Re: [tor-talk] Traffic shaping attack
On 3/19/16, Oskar Wendel <o.wendel@xxxxx> wrote:
> ...
> Let's assume that the service is extremely popular, with over 6 terabytes
> of traffic each day, and a gigabit port almost constantly saturated. Then,
> we can observe a small handful of guards and still be able to spot at
> least some users.

the problem with high traffic sites is a local confirmation attack.
E.g. your colo line is really active! and on a short list of suspects
above large traffic threshold.

an outage of your local link for 3-5 min leads to confirmation across
10,000 probe sessions, circuit extension attempts, and connect
attempts, all confirming yes indeed suspect hidden service suddenly
out of reach. [ is this sufficient *proof* for $context? who knows,
but you get the picture...]

at least now the feds can't pretend to be the technicians servicing
your outage under cover, anymore... ;)

> Well, for one traffic hiccup probably many...
>
> This is not a theoretic attack. This is something that has been noticed
> on one of illegal sites and I expect many busts around the globe in the
> coming weeks.

attacks attempting to confirm a solitary client connecting to a peer
(e.g. very low degree node) are at different risk than those highly
centralized, very active services experience.

good luck to you! and please share insights and experience :)

best regards,