Disguising a Tor node?

Tyler Durden camera_lumina at hotmail.com
Fri Dec 15 03:43:55 PST 2006


OK, more dumb questions about hiding a Tor node.

Even though the current list of Tor node IP addresses is basically public, 
I'm not 100% convinced it would have to be.

Well, exit and entry nodes perhaps have to be public, but what about nodes 
inside the cloud? OK, anything sent to one of those nodes by an edge node 
has to use a unencrypted IP address on the packet header, right? BUT, the 
same machines that house the Tor nodes could (and probably do, right?) house 
other services as well...a packet sent to the Tor node has to be sent to the 
right socket and layer 4 service. Right? And THAT can be encrypted, and 
probably already is by Tor nodes. (Now remember I'm not a datacom guy...)

If the list of interior Tor nodes is encrypted and only machine-readable by 
other Tor nodes, AND if we have a few additional services residing on the 
same machines as the Tor nodes, then a packet sent to a machine housing a 
Tor node may or may not actually be going to a Tor node.

If the operators of that machine are also unaware of the precise 
service-bundle existing on the machine (not unreasonable as long as someone 
is paying them for the consumed bandwidth) AND if packets destined for that 
machine can reasonably be said to be accessing a non-TOR service AND if the 
IP address list of interior TOR nodes is encrypted, is the Tor node now 
disguised? Seems to me it would be difficult for some authorities to track 
down the location of some Tor nodes.

Or am I missing something? Like I said, I'm no datacom guy, but hiding a Tor 
node doesn't seem impossible to me.

-TD


>From: Lists <phlex_lists at meshmx.com>
>To: Tyler Durden <camera_lumina at hotmail.com>
>Subject: Re: Disguising a Tor node?
>Date: Thu, 14 Dec 2006 11:38:57 +0000
>
>All TOR nodes can be found in the network directory of TOR.
>
>http://moria.mit.edu:9031/tor/
>
>With that list it is easy to find all official tor nodes on the planet.
>Skype, Wikipedia etc use that list to block access.
>And yes, this list has to be there. It is used by the TOR network itself
>so that nodes can find each other.
>
>TOR is not exactly "censorship resistant".
>
>-- phlex
>
>Tyler Durden wrote:
> > Well, here's where my ignorance is revealed.
> >
> > But let me recall the 'threat scenario' in this case.
> >
> > MwGs don't like Tor networks, and set about trying to find the nodes,
> > and take them down. How do they do this? They can, perhaps, look at the
> > IP addresses of packets they themselves shoot through the network, and
> > then (theoretically) trace these back to the machines that sent the
> > packets, presumably a tor node. Or at least, they can do this for an
> > exit node(s).
> >
> > After finding an exit node, they can then contact the operator to locate
> > the server and Tor node, and bludgeon them into taking it down. The
> > operator probably won't be surprised, because they will have installed
> > the Tor node, which presumably has all sorts of files named, TOR.EXE,
> > TOR_CLIENT.DLL, and so on. The only other way to tell they are running a
> > Tor node is to see the other IP addresses coming in and going out, which
> > presumably are other Tor nodes.
> >
> > Is that basically right?
> >
> > What if, for instance, a Tor client sent out a whole buttload of IPs,
> > some of which are Tor nodes, some of which aren't, in various cities
> > (including, say Fallujah). Let's say also that the Tor package sent to
> > an actual Tor node operator was disguised to look like some other
> > innocuous service. Let's say also that there are plenty of fake non-Tor
> > packets coming in and out of that node which don't lead to any Tor nodes
> > at all.
> >
> > In that case, the local authorities would have to have some kind of
> > subpoena (one would think) 'proving' to the operator that they indeed
> > have a hated Tor node on one of their machines. They would also have to
> > do this for a variety of nodes, perhaps, even ones that aren't actually
> > Tor nodes.
> >
> > OK, farfetched. But possible? I'm a telecom guy so what the hell do I
> > know...
> >
> > -TD
> >
> >
> >
> >
> >> From: Eugen Leitl <eugen at leitl.org>
> >> To: Tyler Durden <camera_lumina at hotmail.com>, cypherpunks at jfet.org
> >> Subject: Re: redgene might be gone
> >> Date: Mon, 11 Dec 2006 18:29:54 +0100
> >>
> >> On Mon, Dec 11, 2006 at 12:11:52PM -0500, Tyler Durden wrote:
> >>
> >> > Why is it necessary for a Tor node to be identifiable by
> >> authorities? Is it
> >> > possible to disguise it as something else?
> >>
> >> If you're renting a colo server with a fixed IP, how would you
> >> disguise it as anything, or conceal it as anything else if
> >> you have never ever even seen the machine in question?
> >>
> >> Still no news on the trouble ticket. Either they're swamped,
> >> or the server has been really confiscated.
> >>
> >> --
> >> Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
> >> ______________________________________________________________
> >> ICBM: 48.07100, 11.36820            http://www.ativel.com
> >> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
> >>
> >> [demime 1.01d removed an attachment of type application/pgp-signature
> >> which had a name of signature.asc]
> >
> >
>

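The point phlex makes above (that the published directory lets anyone match observed addresses against the relay list, regardless of what else runs on the same machine) can be shown with a small defensive script. This is an added example, not code from the thread or from the Tor project; it assumes the 2006-era server-descriptor layout where each relay is announced on a `router <nickname> <address> <ORPort> <SOCKSPort> <DirPort>` line, and every address, nickname and connection below is constructed.

```python
"""Match observed connection addresses against a Tor relay list.

Added example, not from the original thread. It illustrates why a relay
co-hosted with other services is still identifiable: the directory publishes
the relay's address, and that is all a matcher needs. The input is a
constructed snippet in the shape of Tor server-descriptor "router" lines
(`router <nickname> <address> <ORPort> <SOCKSPort> <DirPort>`); the
addresses and nicknames are made up.
"""
import ipaddress
from typing import Dict, Iterable

# Constructed sample directory data in the "router" line layout. The last two
# lines are deliberately malformed to exercise the parser's skipping logic.
SAMPLE_DIRECTORY = """\
router moria1 192.0.2.10 9001 0 9030
router tor26 198.51.100.7 443 0 80
router fakeisp 203.0.113.44 9001 0 0
junk line that is not a router entry
router brokenentry not.an.ip 9001 0 0
"""

# Constructed sample of source addresses seen at a site's network edge.
SAMPLE_CONNECTIONS = [
    "192.0.2.10", "203.0.113.44", "203.0.113.99", "198.51.100.7", "10.0.0.5",
]


def parse_router_lines(text: str) -> Dict[str, str]:
    """Return {address: nickname} for every well-formed 'router' line.

    Lines that are not router entries, or whose address or ORPort do not
    parse, are skipped rather than aborting the whole load.
    """
    relays: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "router":
            continue
        nickname, address, orport = parts[1], parts[2], parts[3]
        try:
            ipaddress.ip_address(address)  # validates IPv4/IPv6 syntax
            int(orport)
        except ValueError:
            continue
        relays[address] = nickname
    return relays


def find_relay_connections(connections: Iterable[str],
                           relays: Dict[str, str]) -> Dict[str, str]:
    """Map each observed address that is a listed relay to its nickname.

    Note the match is on the IP address alone: a relay answering on port 443
    next to a real web server is matched exactly like one on port 9001.
    """
    return {ip: relays[ip] for ip in connections if ip in relays}


if __name__ == "__main__":
    relays = parse_router_lines(SAMPLE_DIRECTORY)
    hits = find_relay_connections(SAMPLE_CONNECTIONS, relays)
    for ip, nick in hits.items():
        print(f"{ip} is listed as Tor relay {nick}")
```

Running it flags three of the five constructed connections as coming from listed relays, including the one announced on port 443; that is the mechanism behind the Skype and Wikipedia blocking phlex mentions, and it is unaffected by which other services share the host.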





More information about the cypherpunks-legacy mailing list