Re: : Export END_CIRC_REASON_* to controler

[Paul Syverson <syverson@xxxxxxxxxxxxxxxx>]

On Fri, Oct 13, 2006 at 01:14:53AM -0500, Mike Perry wrote:
> 
> One issue I would like to guard against/watch for is an adversary
> destroying circuits if they do not detect one of their colluders at
> each end.  Adversaries doing this would be able to ensure that the
> only time they waste bandwidth on a connection is if they know they
> are able to determine its origin, thus gaining an advantage over the
> expected rate of O((c/n)^2).
> 
> For the scanner to detect this, there shouldn't be any way a node can
> make us mistake a malicious closure from one that should happen
> normally (ie was requested by us). Taking the reason right from the
> wire enables a node to do this.
> 

I'm probably not getting some key assumption here, but I don't see how
this can be prevented without some major developments.  This sort of
attack is roughly how the experiments to detect hidden servers were
conducted
(http://www.onion-router.net/Publications.html#locating-hidden-servers)
In that case we controlled the requesting client so could easily drop
the circuit without doing anything otherwise odd.  But I don't see why
any entry or exit node can't simply stop sending if a colluder is not
detected on the other end.  Then he can close the circuit or others
on the circuit will close it for him, and there will be no easy way to
recognize that node as the culprit.  One coud construct testing and
reputation mechanisms to recognize nodes that do this flagrantly and
repeatedly. But some of us have worked on that and it can get tricky
quickly, plus framing other nodes becomes a big issue.

aloha,
Paul
-- 
Paul Syverson                              ()  ascii ribbon campaign  
Contact info at http://www.syverson.org/   /\  against html e-mail