[tor-talk] Is this a practical vulnerability?

Anon Mus my.green.lantern at googlemail.com
Fri Oct 19 10:25:34 UTC 2012


On 19/10/2012 04:12, Lee Whitney wrote:
> I was reading a paper on discovering hidden service locations, and couldn't find any reason it shouldn't work in principle.
>
> However being that I'm a Tor novice, I wanted to ask here.
>
> In a nutshell they propose throwing some modified Tor nodes out there that modify the protocol enough to track down the location.  It does take some time, but it doesn't seem like years.
>
My experience is that there's already an easy method of identifying Tor 
hidden service nodes and this takes little time to do.

Let me explain why I come to that opinion.

Having a static IP net connection, I set up a test web site as a Tor 
service on a Tor middleman server. That server had been a middleman 
server for about a year, no problems, no attempts to hack it in all that 
time.

Within 24hrs of making that Tor hidden service live I could see, in my 
firewall logs, hundreds of repeated attempts trying to hack my server, 
directly from the internet, not via my hidden Tor service. All were 
attempting to access various types of services/permissions which were 
mainly focused on attempting to gain control of a "web page server". All 
attacks were from US based places of higher education (colleges and 
universities), most from establishments where Tor servers were situated 
but not from Tor servers themselves.

Now, bearing in mind that I had only EVER requested 1 web page (a blank 
test page - requested about 4 times) from my own Torrified web browser 
(out and back so to speak), and no OTHER (external) page requests were 
EVER received via the Tor hidden service, as shown by its log, someone 
must have been able to immediately see the service enter and track its 
source, and then attempted to hack the web server itself. It appeared to 
be a group of about 3 or 4 persons, each trying a different attack 
strategy over a 12 hour period. Hundreds of commands were sent, many in 
quick succession as if they were in some sort of script file, but some 
were live; at one point I even watched them live as they were coming in 
as I countered their hack attempts.

As a result of this I did some serious thinking about Tor and came to 
the conclusion that someone out there, and I believe it is THE global 
adversary (USA mil/sec), is able to see with perfect transparency all Tor 
traffic.

Consider:

Most Tor users see the Tor connections as merely a set of 3 or 4 
connected nodes over which their traffic is routed, e.g. Tor1 - US, Tor 
2 - Germany, Tor 3 France - EXIT. But in reality the internet is not 
like that; this is only the UPPER structure level. At the lower level 
the packets are routed over many dozens of sub-nodes, and these nodes are 
invisible to the Tor map of your traffic. You can find out this info 
yourself if you wish to test out a single ROUTE to another IP address 
just by doing a traceroute url (tracert url for windows) command from a 
command line prompt window. As you will see, this is about a dozen hops 
to the average local url. But this is not the end of the problem, as 
some hops are hidden and they report only a virtual hop back to you.

e.g. let's say a node is in a server in an IBM/US telecoms company based 
in France, then that server will almost certainly be routing ALL its 
traffic through the USA and back to itself (or another node in the same 
company) before sending it on to the next external node. This diversion 
is NEVER reported as ONLY a single "virtual node ip" is quoted. The only 
way you can ever tell it's been done is by looking at the time delay, 
however this is also often difficult/impossible to spot because these 
routes are often the fastest on the internet. OK - I know this goes on 
for certain because there are internal tools used within these companies 
to trace the TRUE route and I have seen such servers send their traffic 
in this manner 24/7 - 365. Having discussed this as "wasted effort" with 
a network engineer I was told there is a "payment" made somewhere to 
compensate. At the same time all of this is camouflaged in apparently 
nice and legitimate reasons for it being that way, but when you pull it 
apart you see the lie, but you can't PROVE it.

As about 70% of Europe's internet traffic passes through an IBM/US 
telco's servers, then it is almost certain that in any one of these Tor 
node to Tor node connections there is at least one sub-node that passes 
the traffic through the USA, who is the global adversary using Total 
Traffic Timing Tracking.


You should be able to work the rest out for yourself.



> Any comment appreciated, here's a link to the paper:
>
> http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf
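As an added example (not part of the original post, and not Tor project code), one way to check this thread's central observation, that direct-to-IP probing of the host began only after the hidden service went live: the hypothetical script below takes constructed iptables-style firewall drop lines and a go-live time, and reports sources that first appeared within a window after go-live and probed several ports, while ignoring sources that were already hitting the host beforehand (background noise).

```python
"""Spot sources whose direct-to-IP probing starts only after a hidden service
goes live. Hypothetical helper added for this thread; the log lines are
constructed, simplified iptables-style records, not from any real host."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
GO_LIVE = "2012-10-18 12:00:00"  # constructed: when the hidden service went live

# Constructed sample: "<date> <time> DROP SRC=<ip> DPT=<port>"
SAMPLE_LOG = """\
2012-10-17 09:14:02 DROP SRC=203.0.113.7 DPT=23
2012-10-18 12:41:10 DROP SRC=198.51.100.22 DPT=80
2012-10-18 12:41:11 DROP SRC=198.51.100.22 DPT=8080
2012-10-18 12:41:11 DROP SRC=198.51.100.22 DPT=443
2012-10-18 12:41:12 DROP SRC=198.51.100.22 DPT=22
2012-10-18 13:02:30 DROP SRC=198.51.100.23 DPT=80
2012-10-18 13:02:31 DROP SRC=198.51.100.23 DPT=81
2012-10-18 13:02:31 DROP SRC=198.51.100.23 DPT=8000
2012-10-18 15:00:00 DROP SRC=198.51.100.24 DPT=80
2012-10-19 01:10:00 DROP SRC=203.0.113.7 DPT=23
2012-10-20 13:00:00 DROP SRC=198.51.100.25 DPT=80
2012-10-20 13:00:01 DROP SRC=198.51.100.25 DPT=443
2012-10-20 13:00:02 DROP SRC=198.51.100.25 DPT=22
"""

def parse_drops(text):
    """Yield (timestamp, src_ip, dst_port) for each DROP line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "DROP":
            continue
        kv = dict(x.split("=", 1) for x in parts[3:] if "=" in x)
        yield datetime.strptime(f"{parts[0]} {parts[1]}", FMT), kv["SRC"], int(kv["DPT"])

def new_probers(text, live_at=GO_LIVE, window_h=24, min_ports=3):
    """Sources never seen before live_at that hit >= min_ports distinct ports
    within window_h hours after it. Returns {src: {"first_seen_after_s", "ports"}}.
    Sources already probing before go-live are treated as noise and excluded."""
    live = datetime.strptime(live_at, FMT)
    before, ports, first = set(), defaultdict(set), {}
    for ts, src, port in parse_drops(text):
        if ts < live:
            before.add(src)
        elif ts <= live + timedelta(hours=window_h):
            ports[src].add(port)
            first[src] = min(first.get(src, ts), ts)
    return {src: {"first_seen_after_s": int((first[src] - live).total_seconds()),
                  "ports": sorted(p)}
            for src, p in ports.items() if src not in before and len(p) >= min_ports}

if __name__ == "__main__":
    for src, info in new_probers(SAMPLE_LOG).items():
        print(f"{src}: first probe {info['first_seen_after_s']}s after go-live, ports {info['ports']}")
```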


