SPD talk: "Simulating a Global Passive Adversary for Attacking Tor-like Anonymity Systems"?
gojosan at mailhaven.com
gojosan at mailhaven.com
Fri Jun 13 02:48:29 UTC 2008
Hi,
On Thu, 12 Jun 2008 16:26:48 -0700, "Mike Perry" <mikeperry at fscked.org>
said:
> Thus spake gojosan at mailhaven.com (gojosan at mailhaven.com):
>
> > I just noticed this talk at the Security and Privacy Day from May 2008.
> > While I understand that Tor's thread model does not defend against a GPA
> > I am still curious what effect this attack can have against the current,
> > real Tor network?
> >
> > Simulating a Global Passive Adversary for Attacking Tor-like Anonymity
> > Systems
> > http://web.crypto.cs.sunysb.edu/spday/
>
> A handful of comments about the paper (many of these they themselves
> brought up, but some they did not):
>
> [snip]
That is great info and very well explained, thank you. Your response
was exactly what I was hoping for.
> A couple countermeasures that are possible:
>
> 1. Nodes that block ICMP and filter closed TCP ports are less
> susceptible to this attack, since they would force the adversary to
> measure the capacity changes at upstream routers instead (which will
> have other noise introduced due to peers utilizing the link as well). I
> am wondering if this means we should scan the network to see how many of
> these top nodes allow ICMP and send TCP resets, and if it is feasible to
> notify their operators that they may want to consider improving their
> firewalls, since we're only talking about 100-150 IPs here. There are a
> lot more critical things to scan for though, so this is probably lower
> priority.
I am considering running an exit relay. I have a software firewall to
stealth ports (ICMP, TCP, etc) and I assume "filter" is synonymous with
"stealth"? When I enable my relay (cable Internet connection) I will
most likely use BandwithRate of 1048576kb and a BandwidthBurst of
2097152kb. Does this mean my node is more susceptible to this attack?
Also, I have the bandwidth to set BandwithRate of 2097152kb and a
BandwithBurst of 4194304kb; would this larger rate be preferable?
> 2. Roger pointed out that clients can potentially protect themselves
> by setting 'BandwidthRate 25KB' and setting 'BandwidthBurst' to some
> high value, so that short lived streams will still get high capacity
> if it is available, but once streams approach the 10-20minute lifetime
> needed for this attack to work, they should be below the detectable
> threshold.
What is considered a high BandwidtBurst setting?
> I think this is a somewhat ugly hack, and should probably
> be governed by a "High Security Mode" setting that would be
> specifically tuned to this purpose (and be a catching point for other
> hacks that protect against various attacks but at the expense of
> performance/usability).
Could you please elaborate on these other hacks? What other settings
should be used for those who prefer security/anonymity over
performance/usability? In your opinion what settings and actions
constitute a "High Security Mode"?
> All this aside, this is a very clever attack, and further evidence
> that we should more closely study capacity properties, reliability
> properties, queuing properties, and general balancing properties of
> the network.
>
>
> --
> Mike Perry
> Mad Computer Scientist
> fscked.org evil labs
Thank your for your time and assistance,
-gojosan
--
gojosan at mailhaven.com
--
http://www.fastmail.fm - One of many happy users:
http://www.fastmail.fm/docs/quotes.html
More information about the tor-talk
mailing list