The privacy-oriented browser Tor (The Onion Router) is researching ways “anonymous tokens” could counter Denial of Service (DoS) attacks – a pressing issue for the network.
Tor has been subject to DoS attacks, degrading its performance. While there are technical fixes Tor has worked to implement, the nature of the network and the anonymity of the traffic on it make it particularly susceptible to DoS attacks.
In August, Tor introduced the idea of using anonymous tokens to counter such attacks, allowing them to differentiate between “good” and “bad” traffic, and to avoid implementing user accounts, which most sites and networks use to identify traffic and bad actors.
During last week’s “State of the Onion” address, when the Tor team gave updates on projects and forecasted new developments for 2021, the team reinforced their interest in developing these anonymous tokens.
“Memory is an amazing thing,” said George Kadianakis, a Tor Network team developer. “It allows us to experience the world, remember the things we’ve been to and remember the nice food we ate.
A DoS attack is one such issue.
A DoS attack disrupts a website by initiating thousands of connections to it, overwhelming it and causing it to crash.
Tor is particularly vulnerable to such attacks because of its emphasis on anonymity. While a normal network would have your identity tied to an account or the like, Tor does not; therefore, it doesn’t have a great way of differentiating malicious traffic from non-malicious traffic.
The process of navigating the Tor network to secure a connection between a server and remote user also requires intensive work by a central processing unit (CPU), which can get to a state where it’s maxed out and unable to accept new traffic, a feature DoS attacks exploit.
“The attacks exploit the inherent asymmetric nature of the onion service rendezvous protocol, and that makes it a hard problem to defend against,” reads a post that examines solutions to DoS attacks..
“During the rendezvous protocol, an evil client can send a small message to the service while the service has to do lots of expensive work to react to it,” the post reads. “This asymmetry opens the protocol to DoS attacks, and the anonymous nature of our network makes it extremely challenging to filter the good clients from the bad.”
Rather than implementing accounts or cookies, both of which would undermine Tor’s mission, Kadianakis proposed tokens that could be included in a user’s traffic request. These tokens would allow websites accessible through the Tor network to “intelligently prioritize which requests it answers.”
“We could use anonymous tokens. Tokens are a part of the internet that use blockchains and other protocols like Cloudflare’s Privacy Pass,” saids Kadianakis during the presentation. “It’s basically like a train ticket. By having a train ticket you can show that you’ve done some effort to acquire it, but it doesn’t tie to your identity. So if you drop it on the floor and someone else picks it up they cannot impersonate you and they don’t know who you are.”
The scenario he envisioned is one where the onion service could issue these tokens and give them to clients who have already demonstrated their trustworthiness (in ways yet to be determined). These trusted clients would then give their tokens to the onion service when they connect and, in doing so, get service before an untrusted user (eg., a potential attacker).
Kadianakis said tokens could also be used to design a secure name system so people can register names for their own use with tickets, which could help encourage audience activities.
“The anonymous nature of our network makes it challenging to filter the good clients from the bad. There is no one established attacker, but rather an ongoing challenge,” according to Isabela Bagueros, executive director of the Tor Project.
“That is why we are focused on investigating methods to rate limit or otherwise reduce the ability of clients to make large numbers of connections to an onion service without violating a client or service’s privacy,” she said.
Users could also apply their tokens toward acquiring private bridges and exit nodes, which would potentially provide additional security. Private bridges are how users access the Tor network in places where censors have blocked access to public Tor relays by blocking their IP addresses. They have a collection of private bridges that are not publicly available; these can be handed out a few at a time to clients in order to impede enumeration and IP address-blocking by censors.
Another attack vector for hackers are “relays.” Relays route traffic and obscure traceable and identifiable IP addresses, with an exit relay being the final one that connects users to a site.
As CoinDesk reported in August, a hacker was using his or her position as a “major exit relay host to stage sophisticated person-in-the-middle attacks, stripping websites of encryption and giving her/him full unrestricted access to traffic passing through her/his servers.” The hacker was using this access to steal cryptocurrencies.
When asked what impact tokens might have on mitigating such an attack, Bagueros said a token-based approach could improve usability in a way that makes phishing attacks like this infeasible, but it all depends on the integration.
“Another approach to this issue, one that we’re already taking, is to strengthen the onion services ecosystem and encourage more service and sites to use onions, as onion services do not use exit nodes and therefore bypass this kind of attack completely,” she said in an email to CoinDesk.
For exits and exit safety, the Tor Project is investigating ways of creating a trusted set of exit relays with known and verified operators, to reduce the incidence of attack from exit usage, said Bagueros.
“We are also looking into requiring captcha-issued tokens in order to use these exits. In this way, these exits should be used less for automated scraping and spam, which should reduce the rate at which their IP addresses are banned from sites, and generally improve their IP address reputation,” she said.
The team is still researching tokens and does not have a timeline for development.
Another approach the original blog post lays out is a proof-of-work system to acquire tokens.
Onion services can ask the client to solve a proof-of-work puzzle before they’re allowed to connect.
“With the right proof-of-work algorithm and puzzle difficulty, this can make it impossible for an attacker to overwhelm the service, while still making it reachable by normal clients with only a small delay,” read the post.
In the case of DDoS attacks, Kadianakis said Tor could employ proof-of-work tokens created by the clients themselves and sent directly to the service.
“Proof-of-work is one way to make it more expensive for clients to consume service resources in bulk that we’re investigating,” said Bagueros. “We’re also looking into … a token that signifies the quantity of work spent compactly without impacting privacy.”
Tor has not yet found a privacy-oriented blockchain it sees as sufficient for this, but remains hopeful one will be found.
In terms of other ways of earning these tokens, Tor lays out a number of options, such as allowing connected sites to award tokens to trusted users or giving users tokens with every donation they make to the project. It is also in the midst of brainstorming what additional benefits tokens could offer, how they could interact with each other and what wallets for them might look like, including a Tor Browser wallet integration.
There is currently no discussion about monetizing tokens.