[tor-talk] Is this a practical vulnerability?

Anon Mus my.green.lantern at googlemail.com
Sat Oct 20 10:56:40 UTC 2012


On 19/10/2012 16:38, Eugen Leitl wrote:
> On Fri, Oct 19, 2012 at 11:25:34AM +0100, Anon Mus wrote:
>
>> e.g. let's say a node is in a server in an IBM/US telecoms company based
>> in France, then that server will almost certainly be routing ALL its
>> traffic through the USA and back to itself (or another node in the same
>> company) before sending it on to the next external node. This diversion
> While it is no secret that intercontinental fiber taps exist, you
> would not route the traffic itself over the Atlantic to an
> intercept and analysis point and then back (you would see that
> in giant added latency), but to tap the signal not too
> far from the fiber landing point, since you would need to
> analyze it in a somewhat big box probably not residing on the seabed.
>
> It is probably easier for local intelligence services to
> co-operate intensively, and intercept data close to exchange
> points, and share results of analysis (only sharing realtime
> communication taps on a very small set of high value targets).
> Such sharing can happen over dedicated channels, or over VPN
> tunnels over the public Internet.
>

Not if you want to tap, and insert realtime recognizable timing sequence 
delays into a packet train, and/or block traffic.

And besides, I've seen it done and talked to those who set the servers 
up to do this.

You need to also remember, that to do a "Man In The Middle" attack you 
need to be in-line not just a tap.

>> is NEVER reported as ONLY a single "virtual node ip" is quoted. The only
>> way you can ever tell it's been done is by looking at the time delay,
>> however this is also often difficult/impossible to spot because these
>> routes are often the fastest on the internet. OK - I know this goes on
>> for certain because there are internal tools used within these companies
>> to trace the TRUE route and I have seen such servers send their traffic
>> in this manner 24/7 - 365. Having discussed this as "wasted effort" with
>> a network engineer I was told there is a "payment" made somewhere to
>> compensate. At the same time all of this is camouflaged in apparently
>> nice and legitimate reasons for it being that way, but when you pull it
>> apart you see the lie, but you can't PROVE it.
>>
>> As about 70% of Europe's internet traffic passes through an IBM/US
>> telco's servers then it's almost certain that in any one of these Tor node
>> to Tor node connections there is at least one sub-node that passes the
>> traffic through the USA, who is the global adversary using Total Traffic
>> Timing Tracking.
> Passive traffic analysis does not require being part of the Tor
> network (though operating a noticeable number of compromised Tor
> nodes would give you additional information which is not easily
> available with traffic analysis).
>

Well of course not, and I never said it did. I was talking about all the 
internet traffic. To view a single instance of the Tor network traffic 
you would just need to filter out the client IP's Tor traffic, then its 
network nodes along any single route. And if you insert special timing 
sequences in the packets from the clients you can identify these along 
the route and at the exit.
