[tor-talk] Traffic shaping attack

Oskar Wendel o.wendel at wp.pl
Sat Mar 19 11:02:44 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Roger Dingledine <arma at mit.edu>:

> One of the questions to ask is how many points you need to watch in order
> to be in a position to launch the attack. This is where Tor fares better
> than centralized approaches like VPNs or single-hop proxies, and it's
> Tor's best line of defense here.

Let's assume that the service is extremely popular, with over 6 terabytes 
of traffic each day, and a gigabit port almost constantly saturated. Then, 
we can observe a small handset of guards and still be able to spot at 
least some users.

> Another question to ask is whether there will be false positives in the
> statistics, i.e. how often your analysis says "yes, match" when actually
> it's mistaken.

Well, for one traffic hiccup probably many. For constant interruptions in 
specified time frames, probably not many, if any. I mean, if you download 
a file that is big enough to cause many of these interruptions, I think no 
other traffic would meet this pattern.

> The third question you might ask is: can I inject these signals in a
> way that they're still recognizable to me, but observers don't realize
> that anything weird is going on with the traffic? That is, can I do
> this active traffic modulation attack but still be undetectable?

Some observers will realize and stay safe, but some people will not 
realize and get caught...

This is not a theoretic attack. This is something that has been noticed 
on one of illegal sites and I expect many busts around the globe in the 
coming weeks.

> http://freehaven.net/anonbib/#ndss09-rainbow
> http://freehaven.net/anonbib/#ndss11-swirl
> http://freehaven.net/anonbib/#pets13-flow-fingerprints

The swirl seems to describe just that...

- -- 
Oskar Wendel, o.wendel at wp.pl.REMOVE.THIS
Pubkey: https://pgp.mit.edu/pks/lookup?search=0x6690CC52318DB84C
Fingerprint: C8C4 B75C BB72 36FB 94B4 925C 6690 CC52 318D B84C
-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJW7THNAAoJEGaQzFIxjbhMMM8IALvc0miX63zI+xIKlvliXnXs
NveIctCz2pxfeXthMZWbULtRWKPBvMqVdwlQ0SYc4FKpVENL0o+8/554b0WGAYV5
49+wyXFVtFhD+QLDpkiFuiybRTrZxDK6cSITPv987JWWQIJdZ9nTFUkxTTXqUjHa
9EHVibzlxMWivZl/eUpG3wqYiqyruHthH0+zbTovRtlO2uxTANqoGeXOgwxUyaYc
DbQWFHQ4onWsyM8vqU+pNsIo2k9a3Ns0SgX14GL+2Ml8T3QsbfE4cT8wML62KpIg
s1kGYURGCtgzA6QU6DVrUw2TF7phvPfkQHKIUleCIkoSFpTk7hxeH7haQbKXBvE=
=C9tj
-----END PGP SIGNATURE-----



More information about the tor-talk mailing list