SnailLoad Side-Channel Attack

Hackers often monitor web activities to gather several types of confidential data.

By tracking your online activities, hackers can tailor phishing schemes and social engineering attacks, which will increase their chances of success.


Cybersecurity researchers from Graz University of Technology discovered SnailLoad, a novel side-channel attack that exploits network latency to infer user activities without requiring JavaScript, code execution, or user interaction. The researchers are:

  • Stefan Gast
  • Roland Czerny
  • Jonas Juffinger
  • Fabian Rauscher
  • Simone Franza
  • Daniel Gruss

Among other things, it detects which videos are watched or which websites are visited on a victim’s machine by measuring variations in latency from an attacker-controlled server.

During testing, SnailLoad showed 98% accuracy in identifying YouTube videos and 62.8% accuracy in recognizing the top 100 websites, extending previous man-in-the-middle attacks to remote environments.

SnailLoad Side-Channel Attack

SnailLoad is different from previous attacks that require a person-in-the-middle scenario. It operates passively from any internet server and requires minimal network activity. 

By taking advantage of timing differences due to bufferbloat in the victim’s last-mile connection, SnailLoad can determine the sites visited by users with an accuracy of up to 98% for YouTube videos and 62.8% for top 100 websites over several internet technologies. 

This technique can extend numerous network side-channel attacks to remote non-PITM scenarios, which poses fresh security issues.

The attack setup of SnailLoad is as follows:

  • Victim-server communication occurs over varying network speeds.
  • The server has a high-speed connection, and the victim’s last mile is slower.
  • Attacker’s packets experience delays when the victim’s last mile is congested.
  • The attacker exploits packet delay patterns to infer the victim’s web activity.

Figure: Attack Setup (Source – SnailLoad)

SnailLoad varies in its effectiveness depending on network conditions and sampling rates. It can detect the download of files with a size above 512KB through any internet connection.
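To make the setup above concrete, here is an added example (not the researchers' code) that models the victim's last mile as a simple FIFO queue and reports the queueing delay a periodic probe would see behind one 512 KiB transfer. The fluid model, all function names, and the link rates and buffer size are assumptions chosen for illustration; the buffer cap shows the standard bound that queueing delay cannot exceed buffer size divided by link rate.

```python
# Added illustration: fluid FIFO model of a last-mile downlink (a simplification).
# All names and parameter values here are hypothetical, chosen for the example.

def probe_delays(link_bps, bursts, probe_every_ms, duration_ms, buffer_bytes=None):
    """Return [(t_ms, queueing_delay_ms)] seen by periodic probes.

    bursts maps arrival time (ms) -> bytes the fast server side delivers to the
    bottleneck at once. buffer_bytes caps the queue; excess is dropped (the
    model ignores retransmissions).
    """
    drain_per_ms = link_bps / 8000.0      # bytes the slow link forwards per ms
    backlog = 0.0                         # bytes waiting in the bottleneck queue
    samples = []
    for t in range(duration_ms):
        backlog += bursts.get(t, 0)
        if buffer_bytes is not None:
            backlog = min(backlog, buffer_bytes)
        if t % probe_every_ms == 0:
            # A probe arriving now waits behind everything already queued.
            samples.append((t, backlog / drain_per_ms))
        backlog = max(0.0, backlog - drain_per_ms)
    return samples


def summarize(samples, threshold_ms=5.0):
    """Peak delay and how many probes saw a delay above threshold_ms."""
    delays = [d for _, d in samples]
    return max(delays), sum(1 for d in delays if d > threshold_ms)


if __name__ == "__main__":
    burst = {100: 512 * 1024}             # constructed input: one 512 KiB transfer
    for label, bps, buf in [
        ("10 Mbit/s, deep buffer", 10_000_000, None),
        ("100 Mbit/s, deep buffer", 100_000_000, None),
        ("10 Mbit/s, 64 KiB buffer", 10_000_000, 64 * 1024),
    ]:
        peak, elevated = summarize(probe_delays(bps, burst, 50, 1000, buf))
        print(f"{label:26s} peak={peak:6.1f} ms  elevated probes={elevated}")
```

In this model, the slow link with a deep buffer keeps probes delayed for nine consecutive samples, while a faster link or a shallow buffer shrinks both the peak and the duration of the latency signal.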

In video fingerprinting experiments conducted on ten home connections, a range of F1 scores between 37% and 98% was achieved, with fiber-based connections producing different results due to differences in bandwidths and shared infrastructures.

Website fingerprinting produced a macro-average F1 score of 62.8% for an open-world scenario, with performance that varied according to site attributes.

Moreover, SnailLoad can detect other user interactions, such as video calls, making it a possible tool for non-PITM network activity inference attacks.

SnailLoad proved to be 37-98% accurate in video fingerprinting during experiments on diverse internet connections, while its accuracy in website fingerprinting was 62.8%.

This indicates that multiple network side-channel attacks that were previously limited to man-in-the-middle settings could potentially be carried over to remote, non-intrusive environments.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.