How do we defeat exit node sniffing?

Scott Bennett bennett at cs.niu.edu
Tue Jun 10 08:31:54 UTC 2008


     On Mon, 09 Jun 2008 23:11:35 -0700 Jack Straw <JackStraw at xeromail.com>
wrote:
     [duplicate copy of previous postings deleted  --SB]
>Scott Bennett wrote:
> >      On Mon, 09 Jun 2008 20:51:10 -0700 Jack Straw <JackStraw at xeromail.com>
> > wrote:
> >> F. Fox wrote:
> >>> defcon wrote:
> >>>> so what do you all suggest if I must authenticate to a non-SSL
> >>>> connection?  How do I do it anonymously and safely?
> >>> (snip)
> >>>
> >>> AFAIK, you can't.
> >>>
> >>> However, there are three personal rules I stick to, when using accounts
> >>> which need a login through Tor. They may or may not apply to your scenario:
> >>>
> >>> 1.) Any account used for anonymity, must be created through Tor, and
> >>> never have been touched without it.
> >>>
> >>> 2.) Any such account must, of course, always be accessed through Tor
> >>> after its creation.
> >>>
> >>> 3.) Any such account must be considered expendable; i.e., if an exit
> >>> sniffer stole the credentials and either locked you out or impersonated
> >>> you, it wouldn't be a real problem.
> >>>
> >>> If you'd rather not have to follow Rule 3, make sure you use accounts
> >>> with services that use strong encryption - and watch out for accidental
> >>> leaks*.
> >>>
> >>>
> >>> *: Supposedly, Gmail's Web interface sometimes leaks, even when using it
> >>> under HTTPS. To minimize such leaks, it's important to switch on POP or
> >>> IMAP ASAP, and use a client with it with SSL/TLS enabled.
> >>>
> >> I have a question about that, which has puzzled me for quite some time.
> >> Perhaps I'm being too rigid in regards to this.
> >>
> >> I have a Gmail account that was created through Tor.
> >> I should say, that this anonymous account is a test account. I use it
> >> for no sensitive communications, however I treat the account as if I do.
> >>
> >> I have only accessed that GMail account through Tor, and my Xerobank
> >> account. Mixing it up. I have been very cautious in adhering to that.
> >> Well sort of... My bad.
> >>
> >> A few months back, in haste, I accidentally accessed the account naked
> >> from my standard IP address. Maybe 2-4 times. That's all. But it happened.
> >> I felt that the account had to be abandoned as it was now "tainted."
> >>
> >> But then I thought, "How so?"
> >>
> >> Let's say hypothetically, I have accessed that account 1,000 times.
> >> 950 times I have logged in using Tor. 48 times I've logged in using my
> >> Xerobank account.
> >>
> >> On those few occasions, I've logged in from my home IP.
> >>
> >> Logically, how would a potential adversary know where I'm coming from?
> >>
> >> For all they'd know, I was traveling, and logged in using a friend's
> >> computer as the access was less than a half dozen times. Unless I'm
> >> missing something, that unintended access really tells them nothing. Or
> >> does it? It may be suggestive, I'd think, but that's it. For some, that'd
> >> be enough to abandon the account and I understand that.
> >>
> >> I accept all that Fox wrote as "Best Practices" and should always be
> >> adhered to. One doesn't want to take risks or play Russian Roulette.
> >>
> >> I agree.
> >>
> >> But is that account really tainted?
> >>
> >      Okay, let me don a black hat for a bit to tackle this one.  Suppose
> > I can watch the traffic going into and out of the destination, where you
> > hold your account, an account that particularly interests me for reasons
> > unknown to you.  I've noticed already that the source addresses of the
> > connections coming in to access this account seem to bounce around the
> > globe from one connection to the next.  I might think you were traveling,
> > except that I see occasions where the access times that I've logged show
> > consecutive addresses that are too far apart geographically for the user
> > to have traveled between them in the time between those accesses.  E.g.,
> > one time the user accesses the account from an IP address in the London
> > metro area, and an hour later accesses it again, but this time from Delhi.
> > So I check more closely, comparing those IP addresses to various lists I
> > keep up-to-date copies of and...voila!  All of them are tor exit nodes!
> > Except, perhaps, this one IP address that might be someone's home computer
> > because it doesn't appear as an exit for the port in question in the
> > cached-descriptors list that I keep on hand, in which case, I've probably
> > found you.  OTOH, perhaps you run a tor exit node for that port, in which
> > case that method doesn't work.  But wait just a sec here...hmmm...the
> > last access was from a tor exit for the appropriate port, but then there
> > have been no accesses since that time over a week ago, but the user has
> > typically been accessing it at least every two or three days ever since
> > the account was opened.  I wonder...could the user have slipped up and
> > accessed the account without realizing that the access had not gone
> > through the tor network?  Perhaps he had disabled the use of tor in
> > his/her browser and forgotten to reenable it, in which case I've got you
> > located by IP address and can find out your street address quite easily.
> > Now maybe I don't have any real evidence to use against you for Vaterland
> > Security or FiBbI or wherever my blackhat character happens to work, but
> > maybe I have a girlfriend who works down the street at the IRS, who might
> > take an interest in the tax protest postings to various USENET groups
> > from your account.
> >      Dropping the black hat to return to normal self :-)...so in that
> > light, is your account tainted?  I would contend that it probably is if
> > Mr. Black Hat has been focusing on your account.  To the extent that I
> > may be doing by hand all the closer examination of your account accesses,
> > rather than using a completely automated process that simply delivers
> > these results to me, you might be able to cover the trail, especially if
> > you do run a tor exit node for the port in question, by doing something
> > like this after your little accident occurred:  roll a 20-sided die to
> > determine how many more times you will access the account via the tor
> > network before abandoning the account, so that the cessation of accesses
> > will not so obviously point to your IP address.
> >      I realize that may not seem to be much consolation, but you should
> > understand that all of this occurred to me while I was still reading
> > your message the first time.  It didn't take any real pondering to come
> > up with.
> >
     [my quoted .signature deleted  --SB]
>
>Scott, that was a brilliant answer. And I appreciate the time you 
>invested in it.

     The only time invested was the time to edit the reply.  You're quite
welcome.
>
>I wasn't sure, and I wasn't trying to be defensive or protect a position.

     That was clear.
>
>But I could not logically parse, how Gmail logins from an overwhelming 
>majority of random IPs with minimal logins from my valid home IP could 
>possibly compromise the account.
>
>But it is precisely that small number of tainted logins that with 
>careful research would prove to be the most revealing or productive for 
>an adversary. Often, the smallest piece of evidence turns out to be the 
>most significant.

     In the more difficult case in which you do run an exit server for the
appropriate port, that small clue is the fact that you stopped using that
account, suggesting that you perhaps no longer trusted it, which is what
highlights the last IP address used as the one that may lead to you.
>
>When it comes to security, one must always consider as the priority, the 
>worst possible scenario, which you did.
>
>I wholeheartedly agree. The account is tainted.
>
     But, you do see that it is much worse than that, right?  Unless you
did do something to hide the significance of your real IP address appearing
in Mr. Black Hat's logs of your account's accesses, like the example I gave,
then *you* *personally* are "tainted" because he now is pretty sure that
that IP address leads directly to *you*, whoever you may be, which he can
now pin down fairly quickly by finding out from your ISP your street address
and who has the ISP account at that address.  In other words, if you were up
to something Big Brother takes offense to, then your goose could well
*already* be cooked.  (You could perhaps get a lawyer to negotiate your
surrender while you remain in hiding somewhere and run a hidden service for
communication with that lawyer.  The lawyer might be able to work a deal for
you where they would be willing to forgo the torture sessions at GTMO or
one of the secret prisons around the world and proceed immediately to your
execution by firing squad.  Best wishes. :-)


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
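An added self-check in Python (my example, not code from the thread or from any Tor project) that applies Scott's two observations to an account's own recorded access history: which logins came from an address that is not on the exit list for the port in question, and whether the silence since the last access stands out against the account's usual cadence. The exit list, addresses and timestamps are constructed for the example.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (not from the thread): the kind of exit list an
# observer keeps, keyed by (address, port), and one account's login history.
EXIT_LIST = {("203.0.113.10", 443), ("198.51.100.7", 443), ("192.0.2.200", 443)}
LOGINS = [  # (timestamp, source address), oldest first
    ("2008-05-28T10:00:00", "203.0.113.10"),
    ("2008-05-30T11:00:00", "198.51.100.7"),
    ("2008-06-01T09:30:00", "192.0.2.200"),
    ("2008-06-01T21:15:00", "192.0.2.55"),   # the slip: not an exit address
    ("2008-06-02T08:00:00", "203.0.113.10"),  # last access, then silence
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def non_exit_logins(logins, exits, port=443):
    """Accesses whose source address is not a known exit for this port.
    The list is per port, so the wrong port makes every login look suspect."""
    return [(ts, ip) for ts, ip in logins if (ip, port) not in exits]


def silence_is_anomalous(logins, now, factor=3):
    """True when the quiet period since the last access is much longer than
    the account's usual gap between accesses (the clue in the exit-operator case)."""
    times = sorted(_ts(ts) for ts, _ in logins)
    if len(times) < 2:
        return False
    usual = median((b - a).total_seconds() for a, b in zip(times, times[1:]))
    quiet = (_ts(now) - times[-1]).total_seconds()
    return quiet > factor * usual


def audit(logins, exits, now, port=443):
    """Combine both checks into the findings a self-audit would report."""
    return {
        "non_exit": non_exit_logins(logins, exits, port),
        "quiet_after_last": silence_is_anomalous(logins, now),
        "last_ip": logins[-1][1] if logins else None,
    }


if __name__ == "__main__":
    print(audit(LOGINS, EXIT_LIST, "2008-06-10T08:31:00"))
```

With the sample history the audit reports the single non-exit login and flags the week of silence after the last Tor access, which is exactly the pair of clues the black-hat walkthrough above relies on.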
