[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: How would tor defend from this attack?




Your proposal is quite realistic, though to get good bi-directional bandwidth would probably cost a lot more than you project, as you'd want colocated servers, not servers on DSL lines.


I believe that the exit nodes are one of the weakest points in a Tor network. If you don't know who is operating them, they can do all kinds of monitoring, modification and other mayhem (eg. inject zero day exploits and malware into your browsing traffic).

Ways to route traffic through "trusted" exit nodes, and ways to provably show that routes are via independent operators is probably useful. This line of thinking moves one toward contracts, companies, etc.

The other approach is to have so many routers that a Sybil attack is not possible. But that means turning every user into a Tor node. I still maintain that unknown exit nodes are dangerous even in a world with 100,000 Tor nodes or 1 million nodes.



At 9:57 PM -0800 3/6/07, Michael_google gmail_Gersten wrote:
So here's an idea for an attack on tor.

We recently saw a paper that said that someone who puts in a lot of
routers, claiming to have high bandwidth, can correlate senders and
destinations, exposing the traffic analysis that tor is trying to
defend against. And, a response from the maintainers -- doing that
leaves a lot of tracks.

What about a real set of routers?

Right now, it looks like the network of tor routers is such that 50
high speed routers will be able to be that >10% of the network, and
determine the senders/receivers of traffic.

How big of an attack is this? 50 headless machines, at $400 per
machine, $20,000. 50 network connections at $50/month, $2,500 per
month. $30,000 per year.

$50,000 for the first year, and what happens?

Tor gets a lot more bandwidth. Tor looks to be expanding at a good
rate. And tor's effectiveness is compromised, completely. Heck, it can
even be done by law enforcement, or even by China, so that they know
who to go after.

And, since exit nodes see a lot of unencrypted traffic, this means
that it becomes easier, not harder, to watch someone. Right now, for
example, it's hard to grab the traffic from someone elsewhere on the
internet, but if you know that they use tor, then you can run an exit
router and have a chance to see what they do. Run enough routers, and
you can grab a large portion of their traffic.

As much as tor is trying to protect privacy, is it time to ask the
other question: Does tor make it much easier for a large organization
to start restricting privacy?

$50,000 may sound like a lot, but consider what can be generated for
an "anti-pedophile" group -- a private organization saying "Protect
the children!". Or ... well, the point is, that's relatively cheap. It
doesn't take a government level spending to do that -- it's even in
the range of the corporate espionage budget of a large multi-national
company.

How can tor defend against something like this?