Active Attacks - Already in Progress?

Theodore Bagwell toruser1 at imap.cc
Wed Nov 24 18:38:23 PST 2010 

We recently discussed an attack on onion-routing anonymity, wherein a
well-funded adversary overwhelms the network with compromised relays,
thereby increasing his chances of monitoring anonymity-compromising
data.

I don't mean to alarm anyone, but I just did some quick-and-dirty
research that suggests such an attempt may already be under way. I hope
to be proven wrong.

I postulated that such an attacker would mass-deploy his relays in a way
that did not lend a whole lot of uniqueness to the name of each relay*.
The relay names would probably be random characters, numbers, or words
at best. At sloppiest, they would just be one name with sequential
numbers after it - "AnonymityAttacker001, AnonymityAttacker002,
AnonymityAttacker003, etc."

So, I decided to look for such patterns in the list of Relays available
in my Tor console. A quick scan revealed what appeared to be either (A)
mass-deployments of Tor relays by a singular entity, or (B)
astronomically-unlikely coincidental naming schemes adopted by dozens of
disparate and unconnected individuals.**

But it wasn't just finding these relays that concerned me. It was Tor's
affinity for routing through them.

See, I began closing my open circuits systematically. I kept records of
any circuits which contained PPrivCom___ or torserversNet_ relays in it.
I closed and recorded 43 circuits. Here are my findings:

While Tor indicated it had 1665 relays to choose from, 79% of my
circuits used one of the suspicious relays. 2% of my circuits used two
suspicious relays. 0% of my circuits used three suspicious relays.

Of the circuits I recorded, only 21% did not route through a suspicious
relay.

My conclusion is that someone (a security researcher? A hobbyist? A
government?) is actively toying with the feasibility of attacking Tor's
anonymity. According to my statistics, they may also be gaming Tor's
affinity for choosing relays*** because they have, unquestionably,
succeeded in relaying 79% of my circuits despite controlling a mere 2.8%
of the relays in the Tor network.

How dangerous is it if two of the three circuit relays are compromised?
What recourse do we have? Can someone more knowledgeable shed more light
on this? 

I yield the balance of my time. :)
---
* Of course, the well-organized attacker would go to the trouble to
construct names that truly blended in with the Tor namescape - such
as,"MrSpudRelays, QueenAnnesRevenge, SteveKenpIsMyHero, and so forth."
** I speak primarily of "torserversNet_" numbers 1-5, and PPrivCom___"
numbers 004-052.
*** The inner workings of which I, admittedly, do not understand...
**** 47 out of 1665 active relays, according to my Tor console.
-- 
  Theodore Bagwell
  toruser1 at imap.cc

-- 
http://www.fastmail.fm - The professional email service

***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list