1 comment

[ 2.8 ms ] story [ 15.8 ms ] thread
Inducing system load on a Tor hidden service, to generate heat from the CPU, to increase temperature of the quartz crystal driving the system clock, to cause system clock skew, which is remotely detectable via the TCP sequence number generated by rand(), or more directly by TCP timestamps (RFC 1323).

This lets you try to check if a given hidden service is running on a known machine, or if two hidden services are running on the same machine.

Could you skip everything in the middle, since request latency is correlated with system load? You have to load the server in either case, so both are active attacks. I think the problem is that latency is so variable due to Tor itself, it's actually faster to measure server load through clock skew than through request latency.

How would you find a candidate public server to run this attack against? "Many hidden servers are also publicly advertised Tor nodes, in order to mask hidden server traffic with other Tor traffic, so this scenario is plausible." But I think you would run your public Tor relay on a different machine behind the same firewall, since you want the absolute minimum amount of processes running on the machine actually hosting the hidden service.

Not that I know anything about running Tor hidden services.