[tor-dev] Proposal xyz : Count Unique IP addresses in an anonymous way

Andreas Krey a.krey at gmx.de
Sat Mar 18 04:36:46 UTC 2017

On Fri, 17 Mar 2017 18:12:11 +0000, Jaskaran Singh wrote:
> Currently, guard relays and bridges maintain a list of IP addresses of
> the devices that connect to it for various reasons such as for use by
> the bridge to check which country has them blocked. This is dangerous
> because if any of these tor instances get compromised, clients will be
> de-anonymized.

As an adversary, I wouldn't take down the bridge but either monitor
the traffic to it ($country can also do this on its border gateways),
or modify it to tell me the connecting IP addresses.

End users tend to be on dynamic IP addresses, so stored IP addresses
aren't of much worth when you don't know when they were used; that
is a reason why $adversary might be more interested in snooping
than in compromising the bridge.

(Although I don't know how prevalent changing IP addresses still
are when you're online permanently. E.g. here in Germany Telekom
changes to all-IP, and there are no longer disconnects after 24h, and
thus you don't change IPs every day.)

> present in the set. The feature of this bitmap is that collisions could
> happen. And this collision creates deniability. When collisions happen,

The problem is that for the accounting purposes you don't want (too
many) collisions, and also that state agencies don't necessarily
care for plausible deniability - if an IP address is found by
enumeration and probing the bloom filter they might still decide
to put that user on closer watch. (I've heard that a lot of the
traditional telephone tapping isn't used as evidence in court
but produces leads to where to investigate next.)

On the other hand you can indeed keep the filter rather small
because one bridge doesn't get that many collisions, and you don't
need to make it anywhere as big as to avoid collision with 2^32 entries.
Could also be dynamically sized depending on the number of clients seen
- you need aging anyway, so the next table can have a different size.

You can also go and poison the bloom filter with some random addresses,
even a lot, actually. If we're talking of 2000 users you can easily
throw in another 2000 random addresses without decreasing the
precision of the statistics much - only on a size comparable to
collisions in the bloom filter itself.

- Andreas

"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
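
A simulation of the sizing and decoy points in the reply above, added as an example; it is not part of the original message and not Tor code. The filter size (65536 bits), the 4 SHA-256-derived positions per address, the fill-ratio cardinality estimator, and all addresses are assumptions constructed for illustration.

```python
import hashlib
import math
import random

class BloomFilter:
    """Bitmap of m bits with k hash positions per address (parameters are assumptions)."""
    def __init__(self, m, k):
        self.m, self.k = m, k
        self.bits = bytearray((m + 7) // 8)

    def _positions(self, ip):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + ip.to_bytes(4, "big")).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, ip):
        for p in self._positions(ip):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, ip):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(ip))

    def estimate(self):
        # Cardinality from the fill ratio: n ~ -(m/k) * ln(1 - set_bits/m)
        set_bits = sum(bin(b).count("1") for b in self.bits)
        return -(self.m / self.k) * math.log(1 - set_bits / self.m)

def simulate(n_clients=2000, n_decoys=2000, m=65536, k=4, n_probes=20000, seed=1):
    rng = random.Random(seed)
    # Constructed sample data: distinct random IPv4 addresses as 32-bit integers.
    ips = rng.sample(range(2**32), n_clients + n_decoys + n_probes)
    clients = ips[:n_clients]
    decoys = ips[n_clients:n_clients + n_decoys]
    probes = ips[n_clients + n_decoys:]  # addresses that never connected
    bf = BloomFilter(m, k)
    for ip in clients + decoys:
        bf.add(ip)
    fp_rate = sum(ip in bf for ip in probes) / n_probes
    return {
        "client_estimate": bf.estimate() - n_decoys,  # the relay knows its decoy count
        "all_inserted_match": all(ip in bf for ip in clients + decoys),
        "false_positive_rate": fp_rate,
        "ipv4_false_positives": fp_rate * 2**32,  # never-seen addresses testing positive
    }

if __name__ == "__main__":
    print(simulate())
```

With these assumed parameters the client estimate stays close to 2000 after the decoys are subtracted, while a filter match alone cannot separate a real client from a decoy or from the much larger population of never-seen addresses that also match.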
