[tor-talk] Traffic shaping attack

Oskar Wendel o.wendel at wp.pl
Sat Mar 26 15:30:45 UTC 2016



Mike Perry <mikeperry at torproject.org>:

> I'm still with Roger on being careful about assuming it's an attack (and
> not a bug, or other emergent behavior) before conducting more tests. At
> least, that is what proper engineering and science demands before we can
> respond, anyway.

Yes, I agree. But the attack is very probable here.

> For example, I wonder if users see such interrupts on all of their Tor
> traffic at that time, or just hidden service traffic? Or just hidden
> service traffic to specific services?

Only with hidden service traffic from this specific service.

> I am wondering the same thing about the hidden service side. Is it
> seeing interrupts of all traffic, or just some?

Unfortunately, only the site admin could confirm, but I don't see him 
here (he has been notified of this thread).

Actually, as I don't know the site admin in person, it would be possible 
that the site admin is already in jail and the site is being run by LEA, 
inserting these interruptions deliberately. But for now let's assume it's 
not true.

> If this is an attack, this information could help inform us as to if
> we're looking at an attack targeting all users, certain guard nodes, or
> just specific hidden services. With this information, we will also be
> able to better consider defenses, if it is an attack.

If it is an attack, I strongly suspect it's targeting users of the 
specific hidden service.

> Even if it is not an attack, it would still be useful to know, because
> we may be looking at some other kind of bug or bad emergent property in
> Tor.

Yes, definitely.

> It could also be due to the fact that Tor is effectively
> single-threaded. If something on the user's guard node, intermediate
> node, or hidden service is taking large amounts of CPU time, this will
> prevent traffic from flowing while that operation is happening.

It would have to run within a realtime scheduler to completely block Tor 
for several seconds... very few applications use this scheduler, at least 
in Linux.

-- 
Oskar Wendel, o.wendel at wp.pl.REMOVE.THIS
Pubkey: http://pgp.mit.edu/pks/lookup?op=get&search=0xB5E3846CD40F08E3


