Mitigating Distributed Denial of Service Attacks in an Anonymous Routing Environment: Client Puzzles and Tor THESIS Nicholas A. Fraser, Captain, USAF AFIT/GCS/ENG/06-06 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government. AFIT/GCS/ENG/06-06 Mitigating Distributed Denial of Service Attacks in an Anonymous Routing Environment: Client Puzzles and Tor THESIS Presented to the Faculty Department of Electrical and Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science Nicholas A. Fraser, B.S. Captain, USAF March 2006 APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. AFIT/GCS/ENG/06-06 Mitigating Distributed Denial of Service Attacks in an Anonymous Routing Environment: Client Puzzles and Tor Nicholas A. Fraser, B.S. Captain, USAF Approved: /signed/ 21 Feb 2006 Dr. Richard A. Raines (Chairman) date /signed/ 21 Feb 2006 Dr. Rusty O. Baldwin (Member) date /signed/ 21 Feb 2006 Dr. Kenneth M. Hopkinson (Member) date AFIT/GCS/ENG/06-06 Abstract Network-centric intelligence collection operations use computers and the Inter- nettoidentifythreatsagainstDepartmentofDefense(DoD)operationsandpersonnel, to assess the strengths and weaknesses of enemy capabilities and to attribute network events to sponsoring organizations. The security of these operations are paramount and attention must be paid to countering enemy attribution efforts. One way for U.S. information operators to avoid being linked to the DoD is to use anonymous communication systems. One such anonymous communication system, Tor, provides a distributed overlay network that anonymizes interactive TCP services such as web browsing, secure shell, and chat. Tor uses the Transport Layer Security (TLS) proto- col and is thus vulnerable to a distributed denial-of-service (DDoS) attack that can significantly delay data traversing the Tor network. This research is the first to explore DDoS mitigation in the anonymous routing environment. Defending against DDoS attacks in this environment is challenging as mitigation strategies must account for the distributed characteristics of anonymous communication systems and for anonymity vulnerabilities. In this research, the TLS DDoS attack is mitigated by forcing all clients (malicious or legitimate) to solve a puzzle before a connection is completed. A novel puzzle protocol, the Memoryless Puzzle Protocol (MPP), is conceived, implemented, and analyzed for anonymity and DDoSvulnerabilities. Consequently,fournewsecondaryDDoSandanonymityattacks are identified and defenses proposed. Furthermore, analysis of the MPP identified and resolved two important shortcomings of the generalized client puzzle technique. The MPP is a suitable solution for increasing the robustness and reliability of Tor–a critical information operations tool. Attacks that normally induce victim CPU utilization rates of 80-100% are reduced to below 70%. Also, the puzzle im- plementation allows for user-data latency to be reduced by close to 50% during a iv large-scale attack. Finally, experimental results show successful mitigation can occur without sending a puzzle to every requesting client. By adjusting the maximum puz- zle strength, CPU utilization can be capped at 70% even when an arbitrary client has only a 30% chance of receiving a puzzle. v Acknowledgements Thank you to my wife and my baby girl for their patience and encouragement during our AFIT experience. Thank you also to my fellow section members. The friendships formed while at this institution, I hope, will be long lasting. Thank you to my advisor, Dr. Richard Raines, who’s guidance, patience, con- fidence, and encouragement made completing this research one of my most enjoyable and challenging experiences. I would also like to thank Dr. Rusty Baldwin and Dr. Kenneth Hopkinson for their support and confidence. Finally, I would like to thank Major (Dr.) Robert Neher for his instruction and assistance on statistical issues. Nicholas A. Fraser vi Table of Contents Page Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi I. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.3 Research Focus . . . . . . . . . . . . . . . . . . . . . . . 3 1.4 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.5 Approach . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 5 II. Literature Review . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2 The Anonymous Routing Environment . . . . . . . . . . 6 2.2.1 Traffic Analysis . . . . . . . . . . . . . . . . . . 6 2.2.2 Fundamentals . . . . . . . . . . . . . . . . . . . 7 2.2.3 Tor and other Anonymous Routing Protocols . 15 2.3 Tor Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 20 2.3.1 Common Attacks . . . . . . . . . . . . . . . . . 20 2.3.2 Low-Cost Traffic Analysis . . . . . . . . . . . . 20 2.3.3 Autonomous Networks . . . . . . . . . . . . . . 22 2.3.4 Distributed Denial of Service Attack . . . . . . 22 2.4 Defending Tor From A DDoS Attack . . . . . . . . . . . 23 2.4.1 Threat Assumptions . . . . . . . . . . . . . . . 24 2.4.2 Network Techniques . . . . . . . . . . . . . . . 24 2.4.3 Overlay Solutions . . . . . . . . . . . . . . . . . 26 2.4.4 Client Puzzles . . . . . . . . . . . . . . . . . . . 26 2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 29 vii Page III. The Memoryless Puzzle Protocol . . . . . . . . . . . . . . . . . . 30 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 30 3.2 Puzzle Protocol . . . . . . . . . . . . . . . . . . . . . . . 30 3.3 Implementation . . . . . . . . . . . . . . . . . . . . . . . 32 3.3.1 OpenSSL . . . . . . . . . . . . . . . . . . . . . 32 3.3.2 Tor . . . . . . . . . . . . . . . . . . . . . . . . . 33 3.4 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 3.5 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . 34 3.5.1 Secondary DDoS Attacks . . . . . . . . . . . . . 34 3.5.2 Anonymity Attacks . . . . . . . . . . . . . . . . 36 3.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 44 IV. Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 45 4.2 Problem Definition . . . . . . . . . . . . . . . . . . . . . 45 4.2.1 Goals and Hypothesis . . . . . . . . . . . . . . . 45 4.2.2 Approach . . . . . . . . . . . . . . . . . . . . . 46 4.3 System Boundaries . . . . . . . . . . . . . . . . . . . . . 46 4.4 System Services . . . . . . . . . . . . . . . . . . . . . . . 47 4.5 Workload . . . . . . . . . . . . . . . . . . . . . . . . . . 48 4.6 Performance Metrics . . . . . . . . . . . . . . . . . . . . 48 4.7 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 49 4.7.1 System . . . . . . . . . . . . . . . . . . . . . . . 49 4.7.2 Workload . . . . . . . . . . . . . . . . . . . . . 49 4.8 Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 4.9 Evaluation Technique . . . . . . . . . . . . . . . . . . . 51 4.9.1 Experimental Setup . . . . . . . . . . . . . . . . 51 4.10 Experimental Design . . . . . . . . . . . . . . . . . . . . 53 4.11 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 53 V. Experimental Results and Analysis . . . . . . . . . . . . . . . . . 55 5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 55 5.2 Average CPU Utilization . . . . . . . . . . . . . . . . . . 55 5.2.1 Attack Sensitivity Analysis . . . . . . . . . . . . 55 5.2.2 Probability Analysis . . . . . . . . . . . . . . . 57 5.3 User-Data Latency . . . . . . . . . . . . . . . . . . . . . 62 5.3.1 Attack Sensitivity Analysis . . . . . . . . . . . . 63 5.3.2 Probability Analysis . . . . . . . . . . . . . . . 63 5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 66 viii Page VI. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 67 6.2 Research Impact . . . . . . . . . . . . . . . . . . . . . . 67 6.2.1 Why Client Puzzles? . . . . . . . . . . . . . . . 67 6.2.2 A Puzzle Protocol for Anonymous Routing . . . 67 6.2.3 Mitigation Accomplished . . . . . . . . . . . . . 68 6.3 Research Contributions . . . . . . . . . . . . . . . . . . 69 6.4 Future Work . . . . . . . . . . . . . . . . . . . . . . . . 69 6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 70 Appendix A. Simulation Software For the Path Building Attack . . . 71 Appendix B. Experimental Data For the Path Building Attack . . . . 77 Appendix C. Tor, OpenSSL, and DDoS Attack Code and Scripts . . . 79 C.1 OpenSSL and Tor Code . . . . . . . . . . . . . . . . . . 79 C.2 Attack Program . . . . . . . . . . . . . . . . . . . . . . . 79 C.3 Attack Startup Script For 18 Process Attack . . . . . . . 82 C.4 Attack Shutdown Script . . . . . . . . . . . . . . . . . . 82 Appendix D. Experimental Data and Visual Tests For CPU Utilization 84 Appendix E. Experimental Data and Visual Tests For Latency . . . . 94 Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 ix
Description: