On Wed, 24 Nov 2010 18:38:23 -0800 "Theodore Bagwell" <toruser1@xxxxxxx> wrote: > We recently discussed an attack on onion-routing anonymity, wherein a > well-funded adversary overwhelms the network with compromised relays, > thereby increasing his chances of monitoring anonymity-compromising > data. > > I don't mean to alarm anyone, but I just did some quick-and-dirty > research that suggests such an attempt may already be under way. I hope > to be proven wrong. > > I postulated that such an attacker would mass-deploy his relays in a way > that did not lend a whole lot of uniqueness to the name of each relay*. > The relay names would probably be random characters, numbers, or words > at best. At sloppiest, they would just be one name with sequential > numbers after it - "AnonymityAttacker001, AnonymityAttacker002, > AnonymityAttacker003, etc." > > So, I decided to look for such patterns in the list of Relays available > in my Tor console. A quick scan revealed what appeared to be either (A) > mass-deployments of Tor relays by a singular entity, or (B) > astronomically-unlikely coincidental naming schemes adopted by dozens of > disparate and unconnected individuals.** Several people and organizations run multiple Tor relays with obviously similar names. They generally do not try to hide their identities or the connections between their relays. See <http://torstatus.blutmagie.de/> for an easily browsable list; click on the name of a relay to see more detailed information about it, including the ContactInfo value, if any, specified by the relay's operator. Entities which operate multiple Tor relays can, usually should, and often do use the MyFamily torrc option to indicate that their relays are run by a common operator. If two relays list each other in their MyFamily directives, your Tor client will not include them in the same circuit. Unless you have turned off the EnforceDistinctSubnets torrc option, your Tor client will also not include two relays in the same /16 network in a single circuit. > But it wasn't just finding these relays that concerned me. It was Tor's > affinity for routing through them. > > See, I began closing my open circuits systematically. I kept records of > any circuits which contained PPrivCom___ or torserversNet_ relays in it. > I closed and recorded 43 circuits. Here are my findings: > > While Tor indicated it had 1665 relays to choose from, 79% of my > circuits used one of the suspicious relays. 2% of my circuits used two > suspicious relays. 0% of my circuits used three suspicious relays. > > Of the circuits I recorded, only 21% did not route through a suspicious > relay. Tor weights its node selection according to node bandwidth, as specified in the consensus. The consensus, in turn, provides bandwidth values measured by the âbandwidth authoritiesâ. This weighting is necessary to balance load fairly throughout the Tor network. There should be multiple bandwidth authorities running, operated by people whom the Tor Project and the directory authority operators trust; as I understand it, there is currently only one running bandwidth authority, but the Tor Project is working on getting others back online. > My conclusion is that someone (a security researcher? A hobbyist? A > government?) is actively toying with the feasibility of attacking Tor's > anonymity. According to my statistics, they may also be gaming Tor's > affinity for choosing relays*** because they have, unquestionably, > succeeded in relaying 79% of my circuits despite controlling a mere 2.8% > of the relays in the Tor network. The relay families which you have complained about are most likely not controlled by a single organization, and the organizations that control them are most likely not trying or planning to attack Tor or its users. > How dangerous is it if two of the three circuit relays are compromised? A passive attacker can use some combination of the following capabilities to try to link you to the Internet server you access using a Tor circuit: * The ability to monitor the TLS connection from your computer to your guard node for the circuit. * The ability to monitor the Tor circuit at your middle node (by controlling the middle node and monitoring/logging its internal state). * The ability to monitor the TCP connection from your exit node for the circuit to the server you are accessing. There are other capabilities which an attacker could have, but I think the three I have listed are sufficient for this discussion. An attacker who monitors the TLS connection from you to your guard node and the TCP connection from your exit node to the server can link the endpoints of your connection using timing alone. There is no point in considering the more precise attacks that can be performed by controlling your guard node and/or exit node themselves; if an attacker monitors both you and the server you are connecting to, you lose. An attacker who monitors the Tor circuit at your middle node and the TCP connection from your exit node to the server can link the connection at the server to your guard node for the circuit. This will not provide your IP address to the attacker. However: * An attacker who knows one of your guard nodes may be able to begin monitoring the guard node's incoming connections. * An attacker who knows all three of your current guard nodes, can monitor the middle node on another Tor circuit, and sees that it originates from a guard node you are not currently using, can determine that you did not open that Tor circuit. This is a surprisingly damaging attack, especially if your Tor client has chosen one or more low-bandwidth (and therefore relatively unpopular) guard nodes. An attacker who monitors the TLS connection from you to your guard node and the Tor circuit at your middle node may later gain access to logs kept by the server you are accessing, match the IP address and times of connections to the server with the times at which you opened TCP connections through the Tor circuit, and thereby determine what requests you sent to the server. > What recourse do we have? Can someone more knowledgeable shed more light > on this? There are several torrc options that you can set if you are afraid of certain relays -- ExcludeNodes, ExcludeExitNodes, StrictNodes, StrictExitNodes, NodeFamily, and perhaps others. ExcludeExitNodes may be useful if you find that an exit node is misbehaving and is not yet flagged as a BadExit. I strongly recommend that you DO NOT set any of these directives, with the possible exception of ExcludeExitNodes, if you are *very* certain that a particular exit node is actively malicious. All of the above options will change the probability distribution from which your Tor client chooses circuits. If you blacklist a few low-bandwidth relays, you probably won't change the distribution noticeably, but you won't improve your security noticeably, either. If you blacklist one or more of the major families of high-bandwidth Tor relays and/or exits, you will change the distribution quite noticeably, and you will make yourself quite distinguishable from normal Tor users. The most obvious way in which choosing circuits from an unusual probability distribution can hurt you is through the distribution from which you choose exit nodes. An adversary can capture and examine a particularly sensitive server's logs, notice that someone is accessing it only through relatively low-probability Tor exits, and then go look for logs from less sensitive servers to which you might have given information that readily identifies you. If the adversary knows that someone is posting information they want to suppress to a blog or forum through low-probability Tor exits, and then finds that Fred Foobar routinely accesses a shopping site through the same low-probability Tor exits, Fred Foobar is in trouble. There is another, somewhat less obvious way in which choosing circuits from an unusual distribution can hurt you -- if you routinely download large files from an adversary-monitored server through high-bandwidth exit nodes, but low-probability, low-bandwidth middle nodes, the adversary may be able to detect this fact from the server alone, and use it to link your connections together. I assume that choosing circuits from an unusual distribution can allow other attacks as well. In general, the Tor developers try to avoid making different clients' circuit distributions distinguishable, and would prefer that you not make your Tor client's circuit distribution distinguishable yourself, even if there is no obvious way that your particular change will allow an attack on your anonymity. > * Of course, the well-organized attacker would go to the trouble to > construct names that truly blended in with the Tor namescape - such > as,"MrSpudRelays, QueenAnnesRevenge, SteveKenpIsMyHero, and so forth." The Adversary would like to thank you for providing those names. They will be *very* useful. Robert Ransom
Attachment:
signature.asc
Description: PGP signature