
Fwd: (Theory) The BGP exploit: Effects on Tor routing and overall anonymity?



Hi All,

I'm sorry for the cross-post, but I felt this was relevant (and an interesting thread!).

Alex Pilosov (one of the presenters for this BGP exploit) hangs out on our list, so I cross-posted this thread to the NYC*BUG-talk list, and below is Alex's short response.

Best,
.ike


(For the record, the NYC*BUG Talk mailing list and archives can be found at: <http://www.nycbug.org/index.php?NAV=MailingLists>)

On Fri, 29 Aug 2008, Isaac Levy wrote:

Hi All,

So this is a bit of a cross-post, I thought it was relevant/interesting, since we've all been buzzing about our very own Alex, and the wild Defcon demo on scary BGP re-routing; and many folks here have an interest in the TOR network.

ike-summary:

- Essentially, the first poster asks if the BGP attack could be used to break TOR anonymity.

- The second poster explains a quick no, and then a sort of 'yes but it's not in the realm of sanity', in good detail.

The second poster is correct.

-alex

Begin forwarded message:

From: "John Brooks" <aspecialj@xxxxxxxxx>
Date: August 29, 2008 1:46:30 AM EDT
To: or-talk@xxxxxxxxxxxxx
Subject: Re: (Theory) The BGP exploit: Effects on Tor routing and overall anonymity?
Reply-To: or-talk@xxxxxxxxxxxxx

The short answer is no, not much. The long answer is a lot longer than that, so get ready :P

This would serve the person intercepting the traffic in near exactly the same way it does the operator of the node - entry nodes know the client, middle nodes know the entry and exit nodes, exit nodes know the destination (and the traffic to that destination). You would still need to intercept a significant amount of nodes before being able to break anonymity and tell which users are responsible for what traffic - which is a problem because the entire reason this attack works is that it targets more specific IP blocks. That many announcements (for various nodes) would be pretty easy to see. If an attacker were able to intercept traffic on the entry and exit nodes, or the client and destination, they could use timing and bandwidth correlations to tell (with high probability) that this client is accessing this destination. But this is no different from an attacker with control of the entry node or exit/destination.

The only way to make use of it that doesn't involve guessing at what nodes are in use would be to start at one end and work backwards or forwards in real time. Essentially, you start by intercepting traffic to a target destination, then intercept traffic to the exit node contacting that destination, then intercept traffic to the middle node contacting that exit, then the entry node contacting that middle node, and finally to the client. The problem here is that you'd need a consistent (and obvious) traffic pattern sustained throughout that time (which would be long, due to the large amount of traffic most nodes handle and that BGP is not instantaneous), which is not generally true of HTTP requests. The complexity of such an attack would be problematic, and it still involves quite a lot of guesswork.

So no, this isn't a significant risk to tor anonymity, it's at best a quicker way to intercept traffic and follow a node path to its source, and I would be amazed if that were pulled off successfully. Remember that this exploit only allows you to intercept traffic *to* a specific destination, and in that situation you have no more information than the real destination does (less, in fact, because you don't see the traffic going the other direction unless you intercept that too).

- John Brooks
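John's point that "that many announcements (for various nodes) would be pretty easy to see" is the defender's angle: a relay operator or route-monitoring service can watch BGP updates for more-specific prefixes, announced from an unexpected origin AS, that cover relay addresses. The following is an added example written for this archive, not code from the thread or from the Tor project. It assumes a constructed baseline of legitimate covering prefixes with their origin ASNs, a constructed relay list, and a constructed update feed (documentation IP ranges and private ASNs); in practice the baseline would come from the operator's own routing data and the feed from a BGP collector.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (hypothetical values, not real relays or ASNs).
# Relay IPs and the origin ASN that legitimately announces their prefix.
RELAYS = {
    "198.51.100.10": 64501,
    "198.51.100.77": 64501,
    "203.0.113.5": 64502,
    "192.0.2.200": 64503,
}

# Baseline: the covering prefixes we expect to see, with their legitimate origin ASN.
BASELINE = {
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
    "192.0.2.0/24": 64503,
}

# Constructed BGP update feed as (prefix, origin ASN) pairs.
UPDATES = [
    ("198.51.100.0/24", 64501),   # ordinary re-announcement by the legitimate origin
    ("198.51.100.0/25", 64599),   # more-specific from an unexpected origin; covers two relays
    ("203.0.113.0/28", 64599),    # more-specific from an unexpected origin; covers one relay
    ("192.0.2.0/24", 64503),      # ordinary announcement
    ("10.0.0.0/8", 64599),        # unrelated prefix, no relay inside, not in the baseline
]


def covering_baseline(prefix):
    """Return the baseline prefix that contains `prefix`, or None if none does."""
    net = ipaddress.ip_network(prefix)
    for base in BASELINE:
        bnet = ipaddress.ip_network(base)
        if net.version == bnet.version and net.subnet_of(bnet):
            return base
    return None


def relays_in(prefix):
    """Relay IPs that fall inside `prefix`, sorted for stable output."""
    net = ipaddress.ip_network(prefix)
    return sorted(ip for ip in RELAYS if ipaddress.ip_address(ip) in net)


def find_suspicious(updates):
    """Flag announcements whose origin differs from the baseline origin of the
    covering prefix and which cover at least one relay. `more_specific` records
    whether the announcement is a longer prefix than the baseline entry, the
    pattern the thread discusses, as opposed to an exact-prefix origin change."""
    findings = []
    for prefix, origin in updates:
        base = covering_baseline(prefix)
        if base is None:
            continue
        net = ipaddress.ip_network(prefix)
        bnet = ipaddress.ip_network(base)
        covered = relays_in(prefix)
        if origin != BASELINE[base] and covered:
            findings.append({
                "prefix": prefix,
                "origin": origin,
                "baseline": base,
                "more_specific": net.prefixlen > bnet.prefixlen,
                "relays": covered,
            })
    return findings


def relays_per_origin(findings):
    """Count distinct relays covered by each unexpected origin ASN; a single
    origin covering many relays is the 'many announcements' signal."""
    by_origin = defaultdict(set)
    for f in findings:
        by_origin[f["origin"]].update(f["relays"])
    return {asn: len(relays) for asn, relays in by_origin.items()}


if __name__ == "__main__":
    found = find_suspicious(UPDATES)
    for f in found:
        print(f"{f['prefix']} from AS{f['origin']} (baseline {f['baseline']} AS{BASELINE[f['baseline']]}), "
              f"more_specific={f['more_specific']}, relays={f['relays']}")
    print("relays covered per unexpected origin:", relays_per_origin(found))
```

The check deliberately ignores announcements that do not fall under a known baseline prefix (the 10.0.0.0/8 line), since those cannot affect traffic to a listed relay; the count per origin is what turns individual hits into the visible pattern John describes.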

On Thu, Aug 28, 2008 at 11:21 PM, F. Fox <kitsune.or@xxxxxxxxx> wrote:

Once I read about the recent BGP exploit (http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html) - which has the potential to re-route the traffic of millions of users - I had a question, from a theoretical standpoint:

If such siphoning drew in traffic passing in between Tor nodes, would
this have an effect on reducing anonymity for the users having their
traffic relayed by these nodes? If so, how?

--
F. Fox
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com

Note 2008/08/19: I lost my old GPG keypair, and have generated a new
one. Authenticity can be verified by checking the ContactInfo on kitsune.