 per month, resulting in the median client download time increasing by 47%. 

As of version 8.0.3, Tor has 38 hard-coded default bridges, but the researchers focused on the 25 default bridges that use the obfs4 obfuscation protocol. They also requested 135 unlisted obfs4 bridges from the TorProject’s bridge authority, 95 of which were functional. 

The researchers estimate that the costs associated with employing stresser services to attack the full set of 38 default bridges could be of around $31,000 per month, which is “well within the budget of a nation-state adversary.” 

With 90% of bridge traffic traversing default bridges, any switch to unlisted bridges could significantly impact network performance, the researchers say. With a quarter of previously default bridge users switching to unlisted bridges, performance would drop by more than half, the researchers suggest. 

The study also compared the presented attack scenarios with launching a Sybil DoS attack, where the adversary could run Sybil relays and then arbitrarily degrade traffic performance or deny service by dropping circuits, or de-anonymize users by observing both the entry and exit points in a vulnerable circuit, and concludes that attacks on Tor bridges are more flexible and less expensive. 

“We find that Tor’s bridge infrastructure is heavily dependent on a small set of fixed default bridges, the operational of which can be disrupted at a cost of $17K/month. Additionally, Tor’s mechanism for measuring load is too centralized and brittle, […] attackers can saturate Tor’s capacity by constructing long paths in the network, and exploit protocol vulnerabilities to decrease the costs of such attacks,” the researchers conclude. 

Related: Internet Society Publishes Privacy Code of Conduct

Related: Cloudflare Launches Security Service for Tor Users