Hi I know you weren't looking for me to reply necessarily but let me clarify. In those slides I was principally talking about non-global adversaries - e.g. you or me deploying an attack. With global adversaries they have a handful more options - namely you don't need to own the guard node if you can monitor/delay traffic to and from it.
Sorry if it wasn't clear.

Best
Gareth

On 4 January 2015 at 17:43, carlo von lynX <[email protected]> wrote:

> On Mon, Nov 17, 2014 at 09:46:37PM +0000, Gareth Owen wrote:
> > Just to let you know, I am also giving a talk at 31c3 on Tor, but my talk
> > is focussing on a research project we did on the Tor HS DHT. I was also
> > planning to talk a little about the Tor Research Framework and an
> > accessible overview of correlation attacks - if time permits.
>
> Excuse me picking up a very old mail, but the question I have
> may (a) be of general interest and (b) possibly be answered by
> someone else but Gareth Owen, the presenter.
>
> There was just one slide at the end of the talk where it occurred
> to me that my understanding of Tor felt in disagreement with the
> presenter's.
>
> The slide states that "Traffic confirmation attacks are MUCH
> more powerful" which makes sense to me, but then Gareth says
> that it would take a user to bump into a "dodgy guard relay"
> run by the same attacker that also runs the hidden service
> in order to de-anonymize a user accessing that hidden service.
> Gareth follows up saying you can de-anonymize a fraction of
> hidden service users that way.
>
> Later Gareth says "As the attacker you need to control the
> hidden service's guard node to do these traffic correlation
> attacks."
>
> From my understanding it isn't necessary to *control* any
> of the guard nodes, it is fully sufficient to be able to
> measure or shape the patterns of traffic moving between
> the guard node and the calling user or the hidden service
> respectively. So essentially any surveillance infrastructure
> monitoring intercontinental traffic may be able to detect
> or shape such traffic if the guard nodes happen to not be
> network topologically close to their respective users.
>
> The only protection I see against that would be if either
> the user is generating plenty of other traffic between her
> node and the guard node while accessing the hidden service,
> or if the hidden service is so popular, it is being talked
> to by several circuits coming from the same guard. And how
> much of a protection that can be would be subject to research.
> To me it sounds like it would just take more time to correlate.
>
> So, from the perspective of a global active adversary doing
> traffic shaping, the general procedure to me sounds like this:
>
> 1. you run confirmation attacks long enough until you have
> singled out the IP address of the not so hidden service;
> 2. you run heavy weaponry against its guard nodes in order
> to get control over the software, allowing you to start
> distinguishing individual circuit activity patterns
> (this step would only be necessary if the targeted hidden
> service is very popular);
> 3. you pick out specific tor users and shape their traffic
> entering their entry nodes to see if those patterns pop
> out on the way to the hidden service - or other way
> around, you shape the traffic going back to the user.
>
> Is there anything wrong with my assumptions, or is Gareth
> right that it takes p0wnage of *both* guards in order to
> de-anonymize people? Or is the truth somewhere in-between,
> in the sense that we don't know how well shaping attacks work?
>
> I also wonder, if you're a really good global active attacker,
> you should be able to spot the traffic you shaped anytime it
> crosses your surveillance infrastructure again... so you should
> have a plausible chance of figuring out which websites a user is
> looking up.
>
> I understand the Tor network fluctuates a lot concerning latency
> and throughput, so the attacker would have to do quite aggressive
> shaping, buffering not so little amounts of data, sending specific
> amounts of bytes then introducing pauses of significant duration.
>
> But I'm just theorizing, and maybe Tor has some provisions to
> protect against traffic shaping that I am not aware of. That
> would explain Gareth's statement. I just grepped through a year
> of mailing lists and didn't find traffic shaping discussed much
> at all. Maybe "shap" wasn't the suitable search expression.
>
>
> --
> http://youbroketheinternet.org
> ircs://psyced.org/youbroketheinternet

--
Dr Gareth Owen
Senior Lecturer
Forensic Computing Course Leader
School of Computing, University of Portsmouth
Office: BK1.25  Tel: +44 (0)2392 84 (6423)  Web: ghowen.me

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
