[tor-dev] Defending against guard discovery attacks by pinning middle nodes

Michael Rogers michael at briarproject.org
Mon Sep 22 17:15:04 UTC 2014


On 13/09/14 15:34, George Kadianakis wrote:
> Michael Rogers <michael at briarproject.org> writes:
>> Hi George,
>> 
>> Could you explain what it means to say that HS traffic isn't
>> counted in the load balancing equations? Why is that so, and can
>> it be changed if that would allow a more secure HS design?
>> 
> 
> Hello Michael,
> 
> this is an area that I don't really understand so I might be
> totally wrong, but Tor has the concept of bandwidth weights: 
> https://gitweb.torproject.org/torspec.git/blob/ebc5a935ee4aa0c123829706671a3f43da82f11f:/path-spec.txt#l207
> where directory authorities calculate how much Guard/Middle/Exit
> bandwidth is available, and then they specify some parameters that 
> clients use to load balance better. For example, if there is not
> much Guard bandwidth, clients will be asked to use Guards mainly
> for Guard purposes and not for Middle/Exit purposes.
> 
> Now that we have reduced the number of guard nodes to 1, there are 
> some HSes that receive lots of traffic and are hidden behind a
> single guard. That guard is probably receiving/pushing quite some
> HS traffic that is not really considered during client load
> balancing. So normal clients will keep on pushing that node to
> become their guard, and at the same time HS clients will push that
> node for HS traffic.
> 
> If we now pin both the guard and the middle (as discussed in my
> post), now middle nodes that protect popular HSes will also get a
> surge of HS traffic that is not accounted for by Tor's bandwidth
> weight load balancing.
> 
> I might be wrong in all the above.

Thanks for the explanation! If I understand right (probably not), this
issue isn't specific to hidden services. Any client that sends or
receives a lot of traffic will create a hotspot of load on its guard.
If there are multiple layers of guards there will be a hotspot at each
layer. But that load won't be taken into consideration by other
clients picking guards, because relays report how much bandwidth
they're willing to provide, but not how much of it has been used. So
hotspots are invisible to the directory authorities. Is that anywhere
near the mark?

Cheers,
Michael
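A toy model of the concern discussed in this thread, added here as an example and not part of the original messages or of Tor's code. It assumes a simplified selection rule (guard chosen with probability proportional to advertised bandwidth only, without the consensus bandwidth-weight parameters from path-spec.txt), and the relay names, loads and client counts are constructed.

```python
import random

# Constructed relay set: advertised bandwidth in arbitrary units (not real relays).
ADVERTISED = {"guardA": 100, "guardB": 100, "guardC": 200, "guardD": 400}

def assign_clients(n_clients, seed):
    """Each client picks one guard with probability proportional to the
    advertised bandwidth. Carried load is never an input to the choice."""
    rng = random.Random(seed)
    names = sorted(ADVERTISED)
    weights = [ADVERTISED[n] for n in names]
    counts = dict.fromkeys(names, 0)
    for _ in range(n_clients):
        counts[rng.choices(names, weights=weights)[0]] += 1
    return counts

def utilization(counts, per_client_load, pinned_load=None):
    """Carried load divided by advertised bandwidth, per relay.
    pinned_load maps relay -> extra traffic from a heavy endpoint pinned there."""
    pinned_load = pinned_load or {}
    return {
        name: (counts[name] * per_client_load + pinned_load.get(name, 0.0))
        / ADVERTISED[name]
        for name in ADVERTISED
    }

def compare(n_clients=8000, per_client_load=0.05, heavy=("guardA", 60.0), seed=7):
    """Return (client counts, utilization without, utilization with) the heavy endpoint."""
    counts = assign_clients(n_clients, seed)
    before = utilization(counts, per_client_load)
    after = utilization(counts, per_client_load, {heavy[0]: heavy[1]})
    return counts, before, after

if __name__ == "__main__":
    counts, before, after = compare()
    for name in sorted(ADVERTISED):
        print(f"{name}: clients={counts[name]:5d} "
              f"util before={before[name]:.2f} after={after[name]:.2f}")
```

In this model the ordinary clients land on the same guards in both cases, so the relay carrying the pinned heavy endpoint ends up well above the utilization of its peers while its selection weight stays unchanged.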

