[tor-talk] Partial View Traffic Analysis

Mark McCarron mark.mccarron at live.co.uk
Wed Dec 18 15:21:12 UTC 2013


I've been working on some theories I have with regard to isolating traffic to particular regions using only partial views.  It should be possible to capture timing information based upon requests made by a logged-on user to a website or hidden service (such as requests for js, or css files).

From this a metric can be calculated that indicates a "timing profile" for that particular user.  If we have information gathered from machines we control (i.e. we own them, or they are part of a botnet) that provides metrics of timing information of circuits from machines located in particular areas, we can then compare this against the "timing profile" for our logged-on user.

This would provide us with a general location of a user with a certain degree of probability.

Two major aspects control the resolution:

1.  The size and density of a given botnet.
2.  The number of timing profiles obtained.

We could also change the geographic location of the hidden service periodically, to increase the resolution further.  This is a highly cost-effective attack against Tor and does not require the resources of a government to conduct either.

Has anyone else investigated this approach?  If so, what were your results?

Regards,

Mark McCarron

