tracking locally originated traffic from an exit node ... ?

Martin Fick mogulguy at yahoo.com
Wed Aug 4 00:09:39 UTC 2010


--- On Tue, 8/3/10, John Case <case at SDF.LONESTAR.ORG> wrote:
> On Tue, 3 Aug 2010, Martin Fick wrote:
> 
> >> So ... if I've got a 5 or 10 mbps exit node with a
> >> healthy
> >> list of connections, can I use lynx locally to
> >> browse anonymously ?
> > 
> > 
> > I suspect that latencies would strongly differentiate your
> > traffic from regular tor exit node traffic. Also, while
> > you may have a decent amount of tor bandwidth, how much of
> > that bandwidth can actually be used by an individual tor
> > user?  Individual tor users going through at least 2
> > other nodes before yours may still be severely BW limited
> > before  reaching your exit node.  If your traffic is not
> > so BW limited, it will likely stand out again.
> 
> 
> Ok, I'd like to address both cases...
> 
> There's really no way they could see latency unless they
> had compromised the system itself.

What about ACKs in a TCP stream?  What 
about application level responses?  If I 
know the site being visited, and I know 
that loading a certain web page has 
certain images in it, wouldn't it be 
fairly easy to identify when the latency 
is really low if some of those images on
the page are requested very soon after 
the HTML is downloaded?  You have used 
tor, haven't you? :)  You do realise how 
bad the latencies can be?


> As for the speed, that may be the case, but I don't think
> it's _necessarily_ the case.

Well, of course, I didn't say it was nec. 
the case, but I sure would be concerned 
about it if you take your anonymity 
seriously.


> That is, it might look
> interesting that particular connections were high bandwidth,

If I can monitor your incoming traffic and 
determine which middle nodes are connected 
to you, shouldn't I be able to get a fairly 
good idea on the maximum BW of each since 
it is advertised?  If not a single middle 
node can match your output BW, it's a sure
bet it is not tor BW!  Now, let's suppose 
that only one middle node can match your 
output BW, it might be fairly easy to 
determine that this node is not currently
transmitting to you at the BW of your 
output, again, foiled.  In fact, if I can 
simply monitor every single input stream 
to your node, I can tell if any single one 
is large enough to match your output BW, 
if not...  This all seems pretty easy if I
only have to observe your node.  

> but is there anything implied literally in the code that
> would preclude that ?

No idea,

-Martin
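Added example, not part of the original message: a self-audit an exit operator could run over their own node's per-connection byte counters, applying the check Martin describes (is any single inbound relay stream large enough to account for each outbound flow?). The record layout, peer names, window length and tolerance value are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample counters from the operator's own node, one row per
# (window, side, peer, bytes). "relay" = connections to other Tor relays,
# "exit" = connections to destinations. Window length is assumed (e.g. 10 s).
SAMPLE = [
    (0, "relay", "middleA", 400_000),
    (0, "relay", "middleB", 150_000),
    (0, "exit", "site1.example", 380_000),
    (0, "exit", "site2.example", 140_000),
    (1, "relay", "middleA", 300_000),
    (1, "relay", "middleB", 200_000),
    (1, "exit", "site1.example", 250_000),
    (1, "exit", "site3.example", 2_500_000),  # locally originated download
    (2, "exit", "site4.example", 50_000),     # no relay traffic at all
]


def unexplained_flows(records, tolerance=1.1):
    """Return exit-side flows that no single relay connection could have fed.

    A circuit reaches the exit through exactly one relay connection, so a
    relayed flow cannot move more bytes in a window than the busiest relay
    connection did. `tolerance` (an assumed value) absorbs window-edge skew.
    """
    totals = defaultdict(int)
    for window, side, peer, nbytes in records:
        totals[(window, side, peer)] += nbytes

    windows = sorted({w for w, _, _ in totals})
    flagged = []
    for w in windows:
        relay = [b for (win, side, _), b in totals.items()
                 if win == w and side == "relay"]
        busiest = max(relay, default=0)
        for (win, side, peer), b in sorted(totals.items()):
            if win == w and side == "exit" and b > busiest * tolerance:
                flagged.append((w, peer, b, busiest))
    return flagged


if __name__ == "__main__":
    for window, peer, nbytes, busiest in unexplained_flows(SAMPLE):
        print(f"window {window}: {peer} moved {nbytes} B, "
              f"busiest relay link {busiest} B")
```

Any flagged row is a flow that an observer watching only this node could rule out as relayed Tor traffic on bandwidth alone; the latency argument in the message is a separate signal this check does not cover.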



      