[tor-talk] Differences between real exit traffic and exit-generated traffic ?

Robert Ransom rransom.8774 at gmail.com
Fri Dec 30 07:59:31 UTC 2011

On 2011-12-30, John Case <case at sdf.org> wrote:
> Let's say I have an exit node handling average traffic and number of
> connections (whatever that is).  Let's also say that port 22 is included
> in my exit policy.
> Now let's say that I, as the administrator, log onto the exit node and:
> ssh user at host.com
> I understand that a global observer with traffic analysis blah blah blah.
> But what about someone just watching the exit node ?  Is there anything at
> all about my ssh connection generate from within the exit node that would
> distinguish it from "real" exiting Tor traffic ?

Someone watching all traffic to and from the exit node would be able
to distinguish that connection from Tor traffic because traffic on the
SSH connection would not be relayed over any OR connection (in either
direction).  Someone watching only that SSH connection (e.g. a sniffer
at host.com) would be able to distinguish that SSH connection from an
exiting Tor stream because your SSH client would respond to messages
from the server immediately after they reach the exit node, whereas an
SSH client connecting over Tor would not be able to respond until data
from the server reached the other end of a Tor circuit.

Robert Ransom

More information about the tor-talk mailing list