Active Attacks - Already in Progress?

Kyle Williams kyle.kwilliams at gmail.com
Thu Nov 25 05:02:55 UTC 2010


A quick look at my cache-descriptors shows the following for "PPrivComXXX".

family PPrivCom001 PPrivCom002 PPrivCom003 PPrivCom004 PPrivCom005
PPrivCom006 PPrivCom007 PPrivCom008 PPrivCom009 PPrivCom010 PPrivCom012
PPrivCom013 PPrivCom014 PPrivCom015 PPrivCom016 PPrivCom017 PPrivCom018
PPrivCom019 PPrivCom020 PPrivCom021 PPrivCom022 PPrivCom023 PPrivCom024
PPrivCom025 PPrivCom026 PPrivCom027 PPrivCom028 PPrivCom029 PPrivCom030
PPrivCom031 PPrivCom032 PPrivCom033 PPrivCom034 PPrivCom035 PPrivCom036
PPrivCom037 PPrivCom038 PPrivCom039 PPrivCom040 PPrivCom041 PPrivCom042
PPrivCom043 PPrivCom044 PPrivCom045 PPrivCom046 PPrivCom047 PPrivCom048
PPrivCom049 PPrivCom050 PPrivCom051 PPrivCom052 PPrivCom053 PPrivCom054
PPrivCom055 PPrivCom056 PPrivCom057 PPrivCom058 PPrivCom059 PPrivCom060
PPrivCom061 PPrivCom062 PPrivCom063 PPrivCom064 PPrivCom065 PPrivCom066
PPrivCom067 PPrivCom068 PPrivCom069 PPrivCom070 PPrivCom071 PPrivCom072
PPrivCom073 PPrivCom074 PPrivCom075 PPrivCom076 PPrivCom077 PPrivCom078
PPrivCom079 PPrivCom080 PPrivCom081 PPrivCom082 PPrivCom083 PPrivCom084
PPrivCom085 PPrivCom086 PPrivCom087 PPrivCom088 PPrivCom089 PPrivCom090
PPrivCom091 PPrivCom092 PPrivCom093 PPrivCom094 PPrivCom095 PPrivCom096
PPrivCom097 PPrivCom098 PPrivCom099 PPrivCom100

As for "torserversNetX", they have the following listed.

family $2F265B37920BDFE474BF795739978EEFA4427510
$89B64AB62ECBE91CD58017065DE01BD477F638AD
$9B41B9B3D4661566C660096B715BC647FBD72A72
$CF91FBA32FDAC4C500F3A3565591F144D5074820
$D0378B405AA7781820428EE4F40867B53CC70599

It seems they are playing by the rules by listing the other nodes owned by
them in the MyFamily tag on their torrc files.


On Wed, Nov 24, 2010 at 6:38 PM, Theodore Bagwell <toruser1 at imap.cc> wrote:

> We recently discussed an attack on onion-routing anonymity, wherein a
> well-funded adversary overwhelms the network with compromised relays,
> thereby increasing his chances of monitoring anonymity-compromising
> data.
>
> I don't mean to alarm anyone, but I just did some quick-and-dirty
> research that suggests such an attempt may already be under way. I hope
> to be proven wrong.
>
> I postulated that such an attacker would mass-deploy his relays in a way
> that did not lend a whole lot of uniqueness to the name of each relay*.
> The relay names would probably be random characters, numbers, or words
> at best. At sloppiest, they would just be one name with sequential
> numbers after it - "AnonymityAttacker001, AnonymityAttacker002,
> AnonymityAttacker003, etc."
>
> So, I decided to look for such patterns in the list of Relays available
> in my Tor console. A quick scan revealed what appeared to be either (A)
> mass-deployments of Tor relays by a singular entity, or (B)
> astronomically-unlikely coincidental naming schemes adopted by dozens of
> disparate and unconnected individuals.**
>
> But it wasn't just finding these relays that concerned me. It was Tor's
> affinity for routing through them.
>
> See, I began closing my open circuits systematically. I kept records of
> any circuits which contained PPrivCom___ or torserversNet_ relays in it.
> I closed and recorded 43 circuits. Here are my findings:
>
> While Tor indicated it had 1665 relays to choose from, 79% of my
> circuits used one of the suspicious relays. 2% of my circuits used two
> suspicious relays. 0% of my circuits used three suspicious relays.
>
> Of the circuits I recorded, only 21% did not route through a suspicious
> relay.
>
> My conclusion is that someone (a security researcher? A hobbyist? A
> government?) is actively toying with the feasibility of attacking Tor's
> anonymity. According to my statistics, they may also be gaming Tor's
> affinity for choosing relays*** because they have, unquestionably,
> succeeded in relaying 79% of my circuits despite controlling a mere 2.8%
> of the relays in the Tor network.
>
> How dangerous is it if two of the three circuit relays are compromised?
> What recourse do we have? Can someone more knowledgeable shed more light
> on this?
>
> I yield the balance of my time. :)
> ---
> * Of course, the well-organized attacker would go to the trouble to
> construct names that truly blended in with the Tor namescape - such
> as, "MrSpudRelays, QueenAnnesRevenge, SteveKenpIsMyHero, and so forth."
> ** I speak primarily of "torserversNet_" numbers 1-5, and "PPrivCom___"
> numbers 004-052.
> *** The inner workings of which I, admittedly, do not understand...
> **** 47 out of 1665 active relays, according to my Tor console.
> --
>  Theodore Bagwell
>  toruser1 at imap.cc
>
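As an added example (not from either poster), here is a Python sketch of the two checks the thread turns on: whether the `family` lines in cached-descriptors are mutual (path-spec only treats two relays as one family when each lists the other, so a one-sided declaration does not keep them apart in a circuit), and how far an observed 79% sits from what an unweighted pick of 47 out of 1665 relays would give. The descriptor fragment, nicknames and fingerprints are constructed, not real relay data.

```python
from itertools import combinations
# Constructed cached-descriptors fragment (not real relays or fingerprints);
# family entries may be nicknames or "$" + fingerprint, as in the post.
DESCRIPTORS = """\
router PPrivCom001 10.0.0.1 9001 0 0
fingerprint AAAA 1111
family PPrivCom002 PPrivCom003
router PPrivCom002 10.0.0.2 9001 0 0
fingerprint BBBB 2222
family PPrivCom001 PPrivCom003
router PPrivCom003 10.0.0.3 9001 0 0
fingerprint CCCC 3333
family $AAAA1111
"""
def parse_descriptors(text):
    """Return {nickname: (fingerprint, set of family entries)} per router block."""
    relays = {}
    for block in ("\n" + text).split("\nrouter ")[1:]:
        lines = block.splitlines()
        fp, fam = "", set()
        for line in lines[1:]:
            line = line.removeprefix("opt ")  # 2010-era descriptors prefix some keys with "opt"
            if line.startswith("fingerprint "):
                fp = "".join(line.split()[1:])  # descriptors split it into 4-char groups
            elif line.startswith("family "):
                fam = set(line.split()[1:])
        relays[lines[0].split()[0]] = (fp, fam)
    return relays

def family_check(relays):
    """Mutual pairs (each lists the other: the only kind path selection honours) vs one-sided links."""
    def names(a, b):  # does relay a list relay b, by nickname or $fingerprint?
        return b in relays[a][1] or "$" + relays[b][0] in relays[a][1]
    mutual, one_sided = set(), set()
    for a, b in combinations(sorted(relays), 2):
        ab, ba = names(a, b), names(b, a)
        if ab and ba:
            mutual.add((a, b))
        elif ab or ba:
            one_sided.add((a, b) if ab else (b, a))
    return mutual, one_sided

def expected_hit_rate(share, hops=3):
    """Share of circuits touching a group holding `share` of per-hop weight (independent hops)."""
    return 1 - (1 - share) ** hops

def implied_share(observed_rate, hops=3):
    """Per-hop selection weight that would explain an observed hit rate."""
    return 1 - (1 - observed_rate) ** (1 / hops)
```

With the numbers in the post, expected_hit_rate(47/1665) is about 8%, while implied_share(0.79) shows that roughly 40% of the per-hop selection weight would be needed to see 79%, which is why the group's share of bandwidth-weighted selection, not its relay count, is the figure to check.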