[tor-talk] Traffic shaping attack

coderman coderman at gmail.com
Mon Mar 21 06:27:01 UTC 2016


On 3/19/16, Oskar Wendel <o.wendel at wp.pl> wrote:
> ...
> Let's assume that the service is extremely popular, with over 6 terabytes
> of traffic each day, and a gigabit port almost constantly saturated. Then,
> we can observe a small handful of guards and still be able to spot at
> least some users.

the problem with high traffic sites is a local confirmation attack.
E.g. your colo line is really active! and on a short list of suspects
above large traffic threshold.

an outage of your local link for 3-5 min leads to confirmation across
10,000 probe sessions, circuit extension attempts, and connect
attempts, all confirming yes indeed suspect hidden service suddenly
out of reach. [ is this sufficient *proof* for $context? who knows,
but you get the picture...]

at least now the feds can't pretend to be the technicians servicing
your outage under cover, anymore... ;)



> Well, for one traffic hiccup probably many...
>
> This is not a theoretic attack. This is something that has been noticed
> on one of illegal sites and I expect many busts around the globe in the
> coming weeks.

attacks attempting to confirm a solitary client connecting to a peer
(e.g. very low degree node) are at different risk than those highly
centralized, very active services experience.

good luck to you! and please share insights and experience :)


best regards,

