[tor-relays] Detecting Network Attack [re: exit synflooded]

grarpamp grarpamp at gmail.com
Sun Nov 26 09:16:34 UTC 2017


On Sat, Nov 25, 2017 at 5:15 PM, teor <teor2345 at gmail.com> wrote:
> need a privacy-preserving aggregation scheme

> (Otherwise, anyone who can remotely trigger a rare protocol
> violation can find out which relays a client or onion service is using.)

The above don't necessarily lead to each other.

> scheme in Tor so we can do these counts

That's thinking of 'in tor' code, which is a good way and project
to see some things only visible there, and a way to count and
submit them over tor.


I'm thinking more of using external tools to watch the network
interface itself...

Attackers will read / fuzz the source code till they exploit
via tor's open ports anyway.  Though it could still be good
to instrument those ports with both tor protocol analyzer, and
a raw packet statistical analyzer / classifier to see what's
incoming.

Instrumenting the IP itself to look for debilitating inbound
packet bursts from the internet indicating node pruning
segmentation attacks. That would be an interesting discovery. Though
attackers might find the method redundant given already ways
to deanon hidden services and fewer to deanon users.

And all the usual IDS type of tools that could be deployed and
collected to see who / what is probing away at the network
itself and how.

Might want to look for modulation patterns in OR traffic
proving existence of certain known attack methods.

Not talking about content of exit traffic in any of this.
It's exposing attacks from clearnet, not users of tor.

Operators could opt in.
Prebuilt tool packages could be created.

Someone with a handful of relays could always do the research
project on their own, and like silent attackers, may already be.

