Re: [tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?

MAC addresses are used by layer 2 protocols (see https://en.wikipedia.org/wiki/OSI_model). Once an IP packet traverses a layer 3 device (such as a router), the srcMac has been changed to that of the router's egress interface. Unless your ISP provided your router, srcMac identifies only which router the packet came from, not the particular client.

Decent routers randomize source ports to prevent traffic correlation (makes it harder to confirm that two streams from the same router came from the same client).

If you need deniability, don't use an ISP-provided router, make sure your router randomizes source ports, and have an open guest Wi-Fi network (though obviously make sure the guest network can only access the Internet, not your LAN).


On 4/21/2012 1:05 PM, Ondrej Mikle wrote:
If the ISP's records store [srcIP, srcPort, srcMac, dstIP, dstPort, size,
startTime, endTime] for every TCP connection, then it's definitely doable; note
that srcMac is MAC of client visible from ISP's side of the router to internet
(so that clients behind NAT can be identified, though the srcPort gives that
away, too).
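
One way to check the source-port randomization advice above, as an added example that is not part of the original messages: the hypothetical `classify_nat_ports` takes (internal port, external port) pairs, where the external port is what a host outside the router reports seeing, and flags port-preserving or sequential allocation. The pool bounds, thresholds and sample data are assumptions constructed for illustration.

```python
import random

POOL_LOW, POOL_HIGH = 1024, 65535        # assumed NAT port pool
POOL_SIZE = POOL_HIGH - POOL_LOW + 1

def classify_nat_ports(observations, small_step=64, threshold=0.8):
    """observations: [(internal_port, external_port), ...] in connection order.

    internal_port is the client's own source port; external_port is the
    source port a host beyond the router saw for the same connection.
    """
    if len(observations) < 10:
        raise ValueError("need at least 10 connections for a meaningful result")
    # Port preservation: the router reuses the client's own source port, so
    # the client's port sequence is visible upstream unchanged.
    preserved = sum(1 for inside, outside in observations if inside == outside)
    if preserved / len(observations) >= threshold:
        return "preserved"
    # Sequential allocation: each new mapping sits a small step above the
    # previous one (modulo the pool, to handle wrap-around).
    externals = [outside for _, outside in observations]
    deltas = [(b - a) % POOL_SIZE for a, b in zip(externals, externals[1:])]
    small = sum(1 for d in deltas if 0 < d <= small_step)
    if small / len(deltas) >= threshold:
        return "sequential"
    return "randomized"

def constructed_samples(kind, n=40, seed=1):
    """Constructed test data, not captured from any real router."""
    rng = random.Random(seed)
    inside = [rng.randint(32768, 60999) for _ in range(n)]
    if kind == "preserved":
        outside = list(inside)
    elif kind == "sequential":
        outside, port = [], 20000
        for _ in range(n):
            port += rng.randint(1, 3)    # other LAN clients take ports in between
            outside.append(port)
    else:
        outside = [rng.randint(POOL_LOW, POOL_HIGH) for _ in range(n)]
    return list(zip(inside, outside))

if __name__ == "__main__":
    for kind in ("preserved", "sequential", "randomized"):
        print(kind, "->", classify_nat_ports(constructed_samples(kind)))
```

A "preserved" or "sequential" result means the router is not randomizing source ports.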