Loops show DHS run Nodes, flood takeover

Wilfred L. Guerin wilfredguerin at gmail.com
Sat Oct 20 19:48:32 UTC 2007

A brief cycle of loopbacks was run this past week and the models run against
public databases.

There is a huge influx of new nodes with slightly-above-average
characteristics over the last few weeks at most, all of which have close to
identical processing and bandwith characteristics abnormal to real

Many of the highest correlations point at american DHS and USSS (cybercrime)
counterparts in close physical proximity as well as a large set of British
interpol spiders.

When the entire block is allocated to a specific client, it is only obvious
when they assign one ip of the range to the tor node on many hundred client
units using the public tor master list...

In short, someone has taken the que from the "spy nodes" issue of last month
and is attempting to flood the TOR mixer out of service.

This is a little more problematic than such things as https key negotiation
on the same wire, or million-bit encryption around a 56 or (much) less bit
key like we saw in anguilla a decade ago, since it explicitly authorizes
what is correlary to a denial of service attack against the operational
mechanisms of the TOR system as defined.

Has anyone further analysis of this problem?

Flooding out the media is IBB and BBC's job, but since it is heirchial and
structured from a single source, the MIM of google or mass media sources and
quarentine/isolation is not beyond their authority, but a public source
system that employs only donated elements should NOT be attacked in the same
manner. No mention of ISP dns registrations for update.windows...

Please advise

-Wilfred L. Guerin
WilfredGuerin at Gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20071020/fafec8f2/attachment.htm>

More information about the tor-dev mailing list