What to do at IP number change?

Jon McLachlan mcla0181 at umn.edu
Tue Jan 8 20:15:05 UTC 2008


dr._no at cool.ms wrote:
> Another point is that without a tor server my home would be vulnerable to traffic 
> analysis and a further point is that a tor server is more safe than only a client.
>   
I think this depends largely on what type of traffic analysis we're 
talking about.  Traffic analysis, just looking at traffic, almost always 
divulges some level of information.  For example, if a local passive 
adversary simply watched a Tor Relay that was suspected to also contain 
a Tor Client, then one could imagine a simple traffic analysis as follows:

1)  Establish running totals of all incoming and outgoing traffic from 
the machine.

2)  Then, closely monitor when it is the case that the outgoing traffic 
level "spikes" or when the incoming traffic level "spikes" as they could 
indicate that a Tor Client was using the relay as an entry point.  How 
much it "spikes" could fingerprint a website ... or even be a 
maliciously modulated signal from an evil server that you might have 
connected to via your tunnel.

This exploits the behavior of a basic Tor Relay, in which everything 
that enters a relay must [immediately] leave that relay.  This traffic 
alone would generate what appears equal/average incoming and outgoing 
msgs.  Any spikes in the entering / leaving traffic are therefore 
probably not from the Tor Relay itself, but from something else.  (Of 
course, this ignores dir service lookups, bridges, and probably a few other 
things).

Sounds like an interesting research project.

Best Regards,
~Jon
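
The observation described in the message above, as an added example that is not part of the original post: a relay operator can run this over their own interface counters to see what the in/out imbalance gives away. The byte counts, the jitter values and the function names are all constructed assumptions.

```python
from statistics import median

def observe(relayed, jitter, client_down, client_up):
    """Totals a passive observer sees per interval (all inputs constructed).

    Relayed bytes enter and leave the machine; 'jitter' models forwarding
    that is not perfectly immediate. Client downloads only add to incoming,
    client uploads only add to outgoing.
    """
    incoming = [r + d for r, d in zip(relayed, client_down)]
    outgoing = [r + j + u for r, j, u in zip(relayed, jitter, client_up)]
    return incoming, outgoing

def flag_spikes(incoming, outgoing, k=6.0):
    """Return interval indices whose in/out imbalance is an outlier.

    Median and median absolute deviation (MAD) are used so the spikes
    themselves do not inflate the baseline they are compared against.
    """
    diff = [i - o for i, o in zip(incoming, outgoing)]
    med = median(diff)
    mad = median([abs(d - med) for d in diff]) or 1.0
    return [t for t, d in enumerate(diff) if abs(d - med) > k * mad]

# Constructed sample: KB forwarded by the relay in ten one-second intervals.
RELAYED = [500, 520, 480, 510, 495, 505, 515, 490, 500, 510]
JITTER = [3, -2, 1, -4, 2, 0, -1, 3, -3, 1]
IDLE = [0] * 10
# A co-located client sends a small request, then receives a burst.
CLIENT_UP = [0, 0, 20, 0, 0, 0, 0, 0, 0, 0]
CLIENT_DOWN = [0, 0, 0, 300, 250, 0, 0, 0, 0, 0]

def relay_only():
    return flag_spikes(*observe(RELAYED, JITTER, IDLE, IDLE))

def relay_with_client():
    return flag_spikes(*observe(RELAYED, JITTER, CLIENT_DOWN, CLIENT_UP))

if __name__ == "__main__":
    print("relay only:       ", relay_only())
    print("relay plus client:", relay_with_client())
```

Like the message, this model ignores directory lookups, bridges and other traffic that also breaks the in-equals-out assumption.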



More information about the tor-talk mailing list