[tor-talk] Differences between real exit traffic and exit-generated traffic ?

John Case case at SDF.ORG
Fri Dec 30 08:40:50 UTC 2011


On Fri, 30 Dec 2011, Robert Ransom wrote:

> On 2011-12-30, John Case <case at sdf.org> wrote:
>> Let's say I have an exit node handling average traffic and number of
>> connections (whatever that is).  Let's also say that port 22 is included
>> in my exit policy.
>> Now let's say that I, as the administrator, log onto the exit node and:
>> ssh user at host.com
>> I understand that a global observer with traffic analysis blah blah blah.
>> But what about someone just watching the exit node ?  Is there anything at
>> all about my ssh connection generated from within the exit node that would
>> distinguish it from "real" exiting Tor traffic ?
> Someone watching all traffic to and from the exit node would be able
> to distinguish that connection from Tor traffic because traffic on the
> SSH connection would not be relayed over any OR connection (in either

Hmmm... what I meant to say is, the Tor node exits port 22 *in addition 
to* the rest of its exit policy.  So, for example:


So someone watching all traffic in and out would see a whole lot of 
unknown incoming connections, all encrypted, from other tor nodes, and 
coming out of the node would see a whole bunch of traffic to all kinds of 
arbitrary destinations, over at least 6 different protocols.

How would they pick a single SSH outbound (low bandwidth, let's say an 
interactive shell login) and know that *that* one has no corresponding 
input ?

> direction).  Someone watching only that SSH connection (e.g. a sniffer
> at host.com) would be able to distinguish that SSH connection from an
> exiting Tor stream because your SSH client would respond to messages
> from the server immediately after they reach the exit node, whereas an
> SSH client connecting over Tor would not be able to respond until data
> from the server reached the other end of a Tor circuit.

Ok, so there is a response speed fast enough that it *couldn't* have just 
done a three-hop back and forth ... that's interesting.

BTW, is this a FAQ ?  I can't be the first exit operator to be tempted by 
a low latency, "almost Tor" connection...
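The timing argument in Robert's second point can be made concrete with a small simulation. The block below is an added illustration, not code from the thread or from the Tor project; every number in it (link RTT, circuit RTT, jitter) is a constructed assumption, not a measurement. It models what a sniffer at host.com observes: the gap between the server emitting a packet and the client's reply arriving. A client running on the exit host replies after one link round trip plus processing; a client at the far end of a three-hop circuit cannot reply before the link round trip plus the full circuit round trip has elapsed, so any reply faster than that floor rules out a Tor-relayed stream.

```python
"""Added illustration of why reply latency seen at host.com separates an SSH
client running on the exit host from one reaching the server through a Tor
circuit. All parameters are constructed assumptions, not measurements."""
import random
import statistics

# Constructed parameters, in milliseconds (assumptions for the simulation).
LINK_RTT_MS = 20.0       # exit host <-> host.com
CIRCUIT_RTT_MS = 300.0   # exit <-> middle <-> guard <-> client and back again
PROCESSING_MS = 2.0      # client-side handling of an interactive echo


def reply_delay(over_tor, rng):
    """Delay between the server sending a packet and seeing the client's reply."""
    jitter = rng.uniform(0.0, 10.0)          # ordinary network/host jitter
    delay = LINK_RTT_MS + PROCESSING_MS + jitter
    if over_tor:
        # The packet must traverse the circuit to the client and the reply
        # must come back the same way, plus relay queueing on each hop.
        delay += CIRCUIT_RTT_MS + rng.uniform(0.0, 50.0)
    return delay


def sample_delays(over_tor, n=200, seed=1):
    """Collect n reply delays for one kind of client (deterministic seed)."""
    rng = random.Random(seed)
    return [reply_delay(over_tor, rng) for _ in range(n)]


def fastest_possible_tor_reply():
    """Lower bound on reply delay for a client at the far end of a circuit."""
    return LINK_RTT_MS + PROCESSING_MS + CIRCUIT_RTT_MS


def classify(delays):
    """Label a stream 'exit-local' if any reply beats the Tor lower bound.

    A single reply faster than the circuit could deliver is enough: no
    amount of averaging makes a three-hop round trip fit into that window.
    """
    return "exit-local" if min(delays) < fastest_possible_tor_reply() else "consistent-with-tor"


if __name__ == "__main__":
    for label, over_tor in (("ssh from exit host", False), ("ssh via Tor circuit", True)):
        delays = sample_delays(over_tor)
        print(f"{label:22s} min={min(delays):6.1f} ms "
              f"median={statistics.median(delays):6.1f} ms -> {classify(delays)}")
```

The floor used by `classify` is the whole point: a Tor-relayed client's reply is bounded below by the circuit round trip, while the exit-local client routinely replies inside a single link round trip, so an observer who sees even one sub-floor reply can tell the two apart regardless of how much other exit traffic surrounds the stream.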

