Path-spec - fast circuits

Paul Syverson syverson at itd.nrl.navy.mil
Mon Feb 15 16:27:56 UTC 2010


On Mon, Feb 15, 2010 at 12:30:22AM -0600, Scott Bennett wrote:
>      On Mon, 15 Feb 2010 00:16:28 -0500 Flamsmark <flamsmark at gmail.com>
> wrote:
> >On 14 February 2010 03:15, Scott Bennett <bennett at cs.niu.edu> wrote:
> >
> >>
> >> >But one big problem is that you have no guarantee whatsoever that I'm
> >> >telling you the truth about my measurements.  See for example Kevin
> >> >Bauer et al's "Low Resource Routing Attacks Against Tor."
> >>
> >>      Yes, I've understood that from the outset, but I haven't seen any
> >> evidence that such abuse is actually happening.
> >
> >
> >Tor isn't just designed to be resilient to attacks that are actually being
> >employed. It is designed to be resistant to theoretical attacks too - as
> >well it should be. Indeed: complaining that we're protecting against
> >attacks, but nobody is using them is like saying `I bought this expensive
> >umbrella, but then I didn't even get wet.':
> >
>      That wasn't my point at all.  What I was complaining about was the
> introduction of a new, *actual* problem as the cure for a disease we had
> no sign of suffering from.  Of course, a clear avenue of attack should be
> blocked, but let's pick a way of doing it that embodies the "first, do no
> harm" concept.  The method that the developers have employed in this case
> simply adds to the misallocation problems that were already bogging tor
> down.

This is a good point, but it's hard to gauge both the urgency and the
significance of a threat you discover. In the case of one that had
been shown to work on the live Tor network and that was easy to do, it
seemed clear that some remediation was needed quickly.  Note that the
Bauer et al. simulation was a year after Lasse Overlier and I
demonstrated this attack on the live Tor network (not simulated) using
just a single corrupt Tor node that lied about its bandwidth to find
hidden services, as we described in "Locating Hidden Services" in
2006. Of course we structured things so that we would only attack
ourselves without affecting others. See the paper for details.  This
prompted a couple of changes. One was the capping of allowed claimed
bandwidth, another was entry guards (which Bauer et al. showed could
also be used to create attacks without the caps).

Your comments on and suggestions for (and even complaints about ;>)
how to measure the network and how to use that information in routing
are a welcome part of the picture, but this remains a complicated
balancing act that we continue to refine as best we can, including
in that the considerations that you have raised.

aloha,
Paul
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list