SPD talk: "Simulating a Global Passive Adversary for Attacking Tor-like Anonymity Systems"?

gojosan at mailhaven.com gojosan at mailhaven.com
Fri Jun 13 02:48:29 UTC 2008


Hi,


On Thu, 12 Jun 2008 16:26:48 -0700, "Mike Perry" <mikeperry at fscked.org>
said:
> Thus spake gojosan at mailhaven.com (gojosan at mailhaven.com):
> 
> > I just noticed this talk at the Security and Privacy Day from May 2008. 
> > While I understand that Tor's thread model does not defend against a GPA
> > I am still curious what effect this attack can have against the current,
> > real Tor network?  
> > 
> > Simulating a Global Passive Adversary for Attacking Tor-like Anonymity
> > Systems
> > http://web.crypto.cs.sunysb.edu/spday/
> 
> A handful of comments about the paper (many of these they themselves
> brought up, but some they did not):
> 
> [snip]

That is great info and very well explained, thank you.  Your response
was exactly what I was hoping for.


> A couple countermeasures that are possible:
> 
> 1. Nodes that block ICMP and filter closed TCP ports are less
> susceptible to this attack, since they would force the adversary to
> measure the capacity changes at upstream routers instead (which will
> have other noise introduced due to peers utilizing the link as well). I
> am wondering if this means we should scan the network to see how many of
> these top nodes allow ICMP and send TCP resets, and if it is feasible to
> notify their operators that they may want to consider improving their
> firewalls, since we're only talking about 100-150 IPs here. There are a
> lot more critical things to scan for though, so this is probably lower
> priority.


I am considering running an exit relay.  I have a software firewall to
stealth ports (ICMP, TCP, etc) and I assume "filter" is synonymous with
"stealth"?  When I enable my relay (cable Internet connection) I will
most likely use BandwithRate of 1048576kb and a BandwidthBurst of
2097152kb.  Does this mean my node is more susceptible to this attack?
Also, I have the bandwidth to set BandwithRate of 2097152kb and a
BandwithBurst of 4194304kb; would this larger rate be preferable?  


> 2. Roger pointed out that clients can potentially protect themselves
> by setting 'BandwidthRate 25KB' and setting 'BandwidthBurst' to some
> high value, so that short lived streams will still get high capacity
> if it is available, but once streams approach the 10-20minute lifetime
> needed for this attack to work, they should be below the detectable
> threshold. 

What is considered a high BandwidtBurst setting?  


> I think this is a somewhat ugly hack, and should probably
> be governed by a "High Security Mode" setting that would be
> specifically tuned to this purpose (and be a catching point for other
> hacks that protect against various attacks but at the expense of
> performance/usability).

Could you please elaborate on these other hacks?  What other settings
should be used for those who prefer security/anonymity over
performance/usability?  In your opinion what settings and actions
constitute a "High Security Mode"?  


> All this aside, this is a very clever attack, and further evidence
> that we should more closely study capacity properties, reliability
> properties, queuing properties, and general balancing properties of
> the network.
> 
> 
> -- 
> Mike Perry
> Mad Computer Scientist
> fscked.org evil labs


Thank your for your time and assistance,
-gojosan

-- 
  
  gojosan at mailhaven.com

-- 
http://www.fastmail.fm - One of many happy users:
  http://www.fastmail.fm/docs/quotes.html



More information about the tor-talk mailing list