[tor-talk] Shaping Tor's traffic
On Mon, Nov 17, 2014 at 09:46:37PM +0000, Gareth Owen wrote:
> Just to let you know, I am also giving a talk at 31c3 on Tor, but my talk
> is focussing on a research project we did on the Tor HS DHT. I was also
> planning to talk a little about the Tor Research Framework and an
> accessible overview of correlation attacks - if time permits.
Excuse me picking up a very old mail, but the question I have
may (a) be of general interest and (b) possibly be answered by
someone other than Gareth Owen, the presenter.

There was just one slide at the end of the talk where it occurred
to me that my understanding of Tor felt in disagreement with the
The slide states that "Traffic confirmation attacks are MUCH
more powerful" which makes sense to me, but then Gareth says
that it would take a user to bump into a "dodgy guard relay"
run by the same attacker that also runs the hidden service
in order to de-anonymize a user accessing that hidden service.
Gareth follows up saying you can de-anonymize a fraction of
hidden service users that way.
Later Gareth says "As the attacker you need to control the
hidden service's guard node to do these traffic correlation

From my understanding it isn't necessary to *control* any
of the guard nodes, it is fully sufficient to be able to
measure or shape the patterns of traffic moving between
the guard node and the calling user or the hidden service
respectively. So essentially any surveillance infrastructure
monitoring intercontinental traffic may be able to detect
or shape such traffic if the guard nodes happen to not be
network topologically close to their respective users.

The only protection I see against that would be if either
the user is generating plenty of other traffic between her
node and the guard node while accessing the hidden service,
or if the hidden service is so popular, it is being talked
to by several circuits coming from the same guard. And how
much of a protection that can be would be subject to research.
To me it sounds like it would just take more time to correlate.

So, from the perspective of a global active adversary doing
traffic shaping, the general procedure to me sounds like this:
1. you run confirmation attacks long enough until you have
singled out the IP address of the not so hidden service;
2. you run heavy weaponry against its guard nodes in order
to get control over the software, allowing you to start
distinguishing individual circuit activity patterns
(this step would only be necessary if the targeted hidden
service is very popular);
3. you pick out specific tor users and shape their traffic
entering their entry nodes to see if those patterns pop
out on the way to the hidden service - or the other way
around, you shape the traffic going back to the user.

Is there anything wrong with my assumptions, or is Gareth
right that it takes p0wnage of *both* guards in order to
de-anonymize people? Or is the truth somewhere in-between,
in the sense that we don't know how well shaping attacks work?

I also wonder, if you're a really good global active attacker,
you should be able to spot the traffic you shaped anytime it
crosses your surveillance infrastructure again... so you should
have a plausible chance of figuring out which websites a user is
I understand the Tor network fluctuates a lot concerning latency
and throughput, so the attacker would have to do quite aggressive
shaping, buffering not so little amounts of data, sending specific
amounts of bytes then introducing pauses of significant duration.

But I'm just theorizing, and maybe Tor has some provisions to
protect against traffic shaping that I am not aware of. That
would explain Gareth's statement. I just grepped through a year
of mailing lists and didn't find traffic shaping discussed much
at all. Maybe "shap" wasn't the suitable search expression.
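The cover-traffic question raised in the mail above (how many unrelated circuits on the same guard link it takes to drown a shaped burst/pause pattern) as an added toy simulation; this is not code from the original mail or from the Tor project, and it assumes per-slot byte counts with uniform jitter, one uniform(0,1) volume per unrelated circuit, and a Pearson-correlation threshold of 0.5 as a stand-in for a real confirmation test.

```python
import random

def make_signature(slots=200, burst=8, pause=4):
    """Shaped sending pattern: 1 = bytes sent in this time slot, 0 = deliberate pause.
    Repeats a burst/pause cycle ("specific amounts of bytes then pauses")."""
    cycle = [1] * burst + [0] * pause
    return [cycle[i % len(cycle)] for i in range(slots)]

def observed_series(signature, cover_flows, rng, jitter=0.3):
    """Byte volume per slot at the far end of the guard link: the shaped flow,
    smeared by per-slot jitter, plus cover_flows unrelated circuits on the same link.
    Assumption: each cover circuit adds an independent uniform(0,1) volume per slot."""
    series = []
    for s in signature:
        vol = s * (1.0 + rng.uniform(-jitter, jitter))
        vol += sum(rng.random() for _ in range(cover_flows))
        series.append(vol)
    return series

def correlation(a, b):
    """Pearson correlation between the injected pattern and the observed volumes."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0
    return cov / (var_a * var_b) ** 0.5

def confirmed(signature, observed, threshold=0.5):
    """Would an observer using this threshold claim the pattern re-appeared here?"""
    return correlation(signature, observed) >= threshold

def cover_flows_needed(signature, rng, threshold=0.5, max_flows=100):
    """Smallest number of cover circuits at which the pattern no longer clears the
    threshold in this toy model; None if max_flows is not enough."""
    for k in range(max_flows + 1):
        if not confirmed(signature, observed_series(signature, k, rng), threshold):
            return k
    return None

def run_demo(seed=2014):
    """Deterministic run: correlation with 0 and 40 cover circuits, plus the break-even count."""
    rng = random.Random(seed)
    sig = make_signature()
    clean = correlation(sig, observed_series(sig, 0, rng))
    busy = correlation(sig, observed_series(sig, 40, rng))
    return clean, busy, cover_flows_needed(sig, rng)

if __name__ == "__main__":
    clean, busy, needed = run_demo()
    print(f"no cover traffic: r={clean:.2f}; 40 cover circuits: r={busy:.2f}; "
          f"cover circuits needed to drop below 0.5: {needed}")
```

The break-even count is only a property of this model; with real Tor cells, variable latency and an adversary that buffers and re-times traffic, the figure would have to be measured, which is exactly the open question the mail raises.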