[tor-relays] Traffic Confirmation Attacks / Bad Relays

Matt Traudt sirmatt at ksu.edu
Fri Jul 21 22:00:06 UTC 2017



On 7/21/17 12:56, Matt Traudt wrote:
> On 7/21/17 12:12, 0dayshoppingspree at tutanota.com wrote:
>> Hello
>>
>> A few users have detected suspicious activity around certain Relays in
>> the network. There could be Time Confirmation Attacks happening
>> currently on the Live Tor Network.
>>
>> If any Tor dev see this, Please Start Checking The US Relays in the
>> network.
> 
> Since this person has yet again left out all the important information,
> here's what this person has to say. I'm quoting this Reddit comment:
> https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o/
> 
> """
> 
> Ive noticed every single node in the circuits i start building all
> connect to 3 Relays in the US.
> 
> Then today a relay operator notices this:
> 
> I operate the apx family of exit nodes. [1]
> 
> It may be valuable to know that traffic confirmation attacks [2] are
> seemingly taking place. [3]
> 
> [1] apx1 apx2 apx3
> 
> [2] http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf
> 
> 
> EDIT> See
> 
> https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks/
> 
> [3] Regular 30 second windows with around 1.8 Gbit/s - 2.1 Gbit/s of
> traffic on each of the exits which are also guards (apx1, apx2) while
> the exit which isn't a guard sees stable traffic of only ~ 1 Gbit/s
> (apx3). Circuits to hidden services include guards and middle nodes
> (rendezvous point). DDoS attacks against hidden services do not affect
> exit nodes unless they are also guard nodes.
> 
> """
> 
> I now ask:
> 
> 1. Please provide proof that all your circuits always contain 3 relays
> in the US. If you didn't actually mean that all circuits always have all
> 3 relays in the US, then please explain why you think sometimes having
> all 3 in the same country is bad. Keep in mind that guard nodes are a
> thing and it isn't weird to have the same 1st hop in every circuit. Also
> keep in mind that (i) there are a large number of relays in a small
> number of countries, (ii) a relay existing in country X does not
> necessarily mean they are dangerous relays, (iii) you should assume
> large adversaries would geo-diversify.
> 
> 2. What is the point of bringing up the traffic you see on your relays?
> It isn't obvious to me. Keep in mind that relays aren't always assigned
> weights in a predictable or perfectly fair manner. I run multiple relays
> on a single machine and they get weighted very differently.
> 
> Matt

The following is a reply from the person running exit nodes. I
originally confused the following person with the one posting the vague
"OMG US relays" panic on this list.

I'll probably be stepping out of this discussion at this point. I don't
think there's more I can contribute.

"""
Hey,

I was made aware of this thread by the user pastly in the #tor IRC
channel. I would like to clarify some things.

To begin with, I really don't know what the user is referring to. There
are currently 149 exit nodes from the US, from a total of 787 exit
nodes; that is 81% non-US exit nodes. If the user's client does in fact
only connect to US relays, that is likely unrelated to my observations.
However, if that happens consistently, I would really appreciate if that
would be investigated further.

Now, to my observations and the post that was referred to:

/I clearly failed to clarify/ that the "suspicious" traffic which caught
my interest was about non-Tor IPs entering the network through my exits.

As pastly nicely put it: /> will never be used as a guard by
well-behaved tor clients./

My observations were made using a utility I built using nDPI and sysdig
(kernel module).

That is, I have observed about a gigabit of traffic entering my exit
nodes originating /from non-Tor IPs/, causing connections to be
initiated to middle nodes.

I have not claimed evidence to "prove" confirmation attacks. I have
merely observed nearly a gigabit (on multiple nodes, that is) of inbound
traffic entering the network through my exit nodes, which does not seem
very reasonable to do unless the goal is attack hidden services.

If I can clarify further, please let me know.

-- Kenan
"""
