[tor-talk] Traffic shaping attack
torleaks at sigaint.org
Sun Jun 5 00:42:50 UTC 2016
My two cents to previous discussions:
https://lists.torproject.org/pipermail/tor-talk/2016-March/040639.html
https://lists.torproject.org/pipermail/tor-talk/2016-April/040816.html
https://lists.torproject.org/pipermail/tor-talk/2016-June/041058.html
The admin of another hidden service told people he saw the same thing.
One day before his server was seized by authorities he found
the connection speed frequently jumping from 500 Kbit/s to 15 Mbit/s.
It isn't clear when the attack was started, but one week before
the server's seizure he didn't see anything suspicious.
The total lifetime of his server was about 3 months. The admin thinks
it could be a remote traffic shaping attack (DoS) which helped
authorities to discover the IP address of his hidden service.
In normal operation mode the server speed was about 1 Mbit/s
without any jumps. During the attack he saw these speed jumps on the
client side, but cannot be sure the same was seen on the server side.
To get more information he wants to enable advanced network
logging for his other hidden services which can be attacked.
His hidden service was running inside a VM, the Tor client was running
on real hardware and iptables rules were blocking all non-Tor
connections from the VM. Most likely it isn't a problem on the
application side (HTTP server).
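
The post mentions enabling more detailed network logging on the server side. As an added illustration (not part of the original message), the sketch below turns periodic interface byte counters into an alert for the pattern described: repeated swings between a low rate and many times the normal rate. The function names, thresholds and sample data are assumptions made up for this example.

```python
from statistics import median

def rates_kbit(counters):
    """(unix_time, cumulative_bytes) samples -> (unix_time, kbit/s) per interval."""
    out = []
    for (t0, b0), (t1, b1) in zip(counters, counters[1:]):
        if t1 <= t0 or b1 < b0:   # clock step or counter reset: skip this pair
            continue
        out.append((t1, (b1 - b0) * 8 / 1000 / (t1 - t0)))
    return out

def find_oscillation(rates, baseline_n=6, high_factor=5.0, max_gap=60, min_swings=3):
    """Return (baseline_kbit, [(first_swing, last_swing, swing_count), ...]).

    Baseline is the median of the first baseline_n rates (assumed to be normal
    traffic). A swing is a crossing of high_factor * baseline in either
    direction. Swings no more than max_gap seconds apart form one group; a
    group with at least min_swings is reported. All thresholds are assumptions.
    """
    base = median(r for _, r in rates[:baseline_n])
    limit = base * high_factor
    swings = [t1 for (_, r0), (t1, r1) in zip(rates, rates[1:])
              if (r0 >= limit) != (r1 >= limit)]
    alerts, group = [], []
    for t in swings + [None]:     # trailing None flushes the last group
        if group and (t is None or t - group[-1] > max_gap):
            if len(group) >= min_swings:
                alerts.append((group[0], group[-1], len(group)))
            group = []
        if t is not None:
            group.append(t)
    return base, alerts

def build_counters(kbits, step=10, t0=1465000000):
    """Constructed input: a cumulative byte counter sampled every `step` seconds."""
    t, total, out = t0, 0, [(t0, 0)]
    for k in kbits:
        t += step
        total += int(k * 1000 / 8 * step)
        out.append((t, total))
    return out

# Constructed sample using the post's figures: ~1 Mbit/s, then 500 Kbit/s <-> 15 Mbit/s.
SAMPLE = build_counters([1000] * 8 + [500, 15000] * 4 + [1000] * 8)

if __name__ == "__main__":
    base, alerts = find_oscillation(rates_kbit(SAMPLE))
    print(f"baseline {base:.0f} kbit/s")
    for first, last, n in alerts:
        print(f"oscillation: {n} swings between t={first} and t={last}")
```

On Linux the cumulative counters can be sampled from `/sys/class/net/<iface>/statistics/rx_bytes` and `tx_bytes`; a single burst produces only two swings and stays below the default `min_swings`.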