[tor-relays] Traffic Confirmation Attacks/ Bad Relays

Matt Traudt sirmatt at ksu.edu
Fri Jul 21 16:56:02 UTC 2017



On 7/21/17 12:12, 0dayshoppingspree at tutanota.com wrote:
> Hello
> 
> A few users have detected suspicious activity around certain Relays in
> the network. There could be Time Confirmation Attacks happening
> currently on the Live Tor Network.
> 
> If any Tor dev see this, Please Start Checking The US Relays in the
> network.
> 

Since this person has yet again left out all the important information,
here's what this person has to say. I'm quoting this Reddit comment:
https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o/

"""

I've noticed every single node in the circuits I start building all
connect to 3 Relays in the US.

Then today a relay operator notices this:

I operate the apx family of exit nodes. [1]

It may be valuable to know that traffic confirmation attacks [2] are
seemingly taking place. [3]

[1] apx1 apx2 apx3

[2] http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf


EDIT> See

https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks/

[3] Regular 30 second windows with around 1.8 Gbit/s - 2.1 Gbit/s of
traffic on each of the exits which are also guards (apx1, apx2) while
the exit which isn't a guard sees stable traffic of only ~ 1 Gbit/s
(apx3). Circuits to hidden services include guards and middle nodes
(rendezvous point). DDoS attacks against hidden services do not affect
exit nodes unless they are also guard nodes.

"""

I now ask:

1. Please provide proof that all your circuits always contain 3 relays
in the US. If you didn't actually mean that all circuits always have all
3 relays in the US, then please explain why you think sometimes having
all 3 in the same country is bad. Keep in mind that guard nodes are a
thing and it isn't weird to have the same 1st hop in every circuit. Also
keep in mind that (i) there are a large number of relays in a small
number of countries, (ii) a relay existing in country X does not
necessarily mean they are dangerous relays, (iii) you should assume
large adversaries would geo-diversify.

2. What is the point of bringing up the traffic you see on your relays?
It isn't obvious to me. Keep in mind that relays aren't always assigned
weights in a predictable or perfectly fair manner. I run multiple relays
on a single machine and they get weighted very differently.

Matt

