How would tor defend from this attack?

Dave Jevans djevans at ironkey.com
Wed Mar 7 06:32:11 UTC 2007


Your proposal is quite realistic, though to get good bi-directional 
bandwidth would probably cost a lot more than you project, as you'd 
want colocated servers, not servers on DSL lines.

I believe that the exit nodes are one of the weakest points in a Tor 
network.  If you don't know who is operating them, they can do all 
kinds of monitoring, modification and other mayhem (eg. inject zero 
day exploits and malware into your browsing traffic).

Ways to route traffic through "trusted" exit nodes, and ways to 
provably show that routes are via independent operators is probably 
useful.  This line of thinking moves one toward contracts, companies, 
etc.

The other approach is to have so many routers that a Sybil attack is 
not possible.  But that means turning every user into a Tor node.  I 
still maintain that unknown exit nodes are dangerous even in a world 
with 100,000 Tor nodes or 1 million nodes.



At 9:57 PM -0800 3/6/07, Michael_google gmail_Gersten wrote:
>So here's an idea for an attack on tor.
>
>We recently saw a paper that said that someone who puts in a lot of
>routers, claiming to have high bandwidth, can correlate senders and
>destinations, exposing the traffic analysis that tor is trying to
>defend against. And, a response from the maintainers -- doing that
>leaves a lot of tracks.
>
>What about a real set of routers?
>
>Right now, it looks like the network of tor routers is such that 50
>high speed routers will be able to be that >10% of the network, and
>determine the senders/receivers of traffic.
>
>How big of an attack is this? 50 headless machines, at $400 per
>machine, $20,000. 50 network connections at $50/month, $2,500 per
>month. $30,000 per year.
>
>$50,000 for the first year, and what happens?
>
>Tor gets a lot more bandwidth. Tor looks to be expanding at a good
>rate. And tor's effectiveness is compromised, completely. Heck, it can
>even be done by law enforcement, or even by China, so that they know
>who to go after.
>
>And, since exit nodes see a lot of unencrypted traffic, this means
>that it becomes easier, not harder, to watch someone. Right now, for
>example, it's hard to grab the traffic from someone elsewhere on the
>internet, but if you know that they use tor, then you can run an exit
>router and have a chance to see what they do. Run enough routers, and
>you can grab a large portion of their traffic.
>
>As much as tor is trying to protect privacy, is it time to ask the
>other question: Does tor make it much easier for a large organization
>to start restricting privacy?
>
>$50,000 may sound like a lot, but consider what can be generated for
>an "anti-pedophile" group -- a private organization saying "Protect
>the children!". Or ... well, the point is, that's relatively cheap. It
>doesn't take a government level spending to do that -- it's even in
>the range of the corporate espionage budget of a large multi-national
>company.
>
>How can tor defend against something like this?



More information about the tor-talk mailing list