: Export END_CIRC_REASON_* to controler

Paul Syverson syverson at itd.nrl.navy.mil
Fri Oct 13 13:28:02 UTC 2006

On Fri, Oct 13, 2006 at 01:14:53AM -0500, Mike Perry wrote:
> One issue I would like to guard against/watch for is an adversary
> destroying circuits if they do not detect one of their colluders at
> each end.  Adversaries doing this would be able to ensure that the
> only time they waste bandwidth on a connection is if they know they
> are able to determine its origin, thus gaining an advantage over the
> expected rate of O((c/n)^2).
> For the scanner to detect this, there shouldn't be any way a node can
> make us mistake a malicious closure from one that should happen
> normally (ie was requested by us). Taking the reason right from the
> wire enables a node to do this.

I'm probably not getting some key assumption here, but I don't see how
this can be prevented without some major developments.  This sort of
attack is roughly how the experiments to detect hidden servers were
In that case we controlled the requesting client so could easily drop
the circuit without doing anything otherwise odd.  But I don't see why
any entry or exit node can't simply stop sending if a colluder is not
detected on the other end.  Then he can close the circuit or others
on the circuit will close it for him, and there will be no easy way to
recognize that node as the culprit.  One coud construct testing and
reputation mechanisms to recognize nodes that do this flagrantly and
repeatedly. But some of us have worked on that and it can get tricky
quickly, plus framing other nodes becomes a big issue.

Paul Syverson                              ()  ascii ribbon campaign  
Contact info at http://www.syverson.org/   /\  against html e-mail

More information about the tor-dev mailing list