Fwd: (Theory) The BGP exploit: Effects on Tor routing and overall anonymity?
Isaac Levy
isaac at ceetoneresearch.com
Fri Aug 29 16:50:34 UTC 2008
Hi All,
I'm sorry for the cross-post, but I felt this was relevant (and an
interesting thread!).
Alex Pilosov (one of the presenters for this BGP exploit) hangs out on
our list, so I cross posted this thread to the NYC*BUG-talk list, and
below is Alex's short response.
Best,
.ike
(For the record, the NYC*BUG Talk mailing list and archives can be
found at: <http://www.nycbug.org/index.php?NAV=MailingLists>)
> On Fri, 29 Aug 2008, Isaac Levy wrote:
>
>> Hi All,
>>
>> So this is a bit of a cross-post, I thought it was relevant/interesting,
>> since we've all been buzzing about our very own Alex, and the wild
>> Defcon demo on scary BGP re-routing; and many folks here have an
>> interest in the TOR network.
>>
>> ike-summary:
>>
>> - Essentially, the first poster asks if the BGP attack could be used
>> to break TOR anonymity.
>>
>> - The second poster explains a quick no, and then a sort of 'yes but
>> it's not in the realm of sanity', in good detail.
> The second poster is correct.
>
> -alex
Begin forwarded message:
> From: "John Brooks" <aspecialj at gmail.com>
> Date: August 29, 2008 1:46:30 AM EDT
> To: or-talk at freehaven.net
> Subject: Re: (Theory) The BGP exploit: Effects on Tor routing and
> overall anonymity?
> Reply-To: or-talk at freehaven.net
>
> The short answer is no, not much. The long answer is a lot longer
> than that, so get ready :P
>
> This would serve the person intercepting the traffic in near exactly
> the same way it does the operator of the node - entry nodes know the
> client, middle nodes know the entry and exit nodes, exit nodes know
> the destination (and the traffic to that destination). You would
> still need to intercept a significant amount of nodes before being
> able to break anonymity and tell which users are responsible for
> what traffic - which is a problem because the entire reason this
> attack works is that it targets more specific IP blocks. That many
> announcements (for various nodes) would be pretty easy to see. If an
> attacker were able to intercept traffic on the entry and exit nodes,
> or the client and destination, they could use timing and bandwidth
> correlations to tell (with high probability) that this client is
> accessing this destination. But this is no different from an
> attacker with control of the entry node or exit/destination.
>
> The only way to make use of it that doesn't involve guessing at what
> nodes are in use would be to start at one end and work backwards or
> forwards in realtime. Essentially, you start by intercepting traffic
> to a target destination, then intercept traffic to the exit node
> contacting that destination, then intercept traffic to the middle
> node contacting that exit, then the entry node contacting that
> middle node, and finally to the client. The problem here is that
> you'd need a consistent (and obvious) traffic pattern sustained
> throughout that time (which would be long, due to the large amount
> of traffic most nodes handle and that BGP is not instantaneous),
> which is not generally true of HTTP requests. The complexity of such
> an attack would be problematic, and it still involves quite a lot of
> guesswork.
>
> So no, this isn't a significant risk to tor anonymity, it's at best
> a quicker way to intercept traffic and follow a node path to its
> source, and I would be amazed if that were pulled off successfully.
> Remember that this exploit only allows you to intercept traffic *to*
> a specific destination, and in that situation you have no more
> information than the real destination does (less, in fact, because
> you don't see the traffic going the other direction unless you
> intercept that too).
>
> - John Brooks
>
> On Thu, Aug 28, 2008 at 11:21 PM, F. Fox <kitsune.or at gmail.com> wrote:
>
> Once I read about the recent BGP exploit (
> http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html ) - which
> has the potential to re-route the traffic of millions of users - I had a
> question, from a theoretical standpoint:
>
> If such siphoning drew in traffic passing in between Tor nodes, would
> this have an effect on reducing anonymity for the users having their
> traffic relayed by these nodes? If so, how?
>
> - --
> F. Fox
> Owner of Tor node "kitsune"
> http://fenrisfox.livejournal.com
>
> Note 2008/08/19: I lost my old GPG keypair, and have generated a new
> one. Authenticity can be verified by checking the ContactInfo on
> kitsune.
>
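John Brooks's reply notes that an interception built on more-specific announcements for many nodes "would be pretty easy to see". The sketch below is an added example, not part of the thread or of any Tor or BGP tooling: it checks logged announcements against a baseline of covering prefixes for a set of watched relay addresses. The addresses, AS numbers, baseline table and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: private-use addresses and ASNs, not real relays.
RELAY_IPS = ["10.20.30.7", "10.40.9.1", "10.60.1.9"]
# Assumed baseline: covering prefix -> origin AS normally seen for it.
BASELINE = {"10.20.0.0/16": 64500, "10.40.0.0/16": 64501, "10.60.0.0/16": 64502}
# Constructed (prefix, origin AS) announcements as a route collector might log them.
UPDATES = [
    ("10.20.30.0/24", 64666),  # more-specific covering a relay, new origin
    ("10.40.0.0/16", 64501),   # matches baseline
    ("10.60.0.0/16", 64666),   # same prefix, different origin
    ("10.99.0.0/24", 64666),   # covers no relay
    ("10.40.8.0/22", 64501),   # more-specific from the usual origin
]

def flag_updates(relay_ips, baseline, updates):
    """Return (kind, prefix, origin, expected_origin, relays) for each
    announcement that changes where traffic to a watched relay is routed."""
    relays = [ipaddress.ip_address(ip) for ip in relay_ips]
    base = {ipaddress.ip_network(p): asn for p, asn in baseline.items()}
    alerts = []
    for prefix, origin in updates:
        net = ipaddress.ip_network(prefix)
        hit = [str(r) for r in relays if r in net]
        if not hit:
            continue  # announcement does not cover any watched relay
        for bnet, expected in base.items():
            if net.version != bnet.version:
                continue
            if net == bnet:
                if origin != expected:
                    alerts.append(("origin-change", prefix, origin, expected, hit))
            elif net.subnet_of(bnet):
                # Longest-prefix match makes routers prefer this over the baseline.
                alerts.append(("more-specific", prefix, origin, expected, hit))
    return alerts

def relays_affected(alerts):
    """Distinct relays touched; many at once is the visible pattern."""
    return sorted({ip for alert in alerts for ip in alert[4]})

if __name__ == "__main__":
    for alert in flag_updates(RELAY_IPS, BASELINE, UPDATES):
        print(alert)
```

A more-specific announcement whose origin equals the expected origin is often ordinary traffic engineering, so the two AS fields in each alert are there to be compared before escalating.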