[liberationtech] Breaking Tor for $3K

Maxim Kammerer mk at dee.su
Wed Jul 30 12:45:23 PDT 2014


On Tue, Jul 8, 2014 at 12:20 AM, Maxim Kammerer <mk at dee.su> wrote:
> Well, if we estimate total guard node bandwidth at 4GB/s, several
> controlled guard nodes with two gigabit links allow control of
> ~6% of Tor traffic, enabling a fair share of opportunistic
> deanonymization attacks on hidden services and their clients.

“Then the second class of attack they used, in conjunction with their
traffic confirmation attack, was a standard Sybil attack — they signed
up around 115 fast non-exit relays, all running on 50.7.0.0/16 or
204.45.0.0/16. Together these relays summed to about 6.4% of the Guard
capacity in the network.” [1]

> Simultaneously, I would inject arbitrary delays into all client
> connections to controlled guard nodes, and watch for similar delays on
> suspected hidden service nodes.

“The particular confirmation attack they used was an active attack
where the relay on one end injects a signal into the Tor protocol
headers, and then the relay on the other end reads the signal. These
attacking relays were stable enough to get the HSDir ("suitable for
hidden service directory") and Guard ("suitable for being an entry
guard") consensus flags. Then they injected the signal whenever they
were used as a hidden service directory, and looked for an injected
signal whenever they were used as an entry guard.” [1]

So they apparently found a more efficient and reliable way to transmit
the signal, at the cost of getting detected after half a year. Too bad
the talk was retracted; I was looking forward to some actual
non-propaganda Tor hidden service statistics.

[1] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
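Added example, not part of the message above, the advisory it quotes, or Tor's own code: a toy model of the two halves of the attack the advisory [1] describes. The HSDir-side relay encodes a signal into the command byte of the cells it sends, and a colluding guard decodes it from the cells it forwards to the client, linking a client address to a hidden service. The cell command values RELAY=3 and RELAY_EARLY=9 are real Tor values; the one-bit-per-cell encoding, the "watched" service list, the client address and the function names are constructed for illustration and are not the encoding the attackers actually used. The last function models the mitigation Tor shipped after the advisory as I remember it (close a circuit on which a RELAY_EARLY cell arrives inbound); that detail is stated from memory, not from the page.

```python
from typing import List, Optional

# Real Tor cell command values; the rest of this file is an assumed model.
RELAY = 3        # ordinary relay cell
RELAY_EARLY = 9  # RELAY_EARLY cell, meant only for outbound circuit extension


def hsdir_encode(service_name: bytes) -> List[int]:
    """HSDir (sender) side: encode the signal into cell headers, one bit per
    cell. A 1 bit is sent as RELAY_EARLY and a 0 bit as RELAY, so only the
    command byte in the cell header changes; the payload is untouched."""
    cells = []
    for byte in service_name:
        for shift in range(7, -1, -1):
            cells.append(RELAY_EARLY if (byte >> shift) & 1 else RELAY)
    return cells


def guard_decode(commands: List[int]) -> bytes:
    """Guard (receiver) side: rebuild the signal from the command bytes of the
    cells it forwarded toward the client. Incomplete trailing bytes dropped."""
    out = bytearray()
    for i in range(0, len(commands) - len(commands) % 8, 8):
        byte = 0
        for cmd in commands[i:i + 8]:
            byte = (byte << 1) | (1 if cmd == RELAY_EARLY else 0)
        out.append(byte)
    return bytes(out)


def guard_confirm(commands: List[int], client_ip: str,
                  watched: List[str]) -> Optional[str]:
    """Sybil guard: the guard already knows client_ip (it is the client's
    direct peer). If the decoded signal names a watched service, the guard has
    confirmed which service that client is talking to."""
    signal = guard_decode(commands)
    for name in watched:
        if name.encode() in signal:
            return f"{client_ip} -> {name}"
    return None


def hardened_relay_forward(commands: List[int], direction: str) -> bool:
    """Countermeasure (modelled from memory of the post-advisory fix):
    RELAY_EARLY is only legitimate in the outbound, client-to-destination
    direction, so a relay seeing one inbound tears the circuit down.
    Returns True if the circuit survives, False if it is closed."""
    if direction == "inbound":
        return not any(cmd == RELAY_EARLY for cmd in commands)
    return True


if __name__ == "__main__":
    # Constructed sample: a watched service name and a client address.
    cells = hsdir_encode(b"example.onion")
    print(guard_confirm(cells, "203.0.113.5", ["example.onion"]))
    print("circuit survives:", hardened_relay_forward(cells, "inbound"))
```

The point of the model is that the signal rides in the cell command byte, which every relay on the circuit sees in the clear; the hardened relay does not need to decode anything, it only needs to notice that the command is arriving in a direction where the protocol never uses it.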