[tor-talk] insufficient hidden service performance is potential de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]
coderman at gmail.com
Sun Nov 9 13:31:47 UTC 2014
On 11/9/14, coderman <coderman at gmail.com> wrote:
> your ConstrainedSockets experiments are exactly what i would expect to
> see if this technique were used, since reducing socket buffers would
> allow you to have more concurrent connections open (and thus thwart a
> DoS at lower limits).
someone asked, "then why the names and ..?"
if i was implementing this attack, i would want the attacked to assume
it was a mis-configured bot. this looks like a mis-configured bot.
only by watching established connections, and the rate of client
request data sent over them, would you be able to identify this type
of malicious attack was taking place.
morals of this story:
- never assume a crash or DoS is innocuous on the Tor network.
- always get packet captures to diagnose trouble! (not just request logs)
- "the old tricks, still the best tricks..."
- and DON'T record traffic on a relay or exit! this is likely to harm
others while you attempt to be proactive. the last thing Tor needs is
relays and exits breaking the very privacy it is intended to provide
More information about the tor-talk