tior stinks

Zenaan Harkness zen at freedbms.net
Sat Oct 26 15:41:58 PDT 2019


On Sat, Oct 26, 2019 at 04:53:02PM -0300, Punk - Stasi 2.0 wrote:
> 
> 
> 
> 	2005 Low-Cost Traffic Analysis of Tor
> 	https://www.freehaven.net/anonbib/cache/torta05.pdf

Thank you. Have to read this.


> 	"By making these assumptions, the designers of Tor believe it is safe to employ only minimal mixing of the stream cells...
> 
> 	...This choice of threat model, with its limitation of the adversaries’ powers, has been a subject of controversy...
> 
> 	...Tor, on the other hand assumes a much weaker threat model..
> 
> 	...we show that even relatively weak adversaries can perform traffic-analysis, and get vital information out of Tor. This means that even non-law-enforcement agencies can significantly degrade the quality of anonymity that Tor provides, to the level of protection provided by a collection of simple proxy servers, or even below."
> 
> -------
> 
> 	my comment : the attack is based on monitoring the latency of a node while sending an attacker controlled stream through it 
> 
> 
> 	"Tor exhibits the worst possible behaviour: not enough interference to destroy individual stream characteristics, yet enough to allow the remote measurement of the node’s load." 
> 
> 
> 	Maybe some tor fanboi knows if this has been somehow fixed?

The real question is whether it's possible to fix.


> 	Anyway the article makes it clear that simple cover traffic is
> 	not enough to defend against timing attacks. 

Packet size, bandwidth used, as well as packet transmission latency,
each need to be normalized.

And any time an attacker can suspend your network stream briefly,
there's a blip that will propagate through the network - and so, of
course, if the attacker is sending a stream through your node, and
your ISP/Gov suspended your connection to your ISP for say 200ms,
then the attacker will get a subsequent gap in his stream being sent
via your node, thus identifying you as their target.

Splitting streams and having only micro (low b/w) streams doesn't
help - the attacker is only going to send one stream through you of
course.

Dark alt net can handle outgoing temp suspends - just send streams
through your 'dark' non-govnet hop, to some other node who can
onforward the incoming streams or requests for outgoing (if I'm say a
web server), but this does not fix the attacker's incoming stream
being suspended, whereby you don't have any of the attacker's packets
to send to the attacker during the suspension window, and attacker
sees the latency spike, identifies you.

Mandating higher latency per node requires (significantly) larger
packet queues, and quickly ramps up overall end to end latency:

Let's say we buffer 500ms since that forces attackers to suspend
links for over 500ms to identify target nodes, and making their
network node bisections more noticeable to end users:

So 7 hops * 500ms latency per hop = 3.5s - and that's a basic
minimal length end to end route from end user node, to dark net
server node; 10 hops = 5 seconds.

And 500ms may not be enough! Perhaps we should buffer up for a second
or more?

Attackers such as government stalkers who have widespread control
over ISP and backbone routers, will bisect their target sets,
reducing these sets (of interesting to them end user nodes) as much
as possible, before doing say a binary bisection using the above
latency injection analysis technique (and other techniques).


