[tor-talk] insufficient hidden service performance is potential de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]
grarpamp at gmail.com
Sun Nov 9 18:47:26 UTC 2014

On Sun, Nov 9, 2014 at 11:08 AM, Andrea Shepard <andrea at torproject.org> wrote:
> Yes, and that is what it looks like. The strings 'code', 'old' and 'fail' in
> the URLs seen in nachash's logs were also present as top-level directories on
> his site, and he apparently had a 404 redirect to his index page - so a
> buggy crawler might well produce something like the observed pattern. Who
> would leave an obviously broken crawler producing nothing of interest like
> that running for such a long time and O(1M) requests, though? An attack
> designed to look like skiddie bullshit is starting to sound plausible.
> morals of this story:
> - never assume a crash or DoS is innocuous on the Tor network.
> - always get packet captures to diagnose trouble! (not just request logs)
> "the old tricks, still the best tricks..."

In one of many threads, mine being 'dirty pool', there is forming a
good variety of such morals to live by and areas of action to pursue.
HS operators banding together to compare the above logs is one
of them. You could conceivably throw the logs/pcaps from many
relays and onions into a splunk.onion instance and try to mine some
knowledge out of them that way. Tor is a jointly owned wide area
infrastructure... seems time to apply the traditional net/sec tools
to it and see what's up on your own network.
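A worked example of the kind of log mining suggested above, added here and not part of the thread or of any tool named in it. It assumes the web server behind an onion service writes combined-format access lines (the client address is always the local tor proxy, so it carries no information) and that, as described in the quoted message, missing pages are redirected to the index. A crawler that follows that redirect and re-resolves relative links keeps requesting nested paths built only from the real top-level directory names. The sample log lines, the one-minute window and the thresholds are all constructed assumptions, not values from nachash's logs.

```python
"""Flag a looping-crawler / DoS-style burst in onion-service access logs.

Added example (not from the tor-talk thread). Assumes Apache/nginx combined
log format. Sample lines are constructed, not real captured traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Real top-level directories on the site, as named in the thread.
REAL_TOPLEVEL = {"code", "old", "fail"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def looks_like_redirect_loop(path):
    """True for nested paths such as /code/old/fail/ whose every segment is one
    of the real top-level names: no such nested page exists, so a run of them
    is the signature of a crawler re-resolving links after the 404 redirect."""
    segs = [s for s in path.split("?", 1)[0].split("/") if s]
    return len(segs) >= 2 and set(segs) <= REAL_TOPLEVEL


def analyze(log_text, min_requests=50, min_loop_share=0.5):
    """Bucket requests per minute; return the minutes whose volume and share of
    loop-shaped paths both exceed the (assumed) thresholds."""
    counts, loops, agents = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; in production count these too
        bucket = rec["ts"].replace(second=0, microsecond=0)
        counts[bucket] += 1
        agents[bucket].add(rec["ua"])
        if looks_like_redirect_loop(rec["path"]):
            loops[bucket] += 1
    flagged = []
    for bucket in sorted(counts):
        share = loops[bucket] / counts[bucket]
        if counts[bucket] >= min_requests and share >= min_loop_share:
            flagged.append({"minute": bucket.isoformat(), "requests": counts[bucket],
                            "loop_share": round(share, 3), "agents": sorted(agents[bucket])})
    return flagged


def build_sample_log():
    """Constructed sample: five ordinary page views, then one minute in which a
    crawler with an empty User-Agent issues 80 nested-path requests that are
    all answered with the index redirect."""
    base = datetime(2014, 11, 9, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ts, path, status, ua):
        return (f'127.0.0.1 - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
                f'{status} 1532 "-" "{ua}"')

    lines = [fmt(base + timedelta(seconds=10 * i), p, 200, "Mozilla/5.0")
             for i, p in enumerate(["/", "/code/", "/old/", "/fail/", "/index.html"])]
    names = sorted(REAL_TOPLEVEL)
    crawl_start = base + timedelta(minutes=5)
    for i in range(80):
        depth = 3 + i % 4
        path = "/" + "/".join(names[(i + k) % 3] for k in range(depth)) + "/"
        lines.append(fmt(crawl_start + timedelta(milliseconds=700 * i), path, 302, "-"))
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in analyze(build_sample_log()):
        print(hit)
```

Feed real logs in through `analyze(open(path).read())`; the interesting step for a group of operators is then to compare the flagged minutes and the loop-shaped paths across sites, since a single onion's log cannot tell a broken crawler from a probe, but the same pattern hitting many onions at once can.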