[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Loops show DHS run Nodes, flood takeover

To: or-dev@xxxxxxxxxxxxx
Subject: Loops show DHS run Nodes, flood takeover
From: "Wilfred L. Guerin" <wilfredguerin@xxxxxxxxx>
Date: Sat, 20 Oct 2007 15:48:32 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-dev-outgoing@xxxxxxxx
Delivered-to: or-dev@xxxxxxxx
Delivery-date: Sat, 20 Oct 2007 15:48:40 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:reply-to:to:subject:mime-version:content-type; bh=x4r43KCnoMGKQ3alDkfJ2CSoc9zkHxYzpIKdCZAHVyQ=; b=ru7RSQAbs4uRp3iEMVPLqMHjeCGhyHjLFS02m4RKecRTfIFP8TJRkSh3vmWJYeB6NGYqV35A2J0Gh2ARD9iUsjPkhCQneaItsvwQY+D7W/Dxj74eaJ682BdoNGOwzdvLcgar58On8cnfltAIgtWlbMFIUSRKjydrA5j7dpw5DIk=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type; b=trhbiLlBzCfiJH12UhWj9gn5MhW+h7xOCqd87B5NK92tBL25TLYmZXN/GeJdaO7WQaiwQeqbtM8xtdQnjpNZw/JLlmqHQCGp817bhRmTYDkkXVLs8jM4OBELxYEXK6lOxO1ZChboBPwQUgQ6F7aycK/yVsNwBascDhMLBrF4vgY=
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx

A brief cycle of loopbacks was run this past week and the models run against public databases.

There is a huge influx of new nodes with slightly-above-average characteristics over the last few weeks at most, all of which have close to identical processing and bandwith characteristics abnormal to real implementations.

Many of the highest correlations point at american DHS and USSS (cybercrime) counterparts in close physical proximity as well as a large set of British interpol spiders.

When the entire block is allocated to a specific client, it is only obvious when they assign one ip of the range to the tor node on many hundred client units using the public tor master list...

In short, someone has taken the que from the "spy nodes" issue of last month and is attempting to flood the TOR mixer out of service.

This is a little more problematic than such things as https key negotiation on the same wire, or million-bit encryption around a 56 or (much) less bit key like we saw in anguilla a decade ago, since it explicitly authorizes what is correlary to a denial of service attack against the operational mechanisms of the TOR system as defined.

Has anyone further analysis of this problem?

Flooding out the media is IBB and BBC's job, but since it is heirchial and structured from a single source, the MIM of google or mass media sources and quarentine/isolation is not beyond their authority, but a public source system that employs only donated elements should NOT be attacked in the same manner. No mention of ISP dns registrations for update.windows...

Please advise

-Wilfred L. Guerin
WilfredGuerin@xxxxxxxxx

Prev by Author: Comments on Proposal 105 -- handshake-revision
Previous by thread: Where do nodes change from bandwidth limited to CPU limited?
Index(es):
- Author
- Thread