[tor-relays] Exit Concentration vs Bulk filters?
nusenu
nusenu-lists at riseup.net
Sat Jan 4 11:44:00 UTC 2020
> I never heard a real technical reason to avoid
> high concentration of Tor exit capacity.
Let me give you a few examples why a distributed network is in some ways
more resilient to attacks and harder to observe than a centralized.
Observability
If all traffic leaves the tor network at a single or very few places, surveillance becomes a lot easier and cheaper
when compared to a network that is distributed and has many exit locations.
Resiliency against outages
If all capacity is concentrated around just a few locations, local issues/outages have a bigger impact
on the overall availability and capacity of the network.
Resiliency against software vulnerabilities
A single operator tends to setup their systems in a relatively similar manner.
Most of its relays will use the same OS, OS version, SSL library, tor version, hardware architecture
and have a similar good or bad patch level.
In such an environment it is more likely that a single vulnerability affects large portions when compared
to a diverse ecosystem. A homogeneous ecosystem also reduces the cost for exploit development.
Resiliency against security breaches
If an hypothetical operator controlling 1/2 of the network gets compromised the impact is a lot bigger than
if they were to run 1%. The incentive for an attacker to compromise an operator running 50%
of the network is also a lot higher than attacking an operator of 1%.
Risk of detection
The risk of detection is likely higher for an attacker that compromises multiple organizations compared to a single
victim.
Cost of attacks
Compromising all relays operated by a single entity is likely cheaper than compromising all relays
run by multiple independent organizations.
Performing a hijacking attack against a single prefix is probably easier than successfully hijacking multiple independent
prefixes with different upstream providers concurrently and harder to remain undetected.
A DDoS attack against a single AS is likely cheaper than against many targets at the same time.
There are also non-technical (organizational and legal) reasons why having a distributed
network capacity is beneficial to the tor network.
Legally attacking many organizations is more expensive than a single one.
If a single operator no longer has the financial capacity or motivation the removal of their relays should not
have a existential impact on the network.
If the policy of a hoster changes from 'tor relays allowed' to 'tor relays forbidden'
than we better not run all our capacity at a single hoster.
In short, you don't want to make the tor network depend on 1-2 or 10 but many.
So if a few operators disappear the network remains functional and available
and is generally harder to attack.
kind regards,
nusenu
--
https://mastodon.social/@nusenu
https://twitter.com/nusenu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20200104/4c57b5c1/attachment.sig>
More information about the tor-relays
mailing list