Tor: Passive, Active and Directory Attacks on the Onion Network

Passive attacks

Observing user traffic patterns. Observing a user’s connection will not reveal her destination or data, but it will reveal traffic patterns (both sent and received). Profiling via user connection patterns requires further processing, because multiple application streams may be operating simultaneously or in series over a single circuit.

Observing user content. While content at the user end is encrypted, connections to responders may not be (indeed, the responding website itself may be hostile). While filtering content is not a primary goal of Onion Routing, Tor can directly use Privoxy and related filtering services to anonymize application data streams.

Option distinguishability. We allow clients to choose configuration options. For example, clients concerned about request linkability should rotate circuits more often than those concerned about traceability. Allowing choice may attract users with different needs; but clients who are in the minority may lose more anonymity by appearing distinct than they gain by optimizing their behavior [1].

End-to-end timing correlation. Tor only minimally hides such correlations. An attacker watching patterns of traffic at the initiator and the responder will be able to confirm the correspondence with high probability. The greatest protection currently available against such confirmation is to hide the connection between the onion proxy and the first Tor node, by running the OP on the Tor node or behind a firewall. This approach requires an observer to separate traffic originating at the onion router from traffic passing through it: a global observer can do this, but it might be beyond a limited observer’s capabilities.

End-to-end size correlation. Simple packet counting will also be effective in confirming endpoints of a stream. However, even without padding, we may have some limited protection: the leaky pipe topology means different numbers of packets may enter one end of a circuit than exit at the other.

Website fingerprinting. All the effective passive attacks above are traffic confirmation attacks, which puts them outside our design goals. There is also a passive traffic analysis attack that is potentially effective. Rather than searching exit connections for timing and volume correlations, the adversary may build up a database of “fingerprints” containing file sizes and access patterns for targeted websites. He can later confirm a user’s connection to a given site simply by consulting the database. This attack has been shown to be effective against SafeWeb [29]. It may be less effective against Tor, since streams are multiplexed within the same circuit, and fingerprinting will be limited to the granularity of cells (currently 512 bytes). Additional defenses could include larger cell sizes, padding schemes to group websites into large sets, and link padding or long-range dummies.

Active attacks

Compromise keys. An attacker who learns the TLS session key can see control cells and encrypted relay cells on every circuit on that connection; learning a circuit session key lets him unwrap one layer of the encryption. An attacker who learns an OR’s TLS private key can impersonate that OR for the TLS key’s lifetime, but he must also learn the onion key to decrypt create cells (and because of perfect forward secrecy, he cannot hijack already established circuits without also compromising their session keys). Periodic key rotation limits the window of opportunity for these attacks. On the other hand, an attacker who learns a node’s identity key can replace that node indefinitely by sending new forged descriptors to the directory servers.

Iterated compromise. A roving adversary who can compromise ORs (by system intrusion, legal coercion, or extralegal coercion) could march down the circuit compromising the nodes until he reaches the end. Unless the adversary can complete this attack within the lifetime of the circuit, however, the ORs will have discarded the necessary information before the attack can be completed. (Thanks to the perfect forward secrecy of session keys, the attacker cannot force nodes to decrypt recorded traffic once the circuits have been closed.) Additionally, building circuits that cross jurisdictions can make legal coercion harder—this phenomenon is commonly called “jurisdictional arbitrage.” The Java Anon Proxy project recently experienced the need for this approach, when a German court forced them to add a backdoor to their nodes [51].

Run a recipient. An adversary running a webserver trivially learns the timing patterns of users connecting to it, and can introduce arbitrary patterns in its responses. End-to-end attacks become easier: if the adversary can induce users to connect to his webserver (perhaps by advertising content targeted to those users), he now holds one end of their connection. There is also a danger that application protocols and associated programs can be induced to reveal information about the initiator. Tor depends on Privoxy and similar protocol cleaners to solve this latter problem.

Run an onion proxy. It is expected that end users will nearly always run their own local onion proxy. However, in some settings, it may be necessary for the proxy to run remotely—typically, in institutions that want to monitor the activity of those connecting to the proxy. Compromising an onion proxy compromises all future connections through it.

DoS non-observed nodes. An observer who can only watch some of the Tor network can increase the value of this traffic by attacking non-observed nodes to shut them down, reduce their reliability, or persuade users that they are not trustworthy. The best defense here is robustness.

Run a hostile OR. In addition to being a local observer, an isolated hostile node can create circuits through itself, or alter traffic patterns to affect traffic at other nodes. Nonetheless, a hostile node must be immediately adjacent to both endpoints to compromise the anonymity of a circuit. If an adversary can run multiple ORs, and can persuade the directory servers that those ORs are trustworthy and independent, then occasionally some user will choose one of those ORs for the start and another as the end of a circuit. If an adversary controls m > 1 of N nodes, he can correlate at most (m/N)^2 of the traffic—although an adversary could still attract a disproportionately large amount of traffic by running an OR with a permissive exit policy, or by degrading the reliability of other routers.

Introduce timing into messages. This is simply a stronger version of passive timing attacks already discussed earlier.

Tagging attacks. A hostile node could “tag” a cell by altering it. If the stream were, for example, an unencrypted request to a Web site, the garbled content coming out at the appropriate time would confirm the association. However, integrity checks on cells prevent this attack.

Replace contents of unauthenticated protocols. When relaying an unauthenticated protocol like HTTP, a hostile exit node can impersonate the target server. Clients should prefer protocols with end-to-end authentication.

Replay attacks. Some anonymity protocols are vulnerable to replay attacks. Tor is not; replaying one side of a handshake will result in a different negotiated session key, and so the rest of the recorded session can’t be used.

Smear attacks. An attacker could use the Tor network for socially disapproved acts, to bring the network into disrepute and get its operators to shut it down. Exit policies reduce the possibilities for abuse, but ultimately the network requires volunteers who can tolerate some political heat.

Distribute hostile code. An attacker could trick users into running subverted Tor software that did not, in fact, anonymize their connections—or worse, could trick ORs into running weakened software that provided users with less anonymity. We address this problem (but do not solve it completely) by signing all Tor releases with an official public key, and including an entry in the directory that lists which versions are currently believed to be secure. To prevent an attacker from subverting the official release itself (through threats, bribery, or insider attacks), we provide all releases in source code form, encourage source audits, and frequently warn our users never to trust any software (even from us) that comes without source.

Directory attacks

Destroy directory servers. If a few directory servers disappear, the others still decide on a valid directory. So long as any directory servers remain in operation, they will still broadcast their views of the network and generate a consensus directory. (If more than half are destroyed, this directory will not, however, have enough signatures for clients to use it automatically; human intervention will be necessary for clients to decide whether to trust the resulting directory.)

Subvert a directory server. By taking over a directory server, an attacker can partially influence the final directory. Since ORs are included or excluded by majority vote, the corrupt directory can at worst cast a tie-breaking vote to decide whether to include marginal ORs. It remains to be seen how often such marginal cases occur in practice.

Subvert a majority of directory servers. An adversary who controls more than half the directory servers can include as many compromised ORs in the final directory as he wishes. We must ensure that directory server operators are independent and attack-resistant.

Encourage directory server dissent. The directory agreement protocol assumes that directory server operators agree on the set of directory servers. An adversary who can persuade some of the directory server operators to distrust one another could split the quorum into mutually hostile camps, thus partitioning users based on which directory they use. Tor does not address this attack.

Trick the directory servers into listing a hostile OR. Our threat model explicitly assumes directory server operators will be able to filter out most hostile ORs.

Convince the directories that a malfunctioning OR is working. In the current Tor implementation, directory servers assume that an OR is running correctly if they can start a TLS connection to it. A hostile OR could easily subvert this test by accepting TLS connections from ORs but ignoring all cells. Directory servers must actively test ORs by building circuits and streams as appropriate. The tradeoffs of a similar approach are discussed in

Attacks against rendezvous points

Make many introduction requests. An attacker could try to deny Bob service by flooding his introduction points with requests. Because the introduction points can block requests that lack authorization tokens, however, Bob can restrict the volume of requests he receives, or require a certain amount of computation for every request he receives.

Attack an introduction point. An attacker could disrupt a location-hidden service by disabling its introduction points. But because a service’s identity is attached to its public key, the service can simply re-advertise itself at a different introduction point. Advertisements can also be done secretly so that only high-priority clients know the address of Bob’s introduction points or so that different clients know of different introduction points. This forces the attacker to disable all possible introduction points.

Compromise an introduction point. An attacker who controls Bob’s introduction point can flood Bob with introduction requests, or prevent valid introduction requests from reaching him. Bob can notice a flood, and close the circuit. To notice blocking of valid requests, however, he should periodically test the introduction point by sending rendezvous requests and making sure he receives them.

Compromise a rendezvous point. A rendezvous point is no more sensitive than any other OR on a circuit, since all data passing through the rendezvous is encrypted with a session key shared by Alice and Bob.


History of DoS: Denial of Service Attacks

History of DDoS: Distributed Denial of Service

Information provided by Richard Stiennon, Chief Research Analyst, IT-Harvest; author of Surviving Cyber War (on Amazon) and Cyber Defense: Countering Targeted Attacks.


Victoria’s Secret’s self-inflicted DDoS

It was also a demonstration of an inherent weakness of the Internet architectures employed to serve up data. So many people attempted to watch the Victoria’s Secret models strut down the runway that the server failed and crashed.

The Victoria’s Secret case could be considered friendly fire.

Defining moments in the development of DDoS as a weapon

Barrett Lyon

Worked at an IT company that had a client who needed up-to-date sports information.

The client was in the business of gathering and disseminating sports information. They provided the up-to-the-minute data used by Las Vegas casinos in their bookmaking operations, where gamblers place bets on game scores and even on the detailed performance of individual athletes. Having reliable Internet access was critical to them. Agents in the field would report every detail of even amateur sports events. Every pitch, every play would be reported by an army of sports data specialists. These results would be displayed on the big board within the casino, where gamblers could bet on any aspect of the game.

Gather and disseminate

Online gambling

First threat: encryption ransom

They received a threatening email, written convincingly in broken English, informing them that hackers had infiltrated their system and encrypted their database of sports information, and demanding that they pay thousands to obtain the key to decrypt the data.

They had been backing up their data and had no problem at all simply restoring the critical information.

Lyon redesigned the architecture to resist the second threat, a DDoS, which duly came.

Barrett helped his client quickly bolster their defensive posture. The key was to have robust web servers, gateway devices that could filter attacks, and lots and lots of available bandwidth. Within days the hacker did indeed attempt a DoS attack and, thanks to Barrett’s new architecture, the attack was thwarted.

His reputation grew.

He began to get requests from a very specific niche industry: online gaming sites.

In 2003 there was some question about the legality of gambling online.

There were dozens of companies providing such services, most of them hosted offshore in the Caribbean or in Costa Rica.

One small operation, consisting of tele-operators and a closet of servers in an office in Costa Rica, claimed to do $2 billion in annual revenue.

Being down for even a day meant lost revenue.

BGP routing protocol

Naked under the belly of the Internet

On 2/24/2008 an engineer at an ISP in Pakistan removed YouTube from the Internet. He did this in response to a government decree. His intention was to follow the letter of the law and block access to YouTube.

He chose to do this by playing with the routing protocol.

Packets on the Internet flow through routers. These routers maintain a list of routes based on blocks of IP addresses. When a packet is received, the router reads its intended destination, looks it up in a big table and forwards it to the next router. Where does that router get that big lookup table? From other routers, of course. The protocol used to transmit those route tables is the Border Gateway Protocol (BGP).

Each network uses BGP to announce which IP addresses it controls to the rest of the routers on the Internet.

The engineer at PIENet loaded a new route into his router that said the small address block containing the IP address of YouTube.com was controlled by him.

The result was almost instantaneous. His upstream provider in Hong Kong picked up the new route and broadcast it to the world. Most routers treated that route as authoritative because it was more granular (more specific) than the one announced by Google. Every attempt to watch a YouTube video, from anywhere in the world, was routed to the small ISP in Pakistan.

Those requests were so numerous that they flooded the link to Pakistan to such an extent that Pakistan was effectively knocked off the Internet as well.
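As an added illustration (not part of Stiennon’s text or of any real router software), the Python below models the two halves of the incident described above: plain longest-prefix match prefers the more specific announcement, so traffic for the hijacked block follows the bogus route, while an origin-authorization check of the kind RPKI route origin validation provides rejects the announcement before it is installed. The prefixes, AS numbers and next-hop labels are constructed.

```python
"""Longest-prefix match vs. a more-specific hijack (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int      # AS that originated the announcement
    next_hop: str       # label for where traffic following this route ends up


@dataclass(frozen=True)
class Authorization:
    """ROA-style record: origin_as may announce prefix, at most max_length long."""
    prefix: ipaddress.IPv4Network
    origin_as: int
    max_length: int


def net(text):
    return ipaddress.IPv4Network(text)


# Constructed scenario: AS64512 legitimately announces a /22 for a video service;
# AS64513 (the misconfigured ISP) announces a /24 carved out of it.
LEGIT = Route(net("100.64.0.0/22"), 64512, "video-datacenter")
HIJACK = Route(net("100.64.1.0/24"), 64513, "small-isp-link")
ROAS = [Authorization(net("100.64.0.0/22"), 64512, 22)]


def select_route(table, dst_ip):
    """Plain longest-prefix match: the most specific covering prefix wins."""
    dst = ipaddress.IPv4Address(dst_ip)
    covering = [r for r in table if dst in r.prefix]
    if not covering:
        return None
    return max(covering, key=lambda r: r.prefix.prefixlen)


def validate(route, roas):
    """'valid' if some authorization covers the prefix with matching origin and
    permitted length, 'invalid' if covered but mismatched, 'unknown' if uncovered."""
    covering = [a for a in roas if route.prefix.subnet_of(a.prefix)]
    if not covering:
        return "unknown"
    for a in covering:
        if a.origin_as == route.origin_as and route.prefix.prefixlen <= a.max_length:
            return "valid"
    return "invalid"


def build_table(announcements, roas, drop_invalid):
    """Install announcements, optionally rejecting origin-invalid ones first."""
    return [r for r in announcements
            if not (drop_invalid and validate(r, roas) == "invalid")]


def where_does_traffic_go(dst_ip, drop_invalid):
    """Next hop chosen for dst_ip with and without origin validation."""
    table = build_table([LEGIT, HIJACK], ROAS, drop_invalid)
    chosen = select_route(table, dst_ip)
    return chosen.next_hop if chosen else None


if __name__ == "__main__":
    for flag in (False, True):
        print("drop_invalid=%s -> 100.64.1.10 goes to %s"
              % (flag, where_does_traffic_go("100.64.1.10", flag)))
```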

That one person had this kind of access to the backbone of the network that delivers content is scary.


The Internet is a marvel of self-organization, with many components that work seamlessly on top of each other.

Layered architecture

Web servers, layers of protocols, social networks, and routing infrastructure all work together to provide a communication, business and social platform that is fueling changes in society and the world of commerce. But those underlying components were designed and deployed before today’s threats were apparent.

Weak link in the Internet architecture

This weak link is well known to aggressors but has not been exploited in overt malicious acts. YET.

Attackers have recognized and attacked it: China diverted 15% of all Internet traffic in 2008.



Hacktivists use DDoS to shut down the servers and networks of political, religious and corporate organizations.

Nations in conflict use crowd-sourced denial of service attacks to shut off access to critical sites in a show of force, but also to silence vocal protesters and dissidents during a revolution.

Criminals attempt to extort cash payments from their targets with the threat of shutting down their business.

Small businesses have been known to hire botnets, collections of compromised computers, to shut down a competitor.

Cyber criminals

Small businesses

Achilles heel of web infrastructure: DNS

What it does

The Internet is based on protocols that route packets by their source and destination addresses. When a web address, a URL, is entered into a web browser, the browser has to translate www.yahoo.com to its IP address before packets can be exchanged and a visitor can see a web page.

DNS is the layer of servers all over the world that provides that function.

DNS details

There are multiple tiers to DNS. The top level domains (TLDs) are .com, .net, .gov, .edu, and the many country codes such as .ee for Estonia. Each top level domain is controlled by a different organization. When you type www.uscyberlabs.com into the URL window you generate a request to the .com TLD server (hosted by Verisign in over 400 data centers around the world). That server replies with the IP address of the server responsible for keeping track of all of the IP addresses associated with the uscyberlabs.com domain.

The owner of the site may not own the DNS server that provides that critical information.

In other words, an attacker could target the DNS server and effectively take down the web site. The problem is compounded because a DNS server often provides name services for hundreds, even thousands, of separate domains.

Helped some other online stores prevent DNS attacks at Christmas.

Why does it work

Ping flood

The earliest denial of service attack was a ping flood. Anyone with a fast computer running Unix could execute a simple command that would generate ping packets (PING: small one-way communications used by network monitoring products to check whether a host is still responding) to completely tie up the resources of the target computer or even completely clog its network connection. Ping floods are simple to defend against. A single rule in a router or firewall between the attacker and the target can block all pings.

This is an attack because no one thought anyone would do that (PING).

Easily dispatched with a single firewall rule.

SYN attack

Harder to stop, since it is the basis of many legitimate protocols.

An attacker simply sends millions of SYN packets, which tie up the server to the point where it cannot accept any more connections.

Have to block based on source, not service.

Once again, just block all traffic from a specific IP address. Today most firewalls are capable of intercepting SYN requests.

This is a dynamic rule.

Bot approach

Many IP addresses.

Boils down to dueling bandwidths.

Also crowd-sourcing: Anonymous, LulzSec.

Static rule blocking service requests.
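An added example, not from the notes above, that runs the two defenses they describe over constructed connection events: a dynamic per-source rule stops a single-source SYN flood, but the same volume spread over many bot sources never trips that rule and shows up only in the aggregate half-open backlog. The event format, addresses and thresholds are constructed.

```python
"""SYN-flood detection over constructed connection events (added example)."""
from collections import defaultdict

# Constructed event log, one event per line: "time src_ip dst_port flags".
# S = client SYN, SA = server SYN-ACK, A = client's ACK completing the handshake.
LEGIT_HANDSHAKE = ["20 198.51.100.5 80 S", "21 198.51.100.5 80 SA", "22 198.51.100.5 80 A"]

# Scenario 1: twenty SYNs from one constructed source, none of them completed.
SINGLE_SOURCE_LOG = ["{} 203.0.113.7 80 S".format(t) for t in range(20)] + LEGIT_HANDSHAKE

# Scenario 2 (bot approach): the same twenty SYNs, one each from twenty sources.
BOT_LOG = ["{} 100.64.0.{} 80 S".format(t, t + 1) for t in range(20)] + LEGIT_HANDSHAKE


def parse(lines):
    """Turn log lines into (time, src, port, flags) tuples."""
    events = []
    for line in lines:
        t, src, port, flags = line.split()
        events.append((int(t), src, int(port), flags))
    return events


def half_open_by_source(events):
    """Handshakes each source started (SYN) but never finished (ACK)."""
    started = defaultdict(int)
    completed = defaultdict(int)
    for _, src, _, flags in events:
        if flags == "S":
            started[src] += 1
        elif flags == "A":
            completed[src] += 1
    return {src: started[src] - completed[src] for src in started}


def dynamic_block_rules(events, threshold):
    """Per-source rule ('block on source, not service'): every source with
    more than `threshold` half-open handshakes gets a block entry."""
    counts = half_open_by_source(events)
    return sorted(src for src, n in counts.items() if n > threshold)


def assess(lines, per_source_threshold, backlog_limit):
    """Apply the per-source rule, then measure the backlog it leaves behind.
    A residual above `backlog_limit` is the distributed case the per-source
    rule cannot see; only an aggregate (backlog) alarm catches it."""
    events = parse(lines)
    blocked = dynamic_block_rules(events, per_source_threshold)
    remaining = [e for e in events if e[1] not in blocked]
    residual = sum(half_open_by_source(remaining).values())
    return {
        "blocked_sources": blocked,
        "residual_half_open": residual,
        "backlog_alarm": residual > backlog_limit,
    }


if __name__ == "__main__":
    print("single source:", assess(SINGLE_SOURCE_LOG, 5, 10))
    print("bot sources:  ", assess(BOT_LOG, 5, 10))
```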

2000: Denial-of-service and distributed denial-of-service attacks

Canadian hacker MafiaBoy launched a distributed denial-of-service attack that took down several high-profile Web sites, including Amazon, CNN and Yahoo!

A D(D)oS attack makes a computer resource, often a website, unavailable to its intended users. A common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.

uscyberlabs - el gatoMalo




U.S. Grills China About Cyber Attacks — InformationWeek

Chinese IP addresses have been implicated in numerous, recent distributed denial of service attacks, which top State Department officials see as a human rights issue.

In another sign that the United States government is concerned with the threat of cyber attacks originating from China, a top State Department official recently raised the case of a hacked U.S. political site directly with the Chinese Ministry of Foreign Affairs, according to a letter released by the political group Change.org.

The site, which offers tools for online political campaigns, began to be victimized by distributed denial of service (DDOS) attacks in mid April, soon after it carried a petition for China to release Chinese artist Ai Weiwei, who helped design the centerpiece of the 2008 Summer Olympics, the “Bird’s Nest” National Stadium, and who was imprisoned earlier this year in the midst of a Chinese crackdown on political dissent.

The attacks raised the ire of congressional leadership, as both House minority leader Nancy Pelosi, D-Calif., and Rep. Rosa DeLauro, D-Conn., condemned the attacks and called on the State Department to take action and bring the hackers to justice.

In response, the State Department not only condemned DDOS attacks, like the one Change.org experienced, that are “designed to stifle free speech on the net,” but also raised the issue directly with the Chinese Ministry of Foreign Affairs in late April, according to a letter from the State Department to Rep. DeLauro that was released by Change.org. The letter indicates that deputy assistant secretary of state Dan Baker raised the issue of the attack with the Chinese government during a dialogue on human rights.

“The Department will continue to press China on the importance of an open and unrestricted Internet,” says the letter, written by acting assistant secretary of state for legislative affairs Joseph Macmanus. “As part of the State Department’s Internet freedom initiative, we support efforts to protect groups and individuals from such attacks.”

The attack is only one of a number of recent attacks said to originate from China. Google in late May announced that hundreds of its Gmail users, including senior U.S. officials, had been the targets of a spear-phishing campaign that originated in China. A February attack on the G-20 was similarly traced to Chinese IP addresses, and China has also been reportedly eyed in recent attacks on the International Monetary Fund. Leaked State Department cables indicate that the Chinese have been attacking U.S. government agencies and companies since at least 2002.

via U.S. Grills China About Cyber Attacks — InformationWeek.


Interop: Cyberwar test runs yield information about defenses

Cyber warfare strategy is getting so sophisticated that network attacks suitable for major assaults are being used instead as trial runs meant solely to probe enemies with the aim of figuring out what their defenses are, an audience at an Interop security talk was told.

A distributed denial of service (DDoS) attack against South Korea earlier this year was delivered from a multilayered botnet that persisted for 10 days, then halted with command and control servers flushing the bot software out of the zombie machines, according to Brian Contos, director of global security strategy for McAfee.

The attack — McAfee called it 10 Days of Rain — came from a difficult-to-take-down, multi-tiered botnet set up by North Korea, he says. Then the botnet suddenly stopped its attack and deleted itself from the systems it had taken over.

via Interop: Cyberwar test runs yield information about defenses.


DDoS Attacks by Contract on Sharp Rise

As I monitor these news articles N. Korea comes into the China picture. I will now add Korea Cyber information into the mix. -vet4life

The Korea Internet & Security Agency (KISA) has found that DDoS attacks from China, which are presumed to be made by contract, are on a sharp rise.

“Existing DDoS attacks stopped when the hackers received money from the site after attacking a site three or four times,” said an employee of the KISA. “Contract DDoS attacks, however, continue in the form of a long-term cyber battle until the demand of the client is met.”

The Lineage Community P Site, an online café for a popular online game, was attacked via an IP from China for four days last month. “We received an email which threatens to continue DDoS attacks from an intimidator presumed to be a Chinese hacker unless we stop advertising a specific company,” said a manager of the site. “We are at a loss as we can neither stop the advertisement for keeping the site alive nor become a target of DDoS attacks.”

The cost of instigating Chinese hackers to launch DDoS attacks varies depending on the size of the target site. But it is not so high, generally ranging from several hundred thousand won to several million, which has increased such cyber attacks by Chinese hackers hired by those who want to disturb the business of their rivals or who bear a grudge.

via http://english.etnews.co.kr/news/detail.html?id=201105110008


Change.org victim of DDoS attack from China

Change.org, an online petitioning platform, has come under an ongoing distributed denial of service (DDoS) attack originating from China after the site hosted a call urging Chinese authorities to release artist Ai Weiwei from custody.

The attacks, which started late Sunday, have nearly brought down the site, according to Change.org founder Ben Rattray.

DDoS attacks work by using hundreds or thousands of hacked computers to send traffic to a website, overwhelming it with data so it becomes inaccessible to normal users.

Change.org said the current attack originates from an expanding group of computers primarily based in China, and has yet to stop. This is the first time the site has been hit with a DDoS attack.

Change.org has been hosting an online petition calling for the release of Chinese artist Ai Weiwei, who is currently under arrest. The petition has attracted almost 100,000 people from 175 countries, making it one of Change.org’s most successful international campaigns, Rattray said.

“It’s pretty clear the attack is in response to the campaign,” he added. “It’s extraordinary that somebody in China with a high-level of technical sophistication can impact the ability for people around the world to organize.”

The online call coincided with demonstrations across the world this past Sunday, which also called for the artist’s release. Ai, who is also known for his activism, has been detained as part of a Chinese government crackdown on political dissidents in the country.

Authorities in the country have arrested other human rights activists and clamped down on the information flow, following previous online postings that began in February calling for a “Jasmine revolution” against the Chinese government.

Change.org is currently blocked in China. Internet censors in the country regularly block sites that are deemed too politically sensitive.

Despite the block, the computers involved in the DDoS attack are managing to find a way around the country’s national Internet firewall, said Rattray.

In the past, other sites have been the victims of cyber attacks coming from China. This March, blog publishing platform WordPress.com also reported being hit with a DDoS attack originating from China.

Chinese hackers have also allegedly launched cyber attacks to steal data from foreign energy companies, according to security vendor McAfee. In 2009, Google was also the victim of an attack originating from China that was aimed at accessing the Gmail accounts of human rights activists.

The Chinese government has previously responded to these reports by denying it is involved in any cyberattacks, adding that China has also been a victim of hacking attempts.

The true source of DDoS attacks is often unclear. Although Change.org has traced the current attack to servers in China, it is also possible the computers are under the control of hackers based in another country.

Change.org reports that both the FBI and U.S. State Department are looking into the DDoS attack.

“We won’t stop or take down anything because of this DDoS attack,” Rattray said. “We believe in the fundamental right of the people to organize around issues they care about.”

via Change.org victim of DDoS attack from China.