New attack-vector via covert and side channel

2007-12-11 Thread kazaam
I dunno how public it is but I found today this dissertation by Steven Murdoch 
about attacking the tor-network via covert- and sidechannels: 
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-706.pdf

greets

-- 
kazaam [EMAIL PROTECTED]




Re: New attack-vector via covert and side channel

2007-12-11 Thread Steven J. Murdoch
On Tue, Dec 11, 2007 at 03:59:59PM +0100, kazaam wrote:
> I dunno how public it is but I found today this dissertation by
> Steven Murdoch about attacking the tor-network via covert- and
> sidechannels: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-706.pdf

The results discussed aren't actually that new. Chapters 4 and 5,
which are on Tor, are based on papers published in May 2005 and
October 2006 respectively.

 http://www.cl.cam.ac.uk/~sjm217/papers/oakland05torta.pdf
 http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf

I've now published the thesis version of these papers, which have more
diagrams and other improvements, but the underlying data and
conclusions are the same.

To quote from my previous message:

 To avoid any misunderstanding, I should add that there is no reason
 to panic. Primarily the paper is designed to feed into the future
 design of Tor rather than suggest any short term fixes. There are
 already known attacks on Tor which will probably work better than
 this, but the proposed defences to these will not fix the problem I
 discuss in the paper.

 Also, in the paper, I say that for clarity the results in the paper
 are mainly from a private Tor network and running it in reality will
 be more messy. However, as the performance of the Tor network improves,
 the attack will be more effective, so is worth bearing in mind for the
 future.

 -- http://archives.seul.org/or/talk/Sep-2006/msg00080.html

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/


possible DoS attack?

2007-12-11 Thread Scott Bennett
 In the last couple of days, I've noticed my tor server maxing out the
transmit side (~110-~115 KB/s) of my ADSL while typically using 10 KB/s of
the receive side, usually for long periods of time.  Curious about this oddity,
I began looking at netstat output more frequently to see what was up.  What I
found that seemed out of the ordinary was many dozens of connections to my
directory mirror port from 83.103.38.65 (fastweb65.ietnet.net), most with
32 KB or more in the output queue for the ethernet interface.  Occasionally,
these mostly go away for a while, and the transmit rate begins to fluctuate
more normally between 10 KB/s and, say, 60 KB/s, as traffic begins to adapt
to the increase in available bandwidth.  Often these breaks in the demand by
fastweb65.ietnet.net last no more than a couple of minutes before
fastweb65.ietnet.net resumes connecting and demanding directories at its
previous pace.
 83.103.38.65 does not appear in my cached-consensus or cached-descriptors*
files, so these are not simply tunneled directory connections from random
sites getting funneled through one tor server in Italy.
 Can anyone tell me whether this is legitimate activity or whether I should
begin blocking it at my router to encourage it to go away?


Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu

"A well regulated and disciplined militia, is at all times a good
objection to the introduction of that bane of all free governments
-- a standing army."
    -- Gov. John Hancock, New York Journal, 28 January 1790
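The netstat check Scott did by hand can be scripted. The following is an added example, not code from the thread or from Tor: it parses netstat output, counts connections per remote address to the directory port, and flags addresses with many connections whose send queues are backed up. It assumes the Linux `netstat -tn` column layout and a DirPort of 9030 (Scott does not say which port his mirror uses); the sample netstat lines are constructed.

```python
import re
from collections import defaultdict

# Assumed directory port; the report does not say which port the mirror uses.
DIR_PORT = 9030

# Column layout of Linux `netstat -tn` (assumed; BSD netstat differs):
# Proto Recv-Q Send-Q Local Address Foreign Address State
LINE_RE = re.compile(
    r"^tcp6?\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+):(?P<lport>\d+)\s+"
    r"(?P<remote>\S+):(?P<rport>\d+)\s+(?P<state>\S+)"
)

# Constructed sample: twelve connections from one address, each with a
# backed-up send queue, plus two unrelated connections.
SAMPLE_NETSTAT = "\n".join(
    ["Proto Recv-Q Send-Q Local Address      Foreign Address      State"]
    + [f"tcp        0  {34000 + 100 * i} 192.0.2.10:9030    83.103.38.65:{40000 + i}   ESTABLISHED"
       for i in range(12)]
    + ["tcp        0      0 192.0.2.10:9030    198.51.100.7:51234   ESTABLISHED",
       "tcp        0   1200 192.0.2.10:9001    203.0.113.9:44321    ESTABLISHED"]
)


def summarize_dirport(netstat_output, dir_port=DIR_PORT, stall_bytes=32 * 1024):
    """Map each remote IP to (connections to dir_port, connections whose
    Send-Q is at least stall_bytes)."""
    stats = defaultdict(lambda: [0, 0])
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("lport")) != dir_port:
            continue
        entry = stats[m.group("remote")]
        entry[0] += 1
        if int(m.group("sendq")) >= stall_bytes:
            entry[1] += 1
    return {ip: (n, stalled) for ip, (n, stalled) in stats.items()}


def flag_suspicious(stats, min_conns=10):
    """Remote IPs holding at least min_conns dir-port connections, at least
    half of them with a backed-up send queue: the pattern Scott describes."""
    return sorted(ip for ip, (n, stalled) in stats.items()
                  if n >= min_conns and stalled * 2 >= n)


if __name__ == "__main__":
    stats = summarize_dirport(SAMPLE_NETSTAT)
    for ip in flag_suspicious(stats):
        print(f"{ip}: {stats[ip][0]} connections, {stats[ip][1]} with Send-Q >= 32 KB")
```

Feed it real output with `netstat -tn | python3 script.py` style piping (reading stdin instead of the sample) and run it periodically; a single address that stays flagged across runs is the case worth rate-limiting at the router.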


Why does TOR stream data when it's not in use?

2007-12-11 Thread MORTEN HAGEN
Hi, I'm new to TOR. I've been using it for some weeks for
online privacy. I've installed TOR and Privoxy from the latest
Windows Vidalia Bundle and configured my Internet Explorer 7 manually.
Everything seems to work fine when I test my connection on such testing
sites on the internet. My question is: When I start Privoxy and TOR, my
computer starts immediately to stream data over the internet. It mostly
downloads, and sometimes it downloads 1MB of data each minute, or more,
for a long while. It also sends data, but at a much lower rate. This
seems to be strange, because I don't have any active internet
application running - and as soon as I shut down the TOR engine, the
streaming stops. The reason for me looking at this as strange or
suspicious is because sometimes this happens and sometimes it
doesn't when I start the TOR engine. Sometimes I just need to shut
it down and restart it, and after a new circuit is made, the connection
is inactive unless I start to use an internet application, such as browsing
the web. Why does this happen?
Is every TOR user a TOR Server or Exit Node as well? Thanks in advance,
Greetings from Norway




Re: possible DoS attack?

2007-12-11 Thread F. Fox

Scott Bennett wrote:
(snip)
> What I
> found that seemed out of the ordinary was many dozens of connections to my
> directory mirror port from 83.103.38.65 (fastweb65.ietnet.net)
(snip)
> 83.103.38.65 does not appear in my cached-consensus or cached-descriptors*
> files, so these are not simply tunneled directory connections from random
> sites getting funneled through one tor server in Italy.
> Can anyone tell me whether this is legitimate activity or whether I should
> begin blocking it at my router to encourage it to go away?
(snip)

It sounds mighty suspicious, in my opinion.

If I recall correctly, directory mirroring is based on HTTP (hence, why
it's encouraged to host it on port 80 for fascist firewalled folks, if
at all possible). Therefore, it would be vulnerable to any fundamental
attack (i.e., based on the nature of TCP or HTTP) that any Web server
would be.

Given that the system you mention doesn't seem to be a Tor node, I say
that if it's not an attack, then something's pretty weird.

I'm no expert, but I say block the offending system. Does anyone else
concur?

--
F. Fox
Owner of Tor node kitsune
CompTIA A+, Net+, Security+


Re: Why does TOR stream data when it's not in use?

2007-12-11 Thread F. Fox

MORTEN HAGEN wrote:
> Hi,
>
> I'm new to TOR. I've been using it for some weeks for online privacy.
>
> I've installed TOR and Privoxy from the latest Windows Vidalia Bundle
> and configured my Internet Explorer 7 manually. Everything seems to work
> fine when I test my connection on such testing sites on the internet.
>
> My question is: When I start Privoxy and TOR, my computer starts
> immediately to stream data over the internet. It mostly downloads, and
> sometimes it downloads 1MB of data each minute, or more, for a long
> while. It also sends data, but at a much lower rate.
(snip)

AFAIK, when activated, Tor will:

1.) Download some directory information - this can be quite a bit, if
it's the first time Tor's been run on a particular install;

2.) Send some data for the purpose of opening up a few circuits, so it's
ready for use when an application wants it.

If by a long while you mean more than a couple of minutes, I'd say
that's pretty odd - that's much more than is needed for a directory
download (IIRC).

> Is every TOR user a TOR Server or Exit Node as well?
(snip)

By default, Tor will act only as a client; it will not relay data, nor
act as an exit node.

--
F. Fox: A+, Network+, Security+
Owner of Tor node kitsune
http://fenrisfox.livejournal.com