Image: Tor Project

Threat actors or nation-states looking into degrading the performance of the Tor anonymity network can do it on the cheap, for only a few thousands US dollars per month, new academic research has revealed.

According to researchers from Georgetown University and the US Naval Research Laboratory, threat actors can use tools as banale as public DDoS stressers (booters) to slow down Tor network download speeds or hinder access to Tor's censorship circumvention capabilities.

Academics said that while an attack against the entire Tor network would require immense DDoS resources (512.73 Gbit/s) and would cost around $7.2 million per month, there are far simpler and more targeted means for degrading Tor performance for all users.

In research presented this week at the USENIX security conference, the research team showed the feasibility and effects of three types of carefully targeted "bandwidth DoS [denial of service] attacks" that can wreak havoc on Tor and its users.

Researchers argue that while these attacks don't shut down or clog the Tor network entirely, they can be used to dissuade or drive users away from Tor due to prolongued poor performance, which can be an effective strategy in the long run.

I. Targeting Tor bridges

In the first DDoS attack scenario the research team has analyzed, academics said that a threat actor can target Tor bridges instead of attacking each and every Tor server.

Tor bridges are special servers that act as entry points into the Tor network, however, unlike Tor guard servers, they don't have their IP addressses listed in public directories, hence they can't be blocked with ease.

Users residing in countries where access to the public Tor guard servers has been blocked by the local government can configure the Tor Browser to use one of the tens of buit-in bridge servers as a way to go around any Tor censorship attempt.

But researchers said that not all of these Tor bridges are currently operational and that saturating traffic to all (currently 12 working Tor bridges) costs only about $17k/month.

In the case all 38 Tor bridges would be repaired and made operational again, the attack would cost $31k/month, which is still a price tag in the reach of any nation-state willing to prevent citizens and dissidents from being able to connect to the Tor network.

II. Targeting TorFlow

A second DDoS attack scenario would be if threat actors would target TorFlow, the Tor network's load balancing system, which measures Tor relay capacity and distributes traffic accordingly, to prevent some Tor servers from getting overcrowded and becoming slow.

Academics said that targeting all TorFlow servers with constant DDoS attacks using public DDoS booter services would only cost $2.8k/month, even less than the first attack they analyzed.

"Through high-fidelity network simulation [...], we find that such an attack reduces the median client download rate by 80%," researchers said.

III. Targeting Tor relays

And for the third type of DDoS attack, academics chose to target Tor relays, the most common type of Tor servers, and the ones which bounce Tor traffic between each other to help preserve user anonimity.

But instead of relying on DDoS stressers, which are mostly used for funneling large chunks of traffic at a target, academics tried a different approach by exploiting flaws in the Tor protocol itself.

These denial of service (DoS) bugs use logic faults to slow down the Tor protocol and reduce download times for Tor content.

Such flaws have existed for years, and have been successfully used in the past -- albeit the Tor Project team has recently began patching these issues.

However, during their simulations, academics have put a price on how much one of these attacks would cost to target the entire Tor network, and not just one Tor-based .onion domain at a time.

According to the research team, an attacker could increase the median download time of Tor traffic by 120% with just $6.3k/month, and by 47% with only $1.6k/month.

Certainly in the budget

Taking into account that most nation-states have budgets in the millions of US dollars, such attacks are more than feasible.

"Nation-states are known to sponsor DoS attacks, and the ease of deployment and low cost of our attacks suggest that state actors could reasonably run them to disrupt Tor over both short and long timescales," researchers said.

"We speculate that nation-states may, e.g., choose DoS as an alternative to traffic filtering as Tor continues to improve its ability to circumvent blocking and censorship."

Image: Jansen et al.

Furthermore, the research team also argues that the second and third attacks they analyzed also deliver better results for the money a threat actor invests, when compared to the older Sybil attacks (when a malicious threat actor introduces rogue servers on the Tor network in order to gain more visilibity into the traffic that passes through).

In other words, it's cheaper and a more reliable strategy to degrade Tor network performance than trying to deanonymize its traffic.

As for countering these threats for the Tor ecosystem, academics have also proposed some basic mitigations.

"We recommend additional financing for meek bridges, moving away from load balancing approaches that rely on centralized scanning, and Tor protocol improvements (in particular,the use of authenticated SENDME cells)," they said.

The problem with these mitigations is that they rely on increased financing of the Tor Project, a problem the organization has been trying to solve for yeas as Tor has become more popular.

Additional details about this research are available in a white paper named "Point Break: A Study of Bandwidth Denial-of-Service Attacks against Tor," which the research team has presented this week at the 28th USENIX Security Symposium in Santa Clara, US.

Related cybersecurity coverage: