
Fwd: (Theory) The BGP exploit: Effects on Tor routing and overall anonymity?



Hi All,

I'm sorry for the cross-post, but I felt this was relevant (and an interesting thread!).
Alex Pilosov (one of the presenters for this BGP exploit) hangs out on  
our list, so I cross-posted this thread to the NYC*BUG-talk list, and  
below is Alex's short response.
Best,
.ike


(For the record, the NYC*BUG Talk mailing list and archives can be found at: <http://www.nycbug.org/index.php?NAV=MailingLists>)
On Fri, 29 Aug 2008, Isaac Levy wrote:

Hi All,

So this is a bit of a cross-post, I thought it was relevant/interesting,
since we've all been buzzing about our very own Alex, and the wild Defcon
demo on scary BGP re-routing; and many folks here have an interest in the
TOR network.

ike-summary:

- Essentially, the first poster asks if the BGP attack could be used to
break TOR anonymity.

- The second poster explains a quick no, and then a sort of 'yes but
it's not in the realm of sanity', in good detail.

The second poster is correct.

-alex






Begin forwarded message:

From: "John Brooks" <aspecialj@xxxxxxxxx>
Date: August 29, 2008 1:46:30 AM EDT
To: or-talk@xxxxxxxxxxxxx
Subject: Re: (Theory) The BGP exploit: Effects on Tor routing and overall anonymity?
Reply-To: or-talk@xxxxxxxxxxxxx

The short answer is no, not much. The long answer is a lot longer than that, so get ready :P
This would serve the person intercepting the traffic in near exactly  
the same way it does the operator of the node - entry nodes know the  
client, middle nodes know the entry and exit nodes, exit nodes know  
the destination (and the traffic to that destination). You would  
still need to intercept a significant number of nodes before being  
able to break anonymity and tell which users are responsible for  
what traffic - which is a problem because the entire reason this  
attack works is that it targets more specific IP blocks. That many  
announcements (for various nodes) would be pretty easy to see. If an  
attacker were able to intercept traffic on the entry and exit nodes,  
or the client and destination, they could use timing and bandwidth  
correlations to tell (with high probability) that this client is  
accessing this destination. But this is no different from an  
attacker with control of the entry node or exit/destination.
The only way to make use of it that doesn't involve guessing at what  
nodes are in use would be to start at one end and work backwards or  
forwards in realtime. Essentially, you start by intercepting traffic  
to a target destination, then intercept traffic to the exit node  
contacting that destination, then intercept traffic to the middle  
node contacting that exit, then the entry node contacting that  
middle node, and finally to the client. The problem here is that  
you'd need a consistent (and obvious) traffic pattern sustained  
throughout that time (which would be long, due to the large amount  
of traffic most nodes handle and that BGP is not instantaneous),  
which is not generally true of HTTP requests. The complexity of such  
an attack would be problematic, and it still involves quite a lot of  
guesswork.
So no, this isn't a significant risk to Tor anonymity, it's at best  
a quicker way to intercept traffic and follow a node path to its  
source, and I would be amazed if that were pulled off successfully.  
Remember that this exploit only allows you to intercept traffic *to*  
a specific destination, and in that situation you have no more  
information than the real destination does (less, in fact, because  
you don't see the traffic going the other direction unless you  
intercept that too).
- John Brooks

On Thu, Aug 28, 2008 at 11:21 PM, F. Fox <kitsune.or@xxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Once I read about the recent BGP exploit (
http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html ) - which has the potential to re-route the traffic of millions of users - I had a
question, from a theoretical standpoint:

If such siphoning drew in traffic passing in between Tor nodes, would
this have an effect on reducing anonymity for the users having their
traffic relayed by these nodes? If so, how?

- --
F. Fox
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com

Note 2008/08/19: I lost my old GPG keypair, and have generated a new
one. Authenticity can be verified by checking the ContactInfo on kitsune.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBCAAGBQJIt4dHAAoJECxKjnsrYHNHl8AP/3U3VKRjmft8SADOPJtOPdIt
HCBbf60VSDTCPVnfKiDNQ7GmYDzUPeYX763qkPO6/yds/As6mwbIWYhtrMlGyX63
0JhvWVnQdNDHQ2begsX4tHVJwck1+e3jCawoo9Z5uydKomJbPL3JNkxQ1RYQ5aKD
sq1z5Ha27FpxB3kA9GjbcgrpIaQTCaBEY+vVtDtT+zQdmFSaBsWNuPhs/7Iq2Lum
8AZwXMKElGIZICjMjf76Otdevkday40bgjPohliRfG9Yz5v5OHQLNI95GuI4YCxr
aqLV7Q8aoqGEwkxkPYvBlMSV/F+0Q7Xwa9p+XgdSNtAhh4Q2dG7tdmOKPnOAEQzG
1aKtFFFwKJgOK0YsvutB/l5ePgqv4WtM/CUHmcQViUT/1EwvgTDxOMV2MAwHAAmz
TDSpnbgweWwbWy/BME76zECvJGJalOqXo2XOioKRGP2KAWjK4bQvtZaTvKCf3CVI
cvJ/we8eQmqKRuBiFU6yQNcgzpx3Q5XMvyQi5FYB8X+HWH9oFNBSVFpN4jRVf0Dm
RWNgx3XxejT1BzE7oRrQ19iAvT6q0jozhKayLbMWRlhE0NAeH9FuN7peAlS3CnGw
MEWSEaS1xTxw3+vWUbWpJSisELqI19xkFWO5y7ThsoQGuCbMxZ4Zut0z8MVciQ2v
yHquFwNAvmzRWYyOaamj
=cnNg
-----END PGP SIGNATURE-----
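An added illustration of two points John makes above (this is example code written for this archive page, not code from any poster or from Tor or the BGP talk): a more-specific announcement wins longest-prefix-match route selection, so one hijacked /24 is enough to pull traffic *to* one relay; but every relay the attacker wants to see costs another announcement covering a known relay address from the wrong origin AS, which is exactly what a monitor that knows the relay list and the legitimate origins can flag. The prefixes, AS numbers and relay addresses are constructed for the example; the hijacked prefix length (/24) is an assumption about what transit networks would accept.

```python
"""Toy model: longest-prefix-match route selection vs. a relay-aware monitor.

All prefixes, AS numbers and relay addresses here are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int


class RoutingTable:
    """Minimal BGP-style table: every announced route is kept, the most
    specific covering prefix wins on lookup."""

    def __init__(self):
        self.routes = []

    def announce(self, prefix, origin_as):
        route = Route(ipaddress.ip_network(prefix), origin_as)
        self.routes.append(route)
        return route

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


# Constructed data: two providers each originating a /16, three relays of a circuit.
LEGIT_ORIGINS = {"10.1.0.0/16": 64500, "10.2.0.0/16": 64501}
RELAYS = {"10.1.5.10": "entry", "10.1.9.200": "middle", "10.2.7.77": "exit"}
ATTACKER_AS = 64666  # constructed


def build_table():
    rt = RoutingTable()
    for prefix, asn in LEGIT_ORIGINS.items():
        rt.announce(prefix, asn)
    return rt


def hijack_relays(rt, relay_ips, attacker_as=ATTACKER_AS):
    """Announce the covering /24 of each target relay from the attacker's AS.
    Returns the set of prefixes announced (one per distinct /24 touched)."""
    announced = set()
    for ip in relay_ips:
        more_specific = ipaddress.ip_network(f"{ip}/24", strict=False)
        if more_specific not in announced:
            rt.announce(str(more_specific), attacker_as)
            announced.add(more_specific)
    return announced


def captured_relays(rt, attacker_as=ATTACKER_AS):
    """Roles of the relays whose inbound traffic now lands at the attacker."""
    return {role for ip, role in RELAYS.items() if rt.lookup(ip).origin_as == attacker_as}


def suspicious_announcements(rt):
    """Monitor: flag every route that covers a known relay address but is
    originated by an AS other than the legitimate origin of the enclosing
    block. Each hijacked relay shows up as at least one flagged route."""
    flagged = []
    for r in rt.routes:
        if not any(ipaddress.ip_address(ip) in r.prefix for ip in RELAYS):
            continue
        legit = next((asn for p, asn in LEGIT_ORIGINS.items()
                      if r.prefix.subnet_of(ipaddress.ip_network(p))), None)
        if legit is not None and r.origin_as != legit:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    rt = build_table()
    print("captured before hijack:", captured_relays(rt))
    hijack_relays(rt, ["10.1.5.10", "10.2.7.77"])  # entry and exit only
    print("captured after hijack: ", captured_relays(rt))
    print("routes flagged by monitor:", len(suspicious_announcements(rt)))
```

Capturing the entry and exit of one circuit takes two visible announcements; capturing the middle as well takes a third. Nothing here gives the attacker more than the hijacked relay's own view of its inbound traffic, which is the point of the reply above: the interception is only a faster way to stand where a node operator already stands.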