kiwifarmsfan1
kiwifarms.net
Joined: Apr 13, 2018
Article:
HackerNews discussion: https://news.ycombinator.com/item?id=24500214
Abridged version of the article and excerpts:
---------------------------------------------------------------------------------------------------------------------------------
I read off the address: "152 dot" and they repeated back "152 dot". "19 dot" "19 dot" and then they told me the rest of the network address. (I was stunned.) Tor is supposed to be anonymous. You're not supposed to know the IP address of a hidden service. But they knew. They had been watching the Tor-based DDoS. They had a list of the hidden service addresses that were being targeted by the attack.
God's Eye View
If you are the only person on the Tor network [editor's note: I believe the author is referring to the only person with Tor activity at that moment in time], then you are vulnerable to someone with a theoretical "God's eye view", who can see all network traffic all over the world.
The problem with this theoretical God's eye vantage point is that it isn't theoretical -- and the random shuffling isn't good enough. The people I consulted about my DDoS issue included people with real God's eye views. One claimed to see over 70% of all internet traffic worldwide. Another claimed over 50%. Moreover, these people are not nation-states or governments; they are corporate.
Why do these high level views exist? Well, there are denial-of-service attacks going on all the time. These corporate monitoring groups pair up with major network carriers in order to monitor the overall network levels. When a DDoS is observed, they can engage in a coordinated effort to mitigate the impact.
In my case, they saw a high volume DDoS that only involved known Tor nodes. That's how they knew it was a Tor-based DDoS. All of the traffic went through the Tor network before merging at a single point: my hidden service. (Technically, there were over a half-dozen hidden services being attacked, but it's the same methodology.)
As it turns out, you don't even need to have a huge DDoS to find a single user or a hidden service. You just need a sustained network load.
A Lesser God?
Not everyone has the required God's eye view. If using a God's eye view is out of scope, then how small is "some fraction"? How about 10% of guard nodes?
With Tor, you don't change guards often. So 1 out of every 10 Tor connections likely used these hostile guards. And given enough time, you will use one of their exit nodes.
A Teeny Tiny God?
I've shown [editor's note: in the full article at the link at the top of this post] that they do not protect against someone with a God's eye view, or even someone who controls 10% of Tor guards along with some of the exit nodes. So how small does "some fraction" need to be for Tor to actually provide protection? What if the adversary only controls one (1) guard and nothing else?
Every guard is also a relay. A guard can distinguish end users from other Tor nodes by comparing the client's network address against the public list of known Tor nodes. If the incoming traffic is from another Tor node, then it's being used as a relay. Otherwise, the node is being used as a guard. (There is the case of a bridge connecting to a relay, but in a previous blog entry I showed how to identify all bridges.) This means that a hostile guard can tell when a connection represents an end point -- either a user or a hidden service.
A guard cannot decrypt traffic; it can only see traffic volume. What this means: the guard knows your network address, and it can passively detect whether you are likely a human, a bot, or a hidden service.
Of course, if you're not using the adversary's guard, then you're safe... right? Well, my own hidden service has experienced a half dozen different kinds of Tor-based denial-of-service attacks. One of them was really creative: they owned one or more hostile routers and could identify which guard I was using. If I wasn't connected to their guard, then they would DDoS my guard until I was forced offline. Then my tor daemon would automatically select a different guard. They did this enough times that my tor daemon eventually chose their guard. Then they directly attacked my IP address.
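The excerpt's "teeny tiny god" point is that a single guard can tell relay-to-relay connections apart from endpoint connections just by checking the peer's IP against the published relay list. The script below is an added example written for this post, not code from the article's author or from the Tor project. It parses a consensus-style relay list (the sample lines follow the shape of real `r`/`s` lines in a Tor network-status document, but every nickname, digest and address in them is made up), then classifies a constructed batch of inbound connections the way a hostile guard would.

```python
"""Classify a guard's inbound connections as "relay" (another Tor node)
or "endpoint" (a client or an onion service's tor daemon) by checking the
peer address against the published relay list, as the excerpt describes.

Added example for this thread; not the article author's code.
"""
import ipaddress

# Constructed consensus excerpt.  The line shapes mirror the "r" and "s"
# lines of a Tor network-status document, but the nicknames, base64
# digests and addresses are invented for this example and are NOT real
# relays.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2020-09-01 00:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2020-09-01 00:00:00 198.51.100.20 443 0
s Exit Fast Running Valid
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2020-09-01 00:00:00 203.0.113.30 9001 0
s Fast Running Valid
"""

# Constructed list of peer addresses seen on a guard's ORPort.  Two of
# them are not in the relay list, so the guard learns they are endpoints.
SAMPLE_CONNECTIONS = [
    "192.0.2.10",      # relayA extending a circuit through us
    "203.0.113.30",    # relayC, same
    "203.0.113.99",    # unknown address: a client or onion service
    "198.51.100.77",   # unknown address: a client or onion service
    "192.0.2.10",      # relayA again
]


def parse_consensus(text):
    """Return {ip: set_of_flags} for every 'r' line in a consensus-style
    document.  An 's' line carries the flags of the preceding 'r' line."""
    relays = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            # Field 6 (0-based) of an "r" line is the relay's IPv4 address.
            current = str(ipaddress.ip_address(parts[6]))
            relays[current] = set()
        elif parts[0] == "s" and current is not None:
            relays[current].update(parts[1:])
    return relays


def classify_peer(peer_ip, relays):
    """Decide what a guard is talking to based only on the peer address.

    If the address is a published relay, the connection is relay-to-relay
    (we are being used as a middle hop).  Otherwise the peer is an
    endpoint: a Tor client or the tor daemon of an onion service, and its
    network address is now known to the guard operator.

    Caveats the excerpt itself notes: a bridge connecting inbound also
    looks like an endpoint, and a client that shares a public IP with a
    published relay would be misclassified as a relay.
    """
    ip = str(ipaddress.ip_address(peer_ip))
    return "relay" if ip in relays else "endpoint"


def summarize_connections(peer_ips, relays):
    """Tally a batch of inbound connections: how many came from other
    relays, and which distinct addresses are endpoints."""
    counts = {"relay": 0, "endpoint": 0}
    endpoints = []
    for ip in peer_ips:
        kind = classify_peer(ip, relays)
        counts[kind] += 1
        if kind == "endpoint":
            endpoints.append(ip)
    return counts, sorted(set(endpoints))


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    counts, endpoints = summarize_connections(SAMPLE_CONNECTIONS, relays)
    print("known relays:", len(relays))
    print("connection counts:", counts)
    print("endpoint addresses exposed to this guard:", endpoints)
```

The guard never decrypts anything here; the whole classification comes from the peer address and a public list, which is exactly why a single hostile guard learns the network location of every endpoint that picks it. Against a real network-status document you would feed the full file to `parse_consensus` and use the `Guard`/`Exit` flags it records per address; against a live guard you would feed it the ORPort connection log instead of the constructed list.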