Tor Open To Attack

← Back to Stories (view on slashdot.org)

Posted by kdawson on Sunday February 25, 2007 @08:58AM from the peeling-the-onion dept.

An anonymous reader writes "A group of researchers have written a paper that lays out an attack against Tor (PDF) in enough detail to cause Roger Dingledine a fair amount of heartburn. The essential avenue of attack is that Tor doesn't verify claims of uptime or bandwidth, allowing an attacker to advertise more than it need deliver, and thus draw traffic. If the attacker controls the entry and exit node and has decent clocks, then the attacker can link these together and trace someone through the network."

29 of 109 comments (clear)

Min score:

Reason:

Sort:

Well, not just that. by James_Duncan8181 · 2007-02-25 09:02 · Score: 4, Interesting

If the attacker advertises absolutely massive values (and hey, it's only a string) they can time out all of the packets and DoS the network too.

This actually makes me wonder if there is a military/intel datacentre that does this already.

--
"To any truly impartial person, it would be obvious that I am right."
1. Re:Well, not just that. by Kadin2048 · 2007-02-25 09:36 · Score: 5, Interesting
  
  The military and secretive NSA operations do not care about you or your open source proxy software. Stop trying to make yourself feel special by writing convoluted conspiracy theories.
  
  No, but the Chinese equivalent of the FBI probably cares a lot about what its citizens are doing on the net, and the ability of users living under hostile regimes to get unfettered network access is one of the goals of projects like Tor.
  
  There are people with resources besides the NSA.
  
  --
  "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
2. Re:Well, not just that. by TubeSteak · 2007-02-25 09:41 · Score: 2, Informative
  
  If the attacker advertises absolutely massive values (and hey, it's only a string) they can time out all of the packets and DoS the network too.
  Wouldn't that only last as long as [max client timeout]?
  At which point the client seeks another route. Right?
  
  What I'm saying is that I don't think this would be effective with only one or two nodes.
  Though on a larger scale, I agree that this tactic could effectively DOS the network.
  
  --
  [Fuck Beta]
  o0t!
3. Re:Well, not just that. by Wonko+the+Sane · 2007-02-25 09:44 · Score: 4, Informative
  
  The military and secretive NSA operations do not care about you or your open source proxy software. Stop trying to make yourself feel special by writing convoluted conspiracy theories.
  
  If only that was true...
4. Re:Well, not just that. by bhsx · 2007-02-25 12:35 · Score: 2, Insightful
  
  Of course there are going to be police at protests. Blending in with the crowd just makes it easier to take care of things if an incident occurs. Is this supposed to be surprising, scandalous, conspiratorial? Because it's not. It's perfectly logical to anyone with a lick of sense. This is from the second link of the GP:
  The officers hoist protest signs. They hold flowers with mourners. They ride in bicycle events. At the vigil for the cyclist, an officer in biking gear wore a button that said, "I am a shameless agitator." She also carried a camera and videotaped the roughly 15 people present. Beyond collecting information, some of the undercover officers or their associates are seen on the tape having influence on events. At a demonstration last year during the Republican National Convention, the sham arrest of a man secretly working with the police led to a bruising confrontation between officers in riot gear and bystanders. Perfectly logical? Really?
  
  --
  put the what in the where?
5. Re:Well, not just that. by Anonymous Coward · 2007-02-25 17:27 · Score: 2, Interesting
  
  Exactly. I used to work for a spook house. If I described what lengths they went to keep data secret, people here on slashdot would offer me a nice tin foil hat and a pair of plastic unbreakable no-sharp-edge spoons to play with, and offer me a coat (with long sleeves that seem to buckle in the back). The thing to remember though, is that with all the technology we had, we had to assume that everyone else had at least as much. Pointing a laser at a window 2 miles away and receiving the reflection (non-visible part of the spectrum) and comparing the source with the reflection would give you a vibration ...created by sound outside the glass, but also by sound inside the room. A mic outside would pickup sound outside the glass, filter that and all you are left with is sound inside the room ...from 2 miles away. It was considered old technology 15 years ago. Now imagine a country with 1.1 billion people. Imagine that they aren't all Albert Einstein. Imagine only 1% are engineers. Imagine only half are willing to work for the government. Imagine only 1% of the available engineers are really gifted. 1 in 10 is an electrical engineer. That leaves you with 5500 really gifted electrical engineers working for the government of this country with 1.1 billion people. Could 5500 really gifted engineers create a device at least as good as what I have described? Think hard!
Not quite so oblig SW reference.. by SocialEngineer · 2007-02-25 09:06 · Score: 2, Funny

"I felt a great disturbance in the Internet, as if millions of child-pornographers suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened."

Now now, I know Tor isn't just used for naughty stuff. I just thought it was funny. Sorta.

--
"Better to be vulgar than non-existent" -Bev Henson
1. Re:Not quite so oblig SW reference.. by Ice+Wewe · 2007-02-25 09:19 · Score: 4, Informative
  
  Seriously, this is why Tor tells you at the start that you shouldn't rely on it for strong anonymity.
  "Feb 25 16:16:02.628 [notice] Tor v0.1.1.xx. This is experimental software. Do not rely on it for strong anonymity."
  Thus proving, once again, that Tor is only for the Quasi-anonymous group.
In Soviet Russia... by Anonymous Coward · 2007-02-25 09:11 · Score: 2, Funny

In Soviet Russia, Tor attacks YOU!
How Many Nodes Do You Need to Own? by quanticle · 2007-02-25 09:15 · Score: 4, Insightful

"We show that even if an adversary can control a few malicious nodes -- 3 to 6 with a PlanetLab network of 60 honest servers -- the adversary can still compromise the identity of a significant fraction of the connections from new clients."

3 to 6 servers out of 60 is still 5 to 10 percent. That's fine for small networks, but for a network with hundreds or thousands of nodes, controlling 5 to 10 percent may become infeasible. Does this attack require the number of nodes to scale with network size?

--
We all know what to do, but we don't know how to get re-elected once we have done it
1. Re:How Many Nodes Do You Need to Own? by TheRaven64 · 2007-02-25 09:33 · Score: 3, Interesting
  
  It doesn't tell you anything meaningful unless it tells you what the requirements on the distribution of the nodes is. You could, hypothetically, run a few thousand tor nodes on a single machine. Would this allow you to compromise a network of a few tens of thousands of nodes?
  
  --
  I am TheRaven on Soylent News
2. Re:How Many Nodes Do You Need to Own? by mrogers · 2007-02-25 21:41 · Score: 2, Informative
  
  That's fine for small networks, but for a network with hundreds or thousands of nodes, controlling 5 to 10 percent may become infeasible.
  Tor scales to a few hundred nodes, but it doesn't scale indefinitely - all the routers are listed in a central directory to ensure that all clients use the same set of routers and the same set of public keys.
3. Re:How Many Nodes Do You Need to Own? by mrogers · 2007-02-25 21:54 · Score: 2, Interesting
  
  TOR has never claimed to provide strong anonymity, you need something like Herbivore for that.
  
  Herbivore isn't vulnerable to traffic analysis but it's vulnerable to DoS: the attacker's nodes follow the secure entry protocol and get assigned to random cliques. Then they transmit in every round, jamming communication within their cliques. Jamming doesn't require any more bandwidth than normal participation in the protocol, and the source of the jamming can't be detected because communication within a clique is completely anonymous. With cliques of 128 nodes, an attacker who controls 1% of the nodes can jam 72% of the cliques at any given time. If the innocent nodes move to different cliques to escape the jamming, the attackers can move too.
welcome to the watchlist by twitter · 2007-02-25 09:19 · Score: 2, Funny

So, ze kiddie porn is on vor mind, eh Social Engineer? Very interesting. Who besides grandstanding politicians, media whores and actual pedophiles actually thinks or talks about kiddie porn? You must be one of the bag guys. The FBI vill be watching everything you do for the next ten years.

--
Friends don't help friends install M$ junk.
Anonymity Vs Performance in Multi-Hop Networks... by Roger+Wilcox · 2007-02-25 09:22 · Score: 5, Interesting

...is really what the article is about. Granted, I only read the abstract, but someone here at /. seems too intent on making a dramatic headline out of this.

It has been known for some time that anyone with the resources to do so could launch an end-to-end attack on Tor. That someone with relatively few resources could launch the same attack is newsworthy, perhaps, but far more interesting is the observation that optimizing network traffic flow in order to improve performance is the direct cause of this weakness.
Could this be avoided? by DogDude · 2007-02-25 09:26 · Score: 4, Informative

From what I can tell, it sounds like an attack can be either minimized or avoided completely if there are enough "server" nodes in the network. The "server" nodes, or the nodes that are exposed to the potential naughtiness, are always in short supply due to people understandably not wanting the FBI to show up to their door, hauling them off to Guantanamo Bay for a round of government-sanctioned torture. The thing is, for the time being, we're seeing a proliferation of completely open (untraceable) wireless networks that could potentially solve this problem. If a relatively large number of geeks were to throw a machine at their local free wireless connections, then they could potentially help out the TOR network for people who don't have access to such an "open" network. Now, we will eventually see these wide open free-for-alls shut down once the feds get their heads out of their asses and start taking Net-based crime seriously. But for the time being, we should all pitch in and take advantage of these networks while we've got 'em. I'm working on putting together a few Frankenstein PC's now and they'll be sitting within range of my town's wireless network, and they'll be routing TOR traffic. If somebody does some truly nasty stuff, and it comes out via one of my TOR nodes, then all the federales will be able to see will be the MAC addresses of my network cards, and have no idea where to find said network cards on the wireless network.

--
I don't respond to AC's.
1. Re:Could this be avoided? by Kadin2048 · 2007-02-25 09:44 · Score: 3, Interesting
  
  Well, if they knew the access point you were using (based on the IP address, which they'd then take to the ISP and demand to know the customer address), they'd just go down there and sniff packets for your MAC address. It's fairly trivial at that point to determine the direction that the radio signals are coming from. (There are guys that do it as a hobby.)
  
  Probably your best bet would be to use a spoofed MAC address, and change both the AP you connect to, the MAC address you report, and the PC's physical location, on a regular and frequent basis. That would make it difficult to determine whether you were a single location that's moving a lot and using different MAC addresses, or were multiple computers each just using the AP periodically.
  
  Still, there's no foolproof way to avoid discovery against an omnipotent adversary.
  
  --
  "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
2. Re:Could this be avoided? by kennygraham · 2007-02-25 09:44 · Score: 2, Informative
  
  then all the federales will be able to see will be the MAC addresses of my network cards, and have no idea where to find said network cards on the wireless network.
  Unless you purchased your network card on a credit card at a place that scans the MAC address along with the UPC when they ring you up, like CompUSA does. (to make sure you don't return a different network card for a refund)
3. Re:Could this be avoided? by Kjella · 2007-02-25 10:35 · Score: 2, Insightful
  
  Omnipotence is hardly required. "Moving it around" doesn't happen on the same timescale as tracking it down, I'm sure it'd only take a few minutes with pro gear and at least two listening posts to cross-reference. Generating a new MAC from time to time then reconnecting would probably work just fine though, so that when they come for the old MAC address it's no longer broadcasting. Basicly, if it's still active when they come looking, you've pretty much already lost.
  
  --
  Live today, because you never know what tomorrow brings
Re:I for one.. by slashbob22 · 2007-02-25 09:26 · Score: 3, Funny

I for one cry for our new onion-sniffing overlords.

--
Proof by very large bribes. QED.
COMSEC, not SIGINT by dr.badass · 2007-02-25 09:50 · Score: 4, Interesting

This actually makes me wonder if there is a military/intel datacentre that does this already.

Probably, but not for the reasons you think. Tor is known to be used by the military (how much is anybody's guess) for the same reasons anybody else would use it.

--
Don't become a regular here -- you will become retarded.
1. Re:COMSEC, not SIGINT by hotdiggitydawg · 2007-02-25 10:25 · Score: 5, Funny
  
  Tor is known to be used by the military ... for the same reasons anybody else would use it. Downloading pr0n?
Constant data stream by ishmalius · 2007-02-25 10:04 · Score: 3, Interesting

Some military broadband links send a constant stream of encrypted data, whether real data or filler. This "hiding in plain sight" reduces the ability of someone to perform traffic analysis on the network in precisely such a manner. This would be awful on the Net, of course, if everyone did it. But people should be aware that encryption is not the only facet of communications security that they need to worry about.
Even if you can't become both the entry/exit... by twistah · 2007-02-25 10:08 · Score: 4, Interesting

Even if you aren't able to become both the entry and exit mode, using the technique of faking your bandwidth/uptime can lead to more traffic for your exit node, which means more passwords to sniff. Not everyone seems to realize that just because the Tor protocol is encrypted doesn't mean the exit node can't sniff unencrypted traffic. Granted, the exit node has no idea where the traffic came from, but often information such as login information for a personal account can give that away. That's even better than having just an IP. All it takes is to set yourself up as a Tor node (the uptime/bandwidth faking helps) and run a tool like Cain or dsniff.
Re:WTFITOREH? by Nasarius · 2007-02-25 10:10 · Score: 2, Insightful

Come on, if you're going to troll, at least put some effort into it. Nowhere in the summary is it mentioned that Tor is an acronym. It's not written as TOR. Those ignorant of the project would assume that it was just a silly name.

--
LOAD "SIG",8,1
Re:WTFITOREH? by Ephemeriis · 2007-02-25 10:21 · Score: 3, Insightful

I hate to point this out but to anyone not in the know. the Acronym TOR means absolutely NOTHING. why post a warning about something if you do not explain the acronym. WHAT THE HELL IS WITH THE EXCESSIVE ACRONYMS? You all afraid to speak a fully qualified language or are you all afraid someone might notice you have no idea what the hell you're talking about? How about expanding on the acronyms a bit eh?
Thanks.

To anyone not in the know, the fact that the TOR protocol has a weakness means absolutely NOTHING regardless of whether they know what TOR stands for or not.

Granted, there is such a thing as TLA-overload...but I don't think this is it. If you don't know that TOR stands for The Onion Router, then why the hell do you care whether it is vulnerable to attack or not? You obviously aren't using it... You don't care about the technology or implementation... You are apparently not even curious enough to Google it... So why bother clicking through to post such a rant?

--
"Work is the curse of the drinking classes." -Oscar Wilde
No love for Freenet? by makomk · 2007-02-25 10:24 · Score: 4, Funny

Hmmm... I'm sure Freenet didn't get this much attention when they discovered that their encryption code was only actually encrypting half the data (128 bits out of every 256 bit word). Must be because no-one actually uses Freenet...
1. Re:No love for Freenet? by makomk · 2007-02-25 21:25 · Score: 2, Informative
  
  A casual googling didn't reveal anything, and I'm feeling really curious about how that happened.
  
  As the above AC said, a lot of the discussion was on Frost, which doesn't have any publicly-accessible archives. You can find the mailing list thread here, though. In particular this and this
  
  Of course, I'm not sure if this really matters that much; last I heard, Freenet was known to be vulnerable to man-in-the-middle attacks, and fixing it wasn't considered a priority...
Official Tor response by shava · 2007-02-26 09:06 · Score: 2, Informative

Please check out http://blogs.law.harvard.edu/anonymous/2007/02/26/ the-rumors-of-our-demise/ for The Tor Project's official response to this paper.

Shava Nerad
executive director
The Tor Project