flooding attacks to discover hidden services
Steven Murdoch
tortalk+Steven.Murdoch at cl.cam.ac.uk
Mon Jan 1 18:22:52 UTC 2007
On Tue, Jan 02, 2007 at 01:39:05AM +1100, Wikileaks wrote:
> Open an onion connection to the hidden service, asking for echos.
> Now flood each router. If the "ping" is overly delayed, the router
> is on the hidden path.
This is a special case of the attack described in 5.2 of [1].

If we assume that the hidden service is on a Tor server then the nodes
which will show positive correlation will be the hidden service and
the guard node. If the guard nodes are stable then this gives the
hidden service some protection.

If the hidden service is not on a Tor server, and there is no other
way for the attacker to build a list of candidates to ping, then the
attack becomes a lot harder.

Furthermore, there is no reason the hidden server needs to respond to
pings, or even have a public IP address. Tor only requires that the
hidden service be able to make outgoing TCP connections.

Hosting the hidden service on a Tor node gives some plausible
deniability, but opens up attacks like the one you describe.
Thanks,
Steven.
[1] http://www.cl.cam.ac.uk/~sjm217/papers/oakland05torta.pdf
--
w: http://www.cl.cam.ac.uk/users/sjm217/