flooding attacks to discover hidden services

Steven Murdoch tortalk+Steven.Murdoch at cl.cam.ac.uk
Mon Jan 1 18:22:52 UTC 2007


On Tue, Jan 02, 2007 at 01:39:05AM +1100, Wikileaks wrote:
> Open an onion connection to the hidden service, asking for echos.
> Now  flood each router. If the "ping" is overly delayed, the router
> is on the hidden  path.

This is a special case of the attack described in 5.2 of [1].

If we assume that the hidden service is on a Tor server then the nodes
which will show positive correlation will be the hidden service and
the guard node. If the guard nodes are stable then this gives the
hidden service some protection.

If the hidden service is not on a Tor server, and there is no other
way for the attacker to build a list of candidates to ping, then the
attack becomes a lot harder.

Furthermore, there is no reason the hidden server needs to respond to
pings, or even have a public IP address. Tor only requires that the
hidden service be able to make outgoing TCP connections.

Hosting the hidden service on a Tor node gives some plausible
deniability, but opens up attacks like the one you describe.

Thanks,
Steven.

[1] http://www.cl.cam.ac.uk/~sjm217/papers/oakland05torta.pdf

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/