[Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]

Roger Dingledine arma at mit.edu
Wed Apr 18 05:01:55 UTC 2007


On Fri, Apr 13, 2007 at 12:50:00PM -0400, Roger Dingledine wrote:
> > A group of 9 Tor routers also functioning overtly or indirectly as Tor
> > exit nodes have been observed colluding on the public Tor network.
> 
> Yeah. This happened in mid 2006. I don't know why some random person
> just picked it up now.

"Nostra2004 at Safe-mail.net" sent me some follow-up questions, which
I'll answer here so we can keep the thread in one place. Maybe this
will finally put the topic to rest. :)

| How did Steven Murdoch and Richard Clayton tracked down the operator?

I believe they made some phone calls to their friends who work in the
network operations center at psinet.

| How did they determine it was an innocent mistake?

They know the person who was running them. It was somebody in the security
field who was helping out but was embarrassed to realize that he was
actually putting the network at risk by helping out quite so much. :)

The fellow felt that private embarrassment was adequate, and asked not
to be publically named. I trust them, and they trust him, so from my
perspective it is now fine.

|  Even if the
| operator is benevolent, that capability with so few nodes is disturbing.

Yep. I agree. The Tor network may seem large, but it still needs to grow
a lot larger to resist even medium sized attackers.

| How were 9 nodes apparently able to touch 11% of all Tor traffic?

If you launch a bunch of Tor servers that together push upwards of
200MBit/s each way sustained, ...that's a lot of bytes.

Tor weights path selection by bandwidth -- otherwise Tor performance
would be extremely miserable rather than just miserable.
(http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#WhySlow)

There are even several research projects currently looking at how to
trade off a bit more privacy for better performance, including one of
our GSoC interns. See also item #4 on
http://tor.eff.org/volunteer#Research

| Have changes to the code since then reduced this vulnerability?

Yes. See the previous post:

  This issue also prompted us to speed up the fix/feature in
  0.1.2.1-alpha:
  "Automatically avoid picking more than one node from the same
  /16 network when constructing a circuit."

  http://archives.seul.org/or/talk/Aug-2006/msg00300.html

But the issue still exists with respect to people who control different
/16 networks, and who can push lots of bytes (or trick us into thinking
they can).

| Do you think there needs to be activity (perhaps "collusion" between a
| group of good guys), similar to what's on Bit Torrent, to identify and
| blacklist nodes (discussions about the risks and legality of such
| things can be left till later)?

Well, the Tor directory authorities list servers, and can mark each
server as invalid, badexit, etc. So in effect the authority operators
can collude to blacklist nodes that we agree are behaving badly. A
majority of authority operators need to claim something before clients
will believe it. See http://tor.eff.org/svn/trunk/doc/spec/dir-spec.txt
for a few more details.

| Is there a transcript of the talk those slides were given with, or at
| least a video?

Yes, there is actually a video, courtesy the 23C3 folks:
http://events.ccc.de/congress/2006/Streams
look for talk 1513. For example,
http://media.hojann.net/23C3/23C3-1513-en-detecting_temperature_through_clock_skew.m4v

Hope that helps,
--Roger



More information about the tor-talk mailing list