[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?
From: Pascal <Pascal666@xxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 21 Apr 2012 13:41:21 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 21 Apr 2012 14:41:43 -0400
In-reply-to: <4F92F6FA.7080006@xxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4F92F6FA.7080006@xxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Thunderbird/3.1.20

MAC addresses are used by layer 2 protocols (seehttps://en.wikipedia.org/wiki/OSI_model ). Once an IP packet traversesa layer 3 device (such as a router) the srcMac has been changed to thatof the router's egress interface. Unless your ISP provided your router,srcMac identifies only which router the packet came from, not theparticular client.

Decent routers randomize source ports to prevent traffic correlation(makes it harder to confirm that two streams from the same router camefrom the same client).

If you need deniability, don't use an ISP provided router, make sureyour router randomizes source ports, and have an open guest wifi network(though obviously make sure the guest network can only access theInternet, not your LAN).


-Pascal


On 4/21/2012 1:05 PM, Ondrej Mikle wrote:

If the ISP's records store [srcIP, srcPort, srcMac, dstIP, dstPort, size,
startTime, endTime] for every TCP connection, then it's definitely doable; note
that srcMac is MAC of client visible from ISP's side of the router to internet
(so that clients behind NAT can be identified, though the srcPort gives that
away, too).

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?
  - From: Ondrej Mikle
- Re: [tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?
  - From: Phillip

References:
- [tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?
  - From: Ondrej Mikle

Prev by Author: Re: [tor-talk] Problem with TransPort etc.
Next by Author: Re: [tor-talk] access sites
Previous by thread: [tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?
Next by thread: Re: [tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?
Index(es):
- Author
- Thread