[tor-talk] insufficient hidden service performance is potential de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]

Andrea Shepard andrea at torproject.org
Sun Nov 9 16:08:36 UTC 2014

On Sun, Nov 09, 2014 at 05:31:47AM -0800, coderman wrote:
> On 11/9/14, coderman <coderman at gmail.com> wrote:
> > ...
> > your ConstrainedSockets experiments are exactly what i would expect to
> > see if this technique were used, since reducing socket buffers would
> > allow you to have more concurrent connections open (and thus thwart a
> > DoS at lower limits).
> someone asked, "then why the names and ..?"
> if i was implementing this attack, i would want the attacked to assume
> it was a mis-configured bot. this looks like a mis-configured bot.

Yes, and that is what it looks like.  The strings 'code', 'old' and 'fail' in
the URLs seen in nachash's logs were also present as top-level directories on
his site, and he apparently had a 404 redirect to his index page - so a
buggy crawler might well produce something like the observed pattern.  Who
would leave an obviously broken crawler producing nothing of interest like
that running for such a long time and O(1M) requests, though?  An attack
designed to look like skiddie bullshit is starting to sound plausible.

Andrea Shepard
<andrea at torproject.org>
PGP fingerprint (ECC): BDF5 F867 8A52 4E4A BECF  DE79 A4FF BC34 F01D D536
PGP fingerprint (RSA): 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 328 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20141109/17ccded4/attachment.sig>

More information about the tor-talk mailing list