[tor-talk] Is this a practical vulnerability?
Anon Mus
my.green.lantern at googlemail.com
Fri Oct 19 03:25:34 PDT 2012
On 19/10/2012 04:12, Lee Whitney wrote:
> I was reading a paper on discovering hidden service locations, and couldn't find any reason it shouldn't work in principle.
>
> However being that I'm a Tor novice, I wanted ask here.
>
> In a nutshell they propose throwing some modified Tor nodes out there that modify the protocol enough to track down the location. It does take some time, but it doesn't seem like years.
>
My experience is that there s already an easy method of identifying Tor
hidden service nodes and this takes little time to do.
Let me explain why I come to that opinion.
Having a static IP net connection, I set up a test web site as a Tor
service on a Tor middleman server. That server had been a middleman server
for about a year, no problems, no attempts to hack it in all that time.
Within 24hrs of making that Tor hidden service live I could see, in my
firewall logs, hundreds of repeated attempts trying to hack my server,
directly from the internet, not via my hidden Tot service. All were
attempting to access various types of services/permissions which were
mainly focused on attempting to gain control of a "web page server". All
attacks were from US based places of higher education (colleges and
universities), most from establishments where Tor servers were situated
but not from Tor servers themselves.
Now bearing in mind that I had only EVER requested 1 web page (a blank
test page - requested about 4 times) from my own Torrified web browser
(out and back so to speak), and no OTHER (external) page requests were
EVER received via the Tor hidden service, as shown by its log. Then
someone must have been able to immediately see the service enter and track
its source, who then attempted to hack the web server itself and it
appeared to be a group of about 3 or 4 persons, each trying different
attack strategy over a 12 hour period. Hundreds of commands were sent,
many in quick succession as if they were in some sort of script file, but
some were live, at one point I even watched them live as they were coming
in as I countered their hack attempts.
As a result of this I did some serious thinking about Tor and came to the
conclusion that someone out there and I believe it is THE global adversary
(USA mil/sec) is able see with perfect transparency all Tor traffic.
Consider.:
Most Tor users see the Tor connections as merely a set of 3 or 4 connected
nodes over which their traffic is routed, e.g. Tor1 - US, Tor 2 - Germany,
Tor 3 France - EXIT. But in reality then internet is not like that, this is
only the UPPER structure level. At the lower level the packets are routed
over many dozens of sub-nodes, these nodes are invisible to the Tor map of
your traffic. You can find out this info yourself if you wish to test out a
single ROUTE to another IP address just by doing a traceroute url (tracert
url for windows) command from a command line prompt window. As you will
see this is about a dozen hops to the average local url. But this is not
the end of the problem, as some hops are hidden and they report only a
virtual hop back to you.
e.g. lets say a node is in a server in an IBM/US telecoms company based in
France, then that server will almost certainly be routing ALL its traffic
through the USA and back to itself (or another node in the same company)
before sending it on to the next external node. This diversion is NEVER
reported as ONLY a single "virtual node ip" is quoted. The only way you can
ever tell its been done is by looking at the time delay, however this is
also often difficult/impossible to spot because these routes are often the
fastest on the internet. OK - I know this goes on for certain because there
are internal tools used within these companies to trace the TRUE route and
I have seen such servers send their traffic in this manner 24/7 - 365.
Having discussed this as "wasted effort" with a network engineer I was told
there is a "payment" made somewhere to compensate. At the same time all of
this is camouflaged in apparently nice and legitimate reasons for it being
that way, but when you pull it apart you see the lie, but you can't PROVE
it.
As about 70% of Europe's internet traffic passes through an IBM/US telco's
servers then it almost certain that in any one of these Tor node to Tor
node connections there is at least one sub-nodes that passes the traffic
through the USA, who is the global adversary using Total Traffic Timing
Tracking.
You should be able to work the rest out for yourself.
> Any comment appreciated, here's a link to the paper:
>
> http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf
>
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
_______________________________________________
tor-talk mailing list
tor-talk at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
More information about the cypherpunks-legacy
mailing list