[tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?
Pascal666 at Users.SourceForge.Net
Sat Apr 21 18:41:21 UTC 2012
MAC addresses are used by layer 2 protocols (see
https://en.wikipedia.org/wiki/OSI_model ). Once an IP packet traverses
a layer 3 device (such as a router) the srcMac has been changed to that
of the router's egress interface. Unless your ISP provided your router,
srcMac identifies only which router the packet came from, not the
Decent routers randomize source ports to prevent traffic correlation
(makes it harder to confirm that two streams from the same router came
from the same client).
If you need deniability, don't use an ISP provided router, make sure
your router randomizes source ports, and have an open guest wifi network
(though obviously make sure the guest network can only access the
Internet, not your LAN).
On 4/21/2012 1:05 PM, Ondrej Mikle wrote:
> If the ISP's records store [srcIP, srcPort, srcMac, dstIP, dstPort, size,
> startTime, endTime] for every TCP connection, then it's definitely doable; note
> that srcMac is MAC of client visible from ISP's side of the router to internet
> (so that clients behind NAT can be identified, though the srcPort gives that
> away, too).
More information about the tor-talk