[tor-talk] Attack against Tor: Statistic Manipulation Attack

adrelanos adrelanos at riseup.net
Fri Aug 10 00:28:24 UTC 2012



Introduction:
There are not only technical attacks against the Tor network. Other
strong attacks against Tor are legal attacks (i.e. attacking with laws,
not saying the attack is legal). The adversary tries to put Tor in
the worst light and tries to convince politicians to issue laws to
forbid Tor.

Recently there has been discussion about creating statistics on what
Tor is used for most. There are claims and discussions that Tor is
mostly used for "bad" things.

Many powerful groups would gladly see Tor and any anonymous proxy
dead. Even whole countries are blocking Tor. (China, Iran, etc.) Other
groups would also be happy if there were no anonymous proxies. (anti
copyright infringement, anti drug abuse, etc.)

Exit nodes:
- by Tor design, don't know who is requesting the traffic
- resolve DNS
- obviously must know the IP of the destination they are asked to connect to
- can log the amount of traffic transferred
- can log at which times how much traffic was transferred to a specific IP
- can even log a curve, how much/less traffic was transferred, when it
paused

The attack:
- The adversary writes a program, a robot.
- He keeps the source code of the robot secret.
- He either anonymously rents a few virtual servers, or a state-wide
adversary can also force a few local internet service providers to
grant many different IPs in different subnets and self-host the servers.
- He uploads only an obfuscated version of the robot to the servers.
- Additionally he could put something legitimate on the servers as a
distraction from the real purpose.
- The robot will fetch "bad" www or .onion websites and imitate a human.
- Imitation will be done by imitating mouse clicking, perhaps by
imitating using Tor Browser Bundle (for traffic fingerprint), by
randomizing the time between "mouse clicks", by randomizing the time
"viewing" a site, by randomizing how long he "stays" on the website,
by randomizing or imitating etc.
- From one IP/connection the adversary can run many instances of Tor
or build many Tor circuits.
- At the beginning only a very few robots will do that, to avoid the
fraud being detected. The number of "Tor users" (which are actually
robots) from the attacking country will grow slowly, so it looks
natural.
- Optionally, to strengthen the attack, the adversary could also host
or support "bad" hidden services. Run an exit node as well and push
for "creating Tor statistics" to "prove" Tor is mostly used for "bad"
things to get a reason to ban it.

Conclusion:
I am sure, if the robot and attack are well designed, neither exit
nodes nor anyone else is able to distinguish between robots and
humans. They also cannot find out that such an attack was run from one
specific country.

In conclusion, even if we had statistics, they're possibly or likely
manipulated by a (powerful*) adversary who wants to see Tor shut down.

*powerful: The actual programming of the robot can probably be done
even by a low-skilled programmer or otherwise cost very little (below
1000$) compared to a powerful adversary who can easily spend a lot of
money. Perhaps running the attack is also cheap; it would have to be
tested how well many circuits and robots scale on low-cost VPS to have
a significant impact on the statistics.

Defense:
The best defense against this attack is to develop the robot, to run it
as a test and to prove it's working. That would make any statistics about
Tor less credible.

Cheers,
adrelanos

