[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Sampled Traffic Analysis by Internet-Exchange-Level Adversaries



On Mon, May 28, 2007 at 03:36:05AM -0700, coderman wrote:
> you state "an assumption that the global passive adversary is
> unrealistic".  is this really true in anonymity research circles?

The convention in anonymity research is to assume a global passive
adversary, since then any system shown to be secure under that model
is probably secure in the real world. The problem with this approach
is it eliminates all practical low-latency designs, hence the weaker
threat model adopted by Tor.

I do think that a global passive adversary is stronger than the real
world situation. For example, such an adversary could read traffic
between two computers in my office, which I suspect is outside of the
NSA's capabilities, unless I were targeted for special attention.

The actual capabilities will probably lie somewhere between the two
extremes. Sometimes your connections through Tor will go via enough
monitored nodes to be tracked, sometimes they won't. The interesting
question is the relative proportion between the two quantities, and
how to change it for the better.

> i am also curious if you had considered lower layer propinquity of
> physical paths.  

I had thought about that aspect, but given the shortage of space
didn't include it. Perhaps I should for the final version. Traceroute
gives a more accurate picture of topology the BGP data (in that it
shows up IXes), but it is still not "true". 

For example, it only discovers devices which reduce the IP TTL, and so
will not find MPLS links or long-haul layer-2 VLANs. Then, as you
point out, it could be that seemingly disparate traffic is going
through the same cable-tunnel, if not the same fibre.

On Mon, May 28, 2007 at 03:47:22AM -0700, coderman wrote:
> one more comment that ties into your mention PCIe bus limitations.
> previous research on monitoring high speeds links has shown FPGA
> devices well suited for header and deep packet inspect at line rates
> up to 10GigE for hundreds of snort style  filter rules. this
> approach scales in a linear fashion.

The point behind that section was to dispel the myth that traffic
analysis is easy, because you can just run tcpdump on off-the-shelf
hardware. Actually, on high-speed links it requires serious
engineering effort to even capture the data, let alone store it. That
said, there is demand for such capabilities and given enough hardware
it is possible.

Thanks,
Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/

Attachment: pgp0mDp17CYkv.pgp
Description: PGP signature