[tor-talk] Retroactive traffic confirmation attacks on Tor through data retention records?

Ondrej Mikle ondrej.mikle at gmail.com
Sun Apr 22 17:04:27 UTC 2012


On 04/21/2012 08:41 PM, Pascal wrote:
> MAC addresses are used by layer 2 protocols (see
> https://en.wikipedia.org/wiki/OSI_model ).  Once an IP packet traverses a layer
> 3 device (such as a router) the srcMac has been changed to that of the router's
> egress interface.  Unless your ISP provided your router, srcMac identifies only
> which router the packet came from, not the particular client.
> 
> Decent routers randomize source ports to prevent traffic correlation (makes it
> harder to confirm that two streams from the same router came from the same client).

Well, yes. That's exactly why they want to store the (srcPort, srcIP) <->
srcMac mapping, so that they can identify people with private IPs hidden behind NAT.

Ondrej

