Denial of Service; in short, shutting down your internet connection.
Yes, but in the case of browsing using the whonix-* Qubes:
anon-whonix → sys-whonix → sys-firewall → sys-net
In this chain, only sys-net is “exposed” through its NIC.
All Qubes deny incoming requests (except those that belong to a previous outgoing request), and sys-whonix encapsulates network traffic to go through Tor (if it isn't done directly in anon-whonix; I'm not 100% sure), but the important part is that sys-firewall and sys-net only forward outgoing packets, so they can't know what the contents of the packets are.
This would also work with a sys-vpn; I think you could learn more about it here: Wireguard VPN setup - #2 by deeplow
It would look something like:
AppVM → sys-vpn-fw → sys-vpn → sys-firewall → sys-net
An attacker who had gained access to sys-net wouldn't be able to send packets the other way (they would be denied by firewall rules from sys-firewall).
They could:
- Try to exploit some bug in Xen to escape the sys-net VM
- Disturb traffic (as reading encrypted/Tor packets wouldn't be very useful)
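As an added illustration (not code from the post above or from the Qubes project), the following constructed Python model shows the direction asymmetry the reply describes: each qube in the chain forwards its client's outgoing packets upstream and only passes packets back downstream when they belong to a flow the downstream side opened first, so an unsolicited packet injected from sys-net is dropped at sys-firewall. The topology, flow keys and qube names are assumptions for the model; real Qubes netvms implement this with nftables/conntrack, which this model only approximates.

```python
# Constructed model of the qube chain anon-whonix -> sys-whonix -> sys-firewall -> sys-net.
# Not Qubes code: it only captures "forward outgoing, allow replies, drop new inbound".
from dataclasses import dataclass, field

# Assumed topology: each qube names its netvm (None = the qube holding the NIC).
NETVM = {"anon-whonix": "sys-whonix", "sys-whonix": "sys-firewall",
         "sys-firewall": "sys-net", "sys-net": None}

@dataclass
class Qube:
    name: str
    conntrack: set = field(default_factory=set)  # flows opened from downstream

QUBES = {n: Qube(n) for n in NETVM}

def upstream_path(qube):
    """Chain from a qube to the NIC holder, following netvm assignments."""
    path = [qube]
    while NETVM[path[-1]] is not None:
        path.append(NETVM[path[-1]])
    return path

def send_outgoing(src, flow):
    """A client qube opens a connection: every forwarding hop records the flow.
    `flow` is a constructed key standing in for a conntrack 5-tuple."""
    path = upstream_path(src)
    for hop in path[1:]:
        QUBES[hop].conntrack.add(flow)
    return path

def deliver_inbound(hop, dst, flow):
    """A packet arrives at `hop` from the NIC side, addressed to `dst` downstream.
    Each forwarding qube accepts it only if the flow was opened from below.
    Returns (delivered, qube_that_dropped_it)."""
    downstream = list(reversed(upstream_path(dst)))  # NIC side first
    for qube in downstream[downstream.index(hop):]:
        if qube == dst:
            return True, None
        if flow not in QUBES[qube].conntrack:
            return False, qube  # stateful rule: no prior outgoing flow here
    return False, None

if __name__ == "__main__":
    reply = ("tcp", 443, 51234)            # constructed flow key
    send_outgoing("anon-whonix", reply)    # browsing session opened from inside
    print(deliver_inbound("sys-net", "anon-whonix", reply))          # (True, None)
    injected = ("tcp", 22, 4000)           # unsolicited, from a compromised sys-net
    print(deliver_inbound("sys-firewall", "anon-whonix", injected))  # (False, 'sys-firewall')
```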