
Re: peculiar server "bandwidth" posted by server "mnl" and possible new type of attack



     On Wed, 10 Sep 2008 07:46:51 -0600 "Kasimir Gabert" <kasimir.g@xxxxxxxxx>
wrote:
>On Wed, Sep 10, 2008 at 7:28 AM, Scott Bennett <bennett@xxxxxxxxxx> wrote:
>>>
>>>The fact of not being an exit node would make it a better corrupted
>>>relay? I mean, if I would like to DOS the Tor network I would be better
>>
>>     No, or at least I don't think so.  What I was referring to is that most
>> of the trouble we've had from bad operators has taken the form of corrupted
>> exit servers, where what goes into or comes out of the exit is in the clear
>> and can be altered before it is sent where it is going.
>>
>>>to set the trojan node as internal?
>>>
>>     For this kind of attack, I suppose there might be some sort of advantage
>> to being only a relay and not an exit because route selection often prefers
>> non-exit relays for non-exit positions in a route, and a typical route has
>> two non-exit positions but only one exit position.  So the chances to bog
>> down performance might be a bit higher if the attacker focused on non-exit
>> usage.
>>     But Roger has already said that clients believe that no server really
>> handles more than 5 MB/s, so they trim any figures greater than that back to
>> 5 MB/s.  If you had a dozen or two tor servers falsely reporting high usages,
>> each at 5 MB/s or more, it might make a mess of things because they would
>> distort the networkwide statistics, especially if those servers did not
>> identify themselves as all being members of the same Family.

     A footnote to the above is that a real attacker of this sort could perhaps
avoid notice quite a while longer by running a somewhat larger number of slow
servers that published bogus rates in the 1 MB/s to 4 MB/s range.  The rates
would thus appear to be valid to tor and on the torstatus page would scatter
attacker servers in with a substantially larger group of high-bandwidth, good
servers.
>
>For reference, the reported bandwidth values from mnl hover around
>2000 KB/s, but are very flaky (I'll assume this is caused by the
>connection issues Domenico was talking about).

     Thanks.  I knew I had seen it frequently somewhere in the upper reaches
of the distribution.
>
>http://trunk.torstatus.kgprog.com/router_detail.php?FP=abd38668d3f476f50232fec0b6db6550ea43edd0
>
     Oh, wonderful!  The graphs spanning different time scales look great,
but naturally make me wish for more. :-)  Would it be feasible to be able
to request graphs covering specific (i.e., starting date to ending date)
time periods?  Thanks for the good work.  I assume the new version of the
torstatus scripts will let us get graphs like the ones you've shown at the
link above.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
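
The effect of the 5 MB/s client-side ceiling discussed in the message above, as an added example that is not part of the original post and is not Tor's path-selection code. It assumes a simplified model in which a relay's selection weight is its self-advertised bandwidth clamped to the ceiling; the relay names and rates are constructed, and 1 MB is taken as 1000 KB.

```python
# Simplified model, not Tor's path-selection code: a relay's selection weight
# is its self-advertised bandwidth, clamped to a client-side ceiling.
CAP_KBPS = 5000  # the 5 MB/s ceiling from the thread, taking 1 MB = 1000 KB


def weight(advertised_kbps, cap=CAP_KBPS):
    """Clamp an advertised rate; cap=None models a client with no ceiling."""
    return advertised_kbps if cap is None else min(advertised_kbps, cap)


def selection_share(relays, group, cap=CAP_KBPS):
    """Fraction of total selection weight held by the relays named in group."""
    total = sum(weight(bw, cap) for bw in relays.values())
    held = sum(weight(relays[name], cap) for name in group)
    return held / total if total else 0.0


def at_ceiling(relays, cap=CAP_KBPS):
    """Relays whose advertised rate meets or exceeds the ceiling: the ones
    whose figures the clamp is actually rewriting, worth a manual look."""
    return sorted(name for name, bw in relays.items() if bw >= cap)


def build_sample():
    """Constructed data: 20 relays at 500 KB/s and two advertising 50000 KB/s."""
    relays = {f"relay{i:02d}": 500 for i in range(20)}
    relays.update({"big1": 50000, "big2": 50000})
    return relays


if __name__ == "__main__":
    relays = build_sample()
    flagged = at_ceiling(relays)
    print("at or above ceiling:", flagged)
    print("share without ceiling: %.3f" % selection_share(relays, flagged, cap=None))
    print("share with ceiling:    %.3f" % selection_share(relays, flagged))
```

In this constructed sample the ceiling cuts the flagged relays' combined weight from about 91% to 50% of the total, which shows that the clamp bounds each relay's weight but not the weight of a group.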