Active Attacks - Already in Progress?

Jimmy Richardson jmmrchrdsn at gmail.com
Thu Nov 25 03:35:17 UTC 2010 

Hi,:

I suspect torserversNet_* belongs to http://www.torservers.net/, not 
sure about PPrivCom though.

Thanks

On 11/25/2010 10:38 AM, Theodore Bagwell wrote:
> We recently discussed an attack on onion-routing anonymity, wherein a
> well-funded adversary overwhelms the network with compromised relays,
> thereby increasing his chances of monitoring anonymity-compromising
> data.
>
> I don't mean to alarm anyone, but I just did some quick-and-dirty
> research that suggests such an attempt may already be under way. I hope
> to be proven wrong.
>
> I postulated that such an attacker would mass-deploy his relays in a way
> that did not lend a whole lot of uniqueness to the name of each relay*.
> The relay names would probably be random characters, numbers, or words
> at best. At sloppiest, they would just be one name with sequential
> numbers after it - "AnonymityAttacker001, AnonymityAttacker002,
> AnonymityAttacker003, etc."
>
> So, I decided to look for such patterns in the list of Relays available
> in my Tor console. A quick scan revealed what appeared to be either (A)
> mass-deployments of Tor relays by a singular entity, or (B)
> astronomically-unlikely coincidental naming schemes adopted by dozens of
> disparate and unconnected individuals.**
>
> But it wasn't just finding these relays that concerned me. It was Tor's
> affinity for routing through them.
>
> See, I began closing my open circuits systematically. I kept records of
> any circuits which contained PPrivCom___ or torserversNet_ relays in it.
> I closed and recorded 43 circuits. Here are my findings:
>
> While Tor indicated it had 1665 relays to choose from, 79% of my
> circuits used one of the suspicious relays. 2% of my circuits used two
> suspicious relays. 0% of my circuits used three suspicious relays.
>
> Of the circuits I recorded, only 21% did not route through a suspicious
> relay.
>
> My conclusion is that someone (a security researcher? A hobbyist? A
> government?) is actively toying with the feasibility of attacking Tor's
> anonymity. According to my statistics, they may also be gaming Tor's
> affinity for choosing relays*** because they have, unquestionably,
> succeeded in relaying 79% of my circuits despite controlling a mere 2.8%
> of the relays in the Tor network.
>
> How dangerous is it if two of the three circuit relays are compromised?
> What recourse do we have? Can someone more knowledgeable shed more light
> on this?
>
> I yield the balance of my time. :)
> ---
> * Of course, the well-organized attacker would go to the trouble to
> construct names that truly blended in with the Tor namescape - such
> as,"MrSpudRelays, QueenAnnesRevenge, SteveKenpIsMyHero, and so forth."
> ** I speak primarily of "torserversNet_" numbers 1-5, and PPrivCom___"
> numbers 004-052.
> *** The inner workings of which I, admittedly, do not understand...
> **** 47 out of 1665 active relays, according to my Tor console.
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

More information about the tor-talk mailing list