
Re: [tor-talk] Traffic shaping attack




Roger Dingledine <arma@xxxxxxx>:

>> Let's assume that the service is extremely popular, with over 6 terabytes 
>> of traffic each day, and a gigabit port almost constantly saturated.
> 
> This assumed scenario seems extremely unlikely to be happening in
> practice. First because there aren't any relays that are doing 1gbit/s
> of traffic, so no onion service would be able to do that to its guard
> (unless it used many entry guards and spread the load over them, in which
> case it would be screwing its own anonymity). And second because the
> graph at https://metrics.torproject.org/hidserv-rend-relayed-cells.html
> shows there's only something like 1.4gbit/s of onion service traffic in
> the whole network. And third because scalability issues in the current
> design make onion services unable to keep up with the number of users
> that you're describing.

Actually, I blindly repeated what the site admin published:

"I strongly suspect it's the highest traffic site ever to exist on Tor. 
That's why it's gotten so expensive to run, we use close to 100% of a 
gigabit internet port much of the time, pushing well over 6 TB of traffic 
per day."

I'm not sure if it's true (and from what you say, it seems it's not), but 
the site is very active anyway.

>> This is not a theoretic attack. This is something that has been noticed 
>> on one of the illegal sites and I expect many busts around the globe in the 
>> coming weeks.
> 
> More details please?

A couple of users recently noticed this repeatable pattern during 
downloads. From what they said, downloads from this site were always 
smooth and, although the speed has always been fluctuating, it rarely 
stopped completely, and even if it did, it was random. Now, when it 
occurs (because it doesn't occur every time), it occurs perfectly 
repeatedly.

To quote one of the users: "Yes, speed can vary, it is normal and observed 
everywhere in Tor, but it is NOT frequent INTERRUPTS. Normally speed 
changes monotonically, so if interrupt happens, it happens only after the 
speed decreased to just a few KB/s. If speed is perfect, very high, and 
then sudden interrupt happens, it is a very worrying sign. This may be a new 
FBI technique."

> This is not a crazy possibility, but it would be good to know exactly 
> what evidence we have for its being true.

The only evidence I have is how the site started to behave, and what 
the users noticed.

> For example, if somebody noticed "I get a burst of cells from this onion 
> service, then a few seconds of silence, then I get another burst of 
> cells", that's actually a property of our current load balancing 
> algorithm, and not necessarily evidence of an intentional signal being 
> injected into the circuit.

When does this load balancing algorithm start to work? When is it used (to 
balance load between what and what?), and what can be the reason it 
started to behave that way only recently?

-- 
Oskar Wendel, o.wendel@xxxxxxxxxxxxxxxxx
Pubkey: http://pgp.mit.edu/pks/lookup?op=get&search=0xB5E3846CD40F08E3

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk