It is in fact old, however I hadn't seen it posted anywhere even back then, figured I'd pass it in since there was some speculation about the feasibility of such an attack given the spike in Tor client usage.
Most of those using well-known privacy tools for "privacy" do not realize that they are painting a target on themselves. The elite hide data in plain sight. I am not elite, btw. I stay the hell out of it, and I suggest you do the same if you don't know what you are really doing, or even if you do.
God will bring every deed into judgment, including every secret thing, whether good or evil.
I read the abstract. I'm thinking this attack is mitigated by increasing Tor popularity. The more total Tor traffic, the less likely that deploying high-bandwidth ingress and egress nodes will grab the specific traffic the attacker is looking for.
Surely the sudden spike in entry and exit nodes would make the attack obvious. The central directory authority service could be modified to blacklist nodes from the master OR directory list that join within too small of a time interval.
On a more practical note, few cloud providers are going to let their network suddenly become a massive transit space for Tor traffic.
Before this could be successfully deployed in the wild, the problem can be easily corrected.
A few hundred Tor nodes would be useless in trying to break anyone's anonymity.
With ~4k relays (entry/exits) and ~2k bridges (pure relays of encrypted connections) and only a few hundred hostile relays, the odds of an OP's (end-user's) connection's flowing through both a hostile entry node and a hostile exit node are infinitesimal.
Let's say you add 400 ORs to the network. Let's further assume no one in the privacy-conscious, some would say paranoid, Tor community notices this unexplained 10% spike in entry/exit nodes. Your odds of compromising any given Tor circuit (connection) are a compound probability: P(A and B) = P(A) * P(B). In this case: .1 * .1 = .01, or approximately 1%.
When you add to the fact that the network automatically tries to route to entry and exit nodes in different countries, the chances of compromising the network in this fashion are virtually nill.
Everyone in the Tor community has known this attack has been possible, which is why the network growth metrics are watched closely. If any shenanigans are detected, the authority is prepared to add a notion of OR trust to the directory file.
I did out the math for what was necessary to control the entire path of 50% of the network traffic. I might post the resulting charts and stuff but when I did it out a few months ago it required 12,000 nodes. Entry/Exit are sufficient when also combining timing attacks but why not go whole hog? Also the increased security from new-identitying every few minutes increases the chance that at least some of your traffic would be caught while this type of attack is going on.
In reply to s_q_b: Amazon actually hosted this guy's demonstration, so at least one good cloud provider has in fact done this. Additionally, if you time your attack correctly and don't have persistent objectives, then it's pretty much moot that the spike is obvious because who checks the total amount of nodes frequently while surfing? Finally, if you do have persistent objectives, then you could mask it by introducing nodes by the dozen or so randomly spaced over a year or two.
Edit: just to clarify: Not my paper. No one has commented to that effect yet, but I just realized that that could be a conclusion drawn. I've only done some analysis on this type of attack.
From what I understand, the real vulnerability with the Tor model is if there aren't enough entry/exit nodes. Is there a tipping point after which, there are so many entry/exit nodes that the system would be relatively secure from this kind of attack?
Given the ridiculously cheap cost of the computing necessary to host a node, even the increased difficulty of doubling the number of entry/exit nodes wouldn't drive the cost of this attack into the realm of the unachievable even for modestly wealthy individuals.
Virtual-Notary.Org hereby notes that on
Date: Friday August 30, 2013 07:26.35 EDT (UTC-0400)
a random drawing in the range [1, 100000], inclusive, based on
a hardware source of true randomness, yielded the following decision.
Random Value: 39640
God says...
abroad even to the entering in of Egypt; for he strengthened himself
exceedingly.
26:9 Moreover Uzziah built towers in Jerusalem at the corner gate, and
at the valley gate, and at the turning of the wall, and fortified
them.
26:10 Also he built towers in the desert, and digged many wells: for
he had much cattle, both in the low country, and in the plains:
husbandmen also, and vine dressers in the mountains, and in Carmel:
for he loved husbandry.
26:11 Moreover Uzziah had an host of fighting men, that went out to
war by bands, according to the number of their account by the hand of
Jeiel the scribe and Maaseiah the ruler, under the hand of Hananiah,
one of the king's captains.
26:12 The whole number of the chief of the fathers of the mighty men
of valour were two thousand and six hundred.
26:13 And under their hand was an army, three hundred thousand and
seven thousand and five hundred, that made war with mighty power, to
help the king against the enemy.
26:14 And Uzziah prepared for them throughout all the host shields,
and spears, and helmets, and habergeons, and bows, and slings to cast
stones.
26:15 And he made in Jerusalem engines, invented by cunning men, to be
on the towers and upon the bulwarks, to shoot arrows and great stones
withal.
And his name spread far abroad; for he was marvellously helped, till
he was strong.
26:16 But when he was strong, his heart was lifted up to his
destruction: for he transgressed against the LORD his God, and went
into the temple of the LORD to burn incense upon the altar of incense.
That's an increase in clients, not Entry/Exit nodes. Until they begin flipping over into nodes there is nothing to worry about wrt this type of attack from a freak influx of clients.
20 comments
[ 4.6 ms ] story [ 40.4 ms ] threadGod will bring every deed into judgment, including every secret thing, whether good or evil.
On a more practical note, few cloud providers are going to let their network suddenly become a massive transit space for Tor traffic.
Before this could be successfully deployed in the wild, the problem can be easily corrected.
With ~4k relays (entry/exits) and ~2k bridges (pure relays of encrypted connections) and only a few hundred hostile relays, the odds of an OP's (end-user's) connection's flowing through both a hostile entry node and a hostile exit node are infinitesimal.
Let's say you add 400 ORs to the network. Let's further assume no one in the privacy-conscious, some would say paranoid, Tor community notices this unexplained 10% spike in entry/exit nodes. Your odds of compromising any given Tor circuit (connection) are a compound probability: P(A and B) = P(A) * P(B). In this case: .1 * .1 = .01, or approximately 1%.
When you add to the fact that the network automatically tries to route to entry and exit nodes in different countries, the chances of compromising the network in this fashion are virtually nill.
Everyone in the Tor community has known this attack has been possible, which is why the network growth metrics are watched closely. If any shenanigans are detected, the authority is prepared to add a notion of OR trust to the directory file.
In reply to s_q_b: Amazon actually hosted this guy's demonstration, so at least one good cloud provider has in fact done this. Additionally, if you time your attack correctly and don't have persistent objectives, then it's pretty much moot that the spike is obvious because who checks the total amount of nodes frequently while surfing? Finally, if you do have persistent objectives, then you could mask it by introducing nodes by the dozen or so randomly spaced over a year or two.
Edit: just to clarify: Not my paper. No one has commented to that effect yet, but I just realized that that could be a conclusion drawn. I've only done some analysis on this type of attack.
Virtual-Notary.Org hereby notes that on Date: Friday August 30, 2013 07:26.35 EDT (UTC-0400)
a random drawing in the range [1, 100000], inclusive, based on a hardware source of true randomness, yielded the following decision.
God says...abroad even to the entering in of Egypt; for he strengthened himself exceedingly.
26:9 Moreover Uzziah built towers in Jerusalem at the corner gate, and at the valley gate, and at the turning of the wall, and fortified them.
26:10 Also he built towers in the desert, and digged many wells: for he had much cattle, both in the low country, and in the plains: husbandmen also, and vine dressers in the mountains, and in Carmel: for he loved husbandry.
26:11 Moreover Uzziah had an host of fighting men, that went out to war by bands, according to the number of their account by the hand of Jeiel the scribe and Maaseiah the ruler, under the hand of Hananiah, one of the king's captains.
26:12 The whole number of the chief of the fathers of the mighty men of valour were two thousand and six hundred.
26:13 And under their hand was an army, three hundred thousand and seven thousand and five hundred, that made war with mighty power, to help the king against the enemy.
26:14 And Uzziah prepared for them throughout all the host shields, and spears, and helmets, and habergeons, and bows, and slings to cast stones.
26:15 And he made in Jerusalem engines, invented by cunning men, to be on the towers and upon the bulwarks, to shoot arrows and great stones withal.
And his name spread far abroad; for he was marvellously helped, till he was strong.
26:16 But when he was strong, his heart was lifted up to his destruction: for he transgressed against the LORD his God, and went into the temple of the LORD to burn incense upon the altar of incense.