[tor-talk] Differences between real exit traffic and exit-generated traffic ?
John Case
case at SDF.ORG
Fri Dec 30 08:40:50 UTC 2011
Robert,
On Fri, 30 Dec 2011, Robert Ransom wrote:
> On 2011-12-30, John Case <case at sdf.org> wrote:
>>
>> Let's say I have an exit node handling average traffic and number of
>> connections (whatever that is). Let's also say that port 22 is included
>> in my exit policy.
>>
>> Now let's say that I, as the administrator, log onto the exit node and:
>>
>> ssh user at host.com
>>
>> I understand that a global observer with traffic analysis blah blah blah.
>>
>> But what about someone just watching the exit node? Is there anything at
>> all about my ssh connection generated from within the exit node that would
>> distinguish it from "real" exiting Tor traffic?
>
> Someone watching all traffic to and from the exit node would be able
> to distinguish that connection from Tor traffic because traffic on the
> SSH connection would not be relayed over any OR connection (in either
Hmmm... what I meant to say is, the Tor node exits port 22 *in addition
to* the rest of its exit policy. So, for example:
20,21,22,80,443,6667
So someone watching all traffic in and out would see a whole lot of
unknown incoming connections, all encrypted, from other Tor nodes, and
coming out of the node would see a whole bunch of traffic to all kinds of
arbitrary destinations, over at least 6 different protocols.
How would they pick a single SSH outbound (low bandwidth, let's say an
interactive shell login) and know that *that* one has no corresponding
input?
> direction). Someone watching only that SSH connection (e.g. a sniffer
> at host.com) would be able to distinguish that SSH connection from an
> exiting Tor stream because your SSH client would respond to messages
> from the server immediately after they reach the exit node, whereas an
> SSH client connecting over Tor would not be able to respond until data
> from the server reached the other end of a Tor circuit.
Ok, so there is a response speed fast enough that it *couldn't* have just
done a three-hop back and forth ... that's interesting.
BTW, is this a FAQ? I can't be the first exit operator to be tempted by
a low latency, "almost Tor" connection...