[tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?

Pascal Pascal666 at Users.SourceForge.Net
Sat Apr 21 18:41:21 UTC 2012

MAC addresses are used by layer 2 protocols (see 
https://en.wikipedia.org/wiki/OSI_model ).  Once an IP packet traverses 
a layer 3 device (such as a router) the srcMac has been changed to that 
of the router's egress interface.  Unless your ISP provided your router, 
srcMac identifies only which router the packet came from, not the 
particular client.

Decent routers randomize source ports to prevent traffic correlation 
(makes it harder to confirm that two streams from the same router came 
from the same client).

If you need deniability, don't use an ISP provided router, make sure 
your router randomizes source ports, and have an open guest wifi network 
(though obviously make sure the guest network can only access the 
Internet, not your LAN).


On 4/21/2012 1:05 PM, Ondrej Mikle wrote:
> If the ISP's records store [srcIP, srcPort, srcMac, dstIP, dstPort, size,
> startTime, endTime] for every TCP connection, then it's definitely doable; note
> that srcMac is MAC of client visible from ISP's side of the router to internet
> (so that clients behind NAT can be identified, though the srcPort gives that
> away, too).

More information about the tor-talk mailing list