
Re: [tor-talk] Traffic shaping attack



On Sat, Mar 19, 2016 at 04:02:53AM +0100, coderman wrote:
> On 3/19/16, Oskar Wendel <o.wendel@xxxxx> wrote:
> >...
> > Let's set up a service in a way that it will modulate the traffic, so the
> > download would look like:
> > [ some distinct signaling here...]
> 
> yes; it's a traffic confirmation attack, and by interrupting the flow
> you confirm that the endpoints in question are involved in that flow.

Right. This general idea of a traffic confirmation attack is an issue
to consider for any low-latency system.

One of the questions to ask is how many points you need to watch in order
to be in a position to launch the attack. This is where Tor fares better
than centralized approaches like VPNs or single-hop proxies, and it's
Tor's best line of defense here.

Another question to ask is whether there will be false positives in the
statistics, i.e. how often your analysis says "yes, match" when actually
it's mistaken. In your scenario, the adversary is doing an active attack
on the traffic, so while I think it's legitimate to speculate about
how false positive rates maybe get high when you're looking at many
Tor flows across many relays (the NSA scenario -- and we even have a
document from an NSA analyst being frustrated by the false positives),
I think it's fair to say that if you generate the signals clearly enough,
false positives will be much less of a worry.

The third question you might ask is: can I inject these signals in a
way that they're still recognizable to me, but observers don't realize
that anything weird is going on with the traffic? That is, can I do
this active traffic modulation attack but still be undetectable? For
that topic, check out these papers:
http://freehaven.net/anonbib/#ndss09-rainbow
http://freehaven.net/anonbib/#ndss11-swirl
http://freehaven.net/anonbib/#pets13-flow-fingerprints

--Roger
