[tor-talk] Shaping Tor's traffic
gareth.owen at port.ac.uk
Sun Jan 4 18:10:23 UTC 2015
I know you weren't looking for me to reply necessarily but let me clarify.
In those slides I was principally talking about non-global adversaries -
e.g. you or me deploying an attack. With global adversaries they have a
handful more options - namely you don't need to own the guard node if you
can monitor/delay traffic to and from it.
Sorry if it wasn't clear.
On 4 January 2015 at 17:43, carlo von lynX <lynX at time.to.get.psyced.org>
> On Mon, Nov 17, 2014 at 09:46:37PM +0000, Gareth Owen wrote:
> > Just to let you know, I am also giving a talk at 31c3 on Tor, but my talk
> > is focussing on a research project we did on the Tor HS DHT. I was also
> > planning to talk a little about the Tor Research Framework and an
> > accessible overview of correlation attacks - if time permits.
> Excuse me picking up a very old mail, but the question I have
> may (a) be of general interest and (b) possibly be answered by
> someone else but Gareth Owen, the presenter.
> There was just one slide at the end of the talk where it occurred
> to me that my understanding of Tor felt in disagreement with the
> The slide states that "Traffic confirmation attacks are MUCH
> more powerful" which makes sense to me, but then Gareth says
> that it would take a user to bump into a "dodgy guard relay"
> run by the same attacker that also runs the hidden service
> in order to de-anonymize a user accessing that hidden service.
> Gareth follows up saying you can de-anonymize a fraction of
> hidden service users that way.
> Later Gareth says "As the attacker you need to control the
> hidden service's guard node to do these traffic correlation
> From my understanding it isn't necessary to *control* any
> of the guard nodes, it is fully sufficient to be able to
> measure or shape the patterns of traffic moving between
> the guard node and the calling user or the hidden service
> respectively. So essentially any surveillance infrastructure
> monitoring intercontinental traffic may be able to detect
> or shape such traffic if the guard nodes happen to not be
> network topologically close to their respective users.
> The only protection I see against that would be if either
> the user is generating plenty of other traffic between her
> node and the guard node while accessing the hidden service,
> or if the hidden service is so popular, it is being talked
> to by several circuits coming from the same guard. And how
> much of a protection that can be would be subject to research.
> To me it sounds like it would just take more time to correlate.
> So, from the perspective of a global active adversary doing
> traffic shaping, the general procedure to me sounds like this:
> 1. you run confirmation attacks long enough until you have
> singled out the IP address of the not so hidden service;
> 2. you run heavy weaponry against its guard nodes in order
> to get control over the software, allowing you to start
> distinguishing individual circuit activity patterns
> (this step would only be necessary if the targeted hidden
> service is very popular);
> 3. you pick out specific tor users and shape their traffic
> entering their entry nodes to see if those patterns pop
> out on the way to the hidden service - or other way
> around, you shape the traffic going back to the user.
> Is there anything wrong with my assumptions, or is Gareth
> right that it takes p0wnage of *both* guards in order to
> de-anonymize people? Or is the truth somewhere in-between,
> in the sense that we don't know how well shaping attacks work?
> I also wonder, if you're a really good global active attacker,
> you should be able to spot the traffic you shaped anytime it
> crosses your surveillance infrastructure again... so you should
> have a plausible chance of figuring out which websites a user is
> looking up.
> I understand the Tor network fluctuates a lot concerning latency
> and throughput, so the attacker would have to do quite aggressive
> shaping, buffering not so little amounts of data, sending specific
> amounts of bytes then introducing pauses of significant duration.
> But I'm just theorizing, and maybe Tor has some provisions to
> protect against traffic shaping that I am not aware of. That
> would explain Gareth's statement. I just grepped through a year
> of mailing lists and didn't find traffic shaping discussed much
> at all. Maybe "shap" wasn't the suitable search expression.
Dr Gareth Owen
Forensic Computing Course Leader
School of Computing, University of Portsmouth
*Tel:* +44 (0)2392 84 (6423)
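The point both messages circle around is that an observer on the client-to-guard link does not need to run the guard: it only needs to recognise a byte-count pattern on that link, and the one mitigation carlo names is other traffic sharing the link ("plenty of other traffic between her node and the guard node"). The toy model below, added here as an illustration and not code from the thread, the talk or the Tor Project, makes that trade-off concrete: it generates a bursty per-second byte pattern for one circuit, adds a fixed delay and a chosen amount of cover traffic from other circuits on the same link, and measures how well the original pattern can still be aligned against what the link shows. The exponential cover-traffic model, the one-second windows, the burst size and the fixed delay are all assumptions of the model, not measurements of Tor.

```python
"""Toy model: pattern recovery on a guard link versus cover traffic.

Hypothetical example (not Tor Project code). A link observer holds a
known per-window byte pattern of one circuit and asks whether that
pattern is still recognisable once other circuits share the link.
"""
import random

WINDOWS = 120          # one-second observation windows (assumption)
BURST_BYTES = 5_000    # bytes one burst of the targeted circuit carries (assumption)


def make_pattern(rng, windows=WINDOWS, burst_prob=0.3):
    """Constructed on/off byte counts per window for the targeted circuit."""
    return [BURST_BYTES if rng.random() < burst_prob else 0 for _ in range(windows)]


def observe_link(pattern, cover_mean, delay, rng):
    """Byte counts per window as seen on the client-to-guard link.

    The targeted circuit shows up `delay` windows late; cover traffic from
    other circuits is modeled as exponentially distributed bytes per window
    with mean `cover_mean` (a modeling assumption, not Tor behaviour).
    """
    seen = []
    for i in range(len(pattern)):
        own = pattern[i - delay] if i >= delay else 0
        cover = rng.expovariate(1.0 / cover_mean) if cover_mean > 0 else 0.0
        seen.append(own + cover)
    return seen


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def best_lag(pattern, seen, max_lag=5):
    """Return (lag, correlation) for the lag in [0, max_lag] that aligns best.

    Trying several lags stands in for the latency jitter carlo mentions: the
    observer does not know the exact delay and searches over a small range.
    """
    best = (0, -1.0)
    for lag in range(max_lag + 1):
        r = pearson(pattern[: len(pattern) - lag], seen[lag:])
        if r > best[1]:
            best = (lag, r)
    return best


def cover_sweep(cover_means, delay=2, seed=1):
    """Recovered (lag, correlation) for each mean amount of cover traffic.

    A deterministic seed keeps the constructed data reproducible.
    """
    rng = random.Random(seed)
    pattern = make_pattern(rng)
    result = {}
    for mean in cover_means:
        seen = observe_link(pattern, mean, delay, rng)
        result[mean] = best_lag(pattern, seen)
    return result


if __name__ == "__main__":
    for mean, (lag, r) in cover_sweep([0, 2_000, 5_000, 20_000, 50_000]).items():
        print(f"cover mean {mean:>6} bytes/window -> best lag {lag}, correlation {r:.3f}")
```

With no cover traffic the pattern is recovered exactly at the true delay, and the correlation falls as the mean cover traffic grows past the burst size, which is the "it would just take more time to correlate" intuition in numeric form: more cover means more windows are needed before the pattern stands out, and the model says nothing about how much real Tor padding or concurrent use is required, which the thread itself leaves as a research question.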