
Re: Low-Cost Traffic Analysis of Tor



Thus spake Steven J. Murdoch (tortalk+Steven.Murdoch@xxxxxxxxxxxx):

> One of the advantages of Tor is that it is sufficiently open and
> widely deployed enough to run "real-world" anonymity experiments. Last
> year, myself and George Danezis performed traffic analysis on Tor to
> test the attack potential of weaker adversaries. This paper has now
> been accepted for a conference, the 2005 IEEE Symposium on Security
> and Privacy (Oakland). It isn't a full and general attack on Tor as
> the basic attack only gives path information, not the address of the
> originator, but we think it does provide some interesting results.
> 
> The paper can be found here (PDF 364K):
>  http://www.cl.cam.ac.uk/users/sjm217/papers/oakland05torta.pdf

Really nice work! I do have a few questions about the results, though,
if you have the time:

Why do some target nodes yield such drastic results? For example,
were there any particular properties of C, K, and L (and perhaps A)
in Figure 4 that might explain why the technique worked so much better
on them? Were these nodes already operating at full capacity or
operating on really low-bandwidth/high latency links? Or is there some
other explanation?

What is your estimate on the minimum amount of time the pseudorandom
traffic from the corrupt server must run in order for results to be
picked up by the probe server? 

What is the nature of the 'echos' that might cause false positives to
which you refer? It would seem to me that echos would be lulls in
traffic propagating to other nodes that would normally be receiving
non-generated relayed data. In this case, would they really cause
false positives? Or am I confused on the nature of the echo effect?


Thanks for posting this paper, it was very interesting and
illuminating.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs