[tor-talk] Is this a practical vulnerability?
Anon Mus
my.green.lantern at googlemail.com
Fri Oct 19 10:25:34 UTC 2012
On 19/10/2012 04:12, Lee Whitney wrote:
> I was reading a paper on discovering hidden service locations, and couldn't find any reason it shouldn't work in principle.
>
> However being that I'm a Tor novice, I wanted to ask here.
>
> In a nutshell they propose throwing some modified Tor nodes out there that modify the protocol enough to track down the location. It does take some time, but it doesn't seem like years.
>
My experience is that there's already an easy method of identifying Tor
hidden service nodes, and this takes little time to do.
Let me explain why I came to that opinion.
Having a static IP net connection, I set up a test web site as a Tor
service on a Tor middleman server. That server had been a middleman
server for about a year, with no problems and no attempts to hack it in
all that time.
Within 24hrs of making that Tor hidden service live I could see, in my
firewall logs, hundreds of repeated attempts to hack my server,
directly from the internet, not via my hidden Tor service. All were
attempting to access various types of services/permissions, mainly
focused on attempting to gain control of a "web page server". All
attacks were from US-based places of higher education (colleges and
universities), most from establishments where Tor servers were situated,
but not from Tor servers themselves.
Now bearing in mind that I had only EVER requested 1 web page (a blank
test page, requested about 4 times) from my own Torrified web browser
(out and back, so to speak), and no OTHER (external) page requests were
EVER received via the Tor hidden service, as shown by its log, then
someone must have been able to immediately see the service enter and
track its source, and then attempted to hack the web server itself. It
appeared to be a group of about 3 or 4 persons, each trying a different
attack strategy over a 12 hour period. Hundreds of commands were sent,
many in quick succession as if they were in some sort of script file,
but some were live; at one point I even watched them live as they were
coming in, as I countered their hack attempts.
As a result of this I did some serious thinking about Tor and came to
the conclusion that someone out there, and I believe it is THE global
adversary (USA mil/sec), is able to see with perfect transparency all
Tor traffic.
Consider:
Most Tor users see the Tor connections as merely a set of 3 or 4
connected nodes over which their traffic is routed, e.g. Tor 1 - US,
Tor 2 - Germany, Tor 3 - France (EXIT). But in reality the internet is
not like that; this is only the UPPER structural level. At the lower
level the packets are routed over many dozens of sub-nodes, and these
nodes are invisible to the Tor map of your traffic. You can find out
this info yourself if you wish to test out a single ROUTE to another IP
address just by doing a traceroute url (tracert url for Windows) command
from a command line prompt window. As you will see, this is about a
dozen hops to the average local url. But this is not the end of the
problem, as some hops are hidden and they report only a virtual hop back
to you.
e.g. let's say a node is in a server in an IBM/US telecoms company based
in France; then that server will almost certainly be routing ALL its
traffic through the USA and back to itself (or another node in the same
company) before sending it on to the next external node. This diversion
is NEVER reported, as ONLY a single "virtual node IP" is quoted. The
only way you can ever tell it's been done is by looking at the time
delay; however, this is also often difficult/impossible to spot because
these routes are often the fastest on the internet. OK - I know this
goes on for certain because there are internal tools used within these
companies to trace the TRUE route, and I have seen such servers send
their traffic in this manner 24/7, 365. Having discussed this as "wasted
effort" with a network engineer, I was told there is a "payment" made
somewhere to compensate. At the same time all of this is camouflaged in
apparently nice and legitimate reasons for it being that way, but when
you pull it apart you see the lie, though you can't PROVE it.
As about 70% of Europe's internet traffic passes through an IBM/US
telco's servers, it is almost certain that in any one of these Tor node
to Tor node connections there is at least one sub-node that passes the
traffic through the USA, which is the global adversary using Total
Traffic Timing Tracking.
You should be able to work the rest out for yourself.
> Any comment appreciated, here's a link to the paper:
>
> http://www.cs.uml.edu/~xinwenfu/paper/HiddenServer.pdf
>
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
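The traceroute time-delay check mentioned in the post above, as an added example that is not part of the original message or of any Tor Project code: the script parses traceroute output in the Linux format, takes each responding hop's minimum RTT, and flags any segment where that minimum grows by more than a threshold over the previous responding hop. The traceroute text is constructed for illustration (hostnames, RFC 5737 addresses and timings are all invented), and the 50 ms default threshold is an assumption, not a value from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the style of Linux `traceroute` output. Hostnames,
# addresses (RFC 5737 documentation ranges) and timings are invented.
SAMPLE_TRACEROUTE = """\
traceroute to example.invalid (203.0.113.10), 30 hops max, 60 byte packets
 1  gateway (192.0.2.1)  0.412 ms  0.398 ms  0.401 ms
 2  10.10.0.1 (10.10.0.1)  3.215 ms  3.108 ms  3.302 ms
 3  core1.isp.invalid (198.51.100.5)  8.910 ms  8.870 ms  9.004 ms
 4  * * *
 5  peer-edge.invalid (198.51.100.77)  11.120 ms  11.050 ms  11.233 ms
 6  transit.invalid (198.51.100.130)  96.540 ms  97.002 ms  95.880 ms
 7  203.0.113.10 (203.0.113.10)  98.101 ms  97.950 ms  98.220 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")        # "<ttl>  <rest of line>"
LABEL_RE = re.compile(r"^(\S+(?: \(\S+\))?)")   # "host (addr)" at line start
RTT_RE = re.compile(r"([\d.]+)\s*ms")           # every "<n> ms" probe time


@dataclass
class Hop:
    number: int
    label: str                                  # "host (addr)", or "*" if no reply
    rtts_ms: List[float] = field(default_factory=list)

    @property
    def min_rtt(self) -> Optional[float]:
        # The minimum probe time is least affected by queueing jitter, so it
        # is the best estimate of the fixed delay to this hop.
        return min(self.rtts_ms) if self.rtts_ms else None


def parse_traceroute(text: str) -> List[Hop]:
    """Parse traceroute output into one Hop per TTL line; the header is skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                              # header or blank line
        number, rest = int(m.group(1)), m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        label = LABEL_RE.match(rest).group(1) if rtts else "*"
        hops.append(Hop(number, label, rtts))
    return hops


def flag_latency_jumps(hops: List[Hop], threshold_ms: float = 50.0
                       ) -> List[Tuple[int, int, float]]:
    """Return (previous_hop, hop, delta_ms) for each segment whose minimum RTT
    grows by more than threshold_ms. Unresponsive hops ("* * *") are skipped,
    so a flagged segment may span one or more hidden hops."""
    jumps: List[Tuple[int, int, float]] = []
    prev: Optional[Hop] = None
    for hop in hops:
        if hop.min_rtt is None:
            continue
        if prev is not None:
            delta = hop.min_rtt - prev.min_rtt
            if delta > threshold_ms:
                jumps.append((prev.number, hop.number, round(delta, 3)))
        prev = hop
    return jumps


def analyze_route(text: str, threshold_ms: float = 50.0) -> List[Tuple[int, int, float]]:
    """Parse traceroute text and return the flagged segments."""
    return flag_latency_jumps(parse_traceroute(text), threshold_ms)


if __name__ == "__main__":
    for prev_n, n, delta in analyze_route(SAMPLE_TRACEROUTE):
        print(f"hop {prev_n} -> hop {n}: +{delta} ms over threshold")
```

To use it on a real path, pass the captured output of `traceroute <host>` to analyze_route(). Read a flagged segment narrowly: traceroute only shows forward-path responders, each RTT also includes the unseen return path, and an unresponsive hop (TTL 4 in the sample) is simply skipped, so the flag tells you between which responders latency was added, not where the packets actually went.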