Re: [tor-relays] Exit Concentration vs Bulk filters?

2020-01-05 Thread grarpamp
> So what can we do to achieve the ideal distributed network?
> Throttle all (nodes) to the slowest... to get the best diversity?
> We need all (nodes), whether high or small capacity. Don't we?

Tor is a form of gravity well. If the cloud is not saturated,
adding more nodes increases odds of traffic analysis.
Among other things, tor's utilization falloff curve should probably
not give many users and use cases much comfy feels.
Tor's design doesn't provide a way to distributively utilize excess
nodes safely, it cannot, so it tries to game and manage that as
best it can. Such a global throttle could help, but access to throughput
will disappear, and it's still subject to the same class of analysis.
Tor's design can't really do much here while still being called tor.
Look elsewhere for other designs.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Exit Concentration vs Bulk filters?

2020-01-05 Thread I




Such a clear explanation would be good to see on torproject.org.

-Original Message-
From: nusenu-li...@riseup.net
Sent: Sat, 04 Jan 2020 11:44:00 +
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Exit Concentration vs Bulk filters?

> I never heard a real technical reason to avoid
> high concentration of Tor exit capacity.

Let me give you a few examples why a distributed network is in some ways
more resilient to attacks and harder to observe than a centralized one.

Observability

If all traffic leaves the tor network at a single or very few places,
surveillance becomes a lot easier and cheaper when compared to a network
that is distributed and has many exit locations.

Resiliency against outages

If all capacity is concentrated around just a few locations, local
issues/outages have a bigger impact on the overall availability and
capacity of the network.

Resiliency against software vulnerabilities

A single operator tends to set up their systems in a relatively similar manner.
Most of its relays will use the same OS, OS version, SSL library, tor version,
hardware architecture and have a similar good or bad patch level.
In such an environment it is more likely that a single vulnerability affects
large portions when compared to a diverse ecosystem. A homogeneous ecosystem
also reduces the cost for exploit development.

Resiliency against security breaches

If a hypothetical operator controlling 1/2 of the network gets compromised the
impact is a lot bigger than if they were to run 1%. The incentive for an
attacker to compromise an operator running 50% of the network is also a lot
higher than attacking an operator of 1%.

Risk of detection

The risk of detection is likely higher for an attacker that compromises
multiple organizations compared to a single victim.

Cost of attacks

Compromising all relays operated by a single entity is likely cheaper than
compromising all relays run by multiple independent organizations.

Performing a hijacking attack against a single prefix is probably easier than
successfully hijacking multiple independent prefixes with different upstream
providers concurrently and harder to remain undetected.

A DDoS attack against a single AS is likely cheaper than against many targets
at the same time.

There are also non-technical (organizational and legal) reasons why having a
distributed network capacity is beneficial to the tor network.

Legally attacking many organizations is more expensive than a single one.
If a single operator no longer has the financial capacity or motivation the
removal of their relays should not have an existential impact on the network.
If the policy of a hoster changes from 'tor relays allowed' to 'tor relays
forbidden' then we better not run all our capacity at a single hoster.

In short, you don't want to make the tor network depend on 1-2 or 10 but many.
So if a few operators disappear the network remains functional and available
and is generally harder to attack.

kind regards,
nusenu

--
https://mastodon.social/@nusenu
https://twitter.com/nusenu






Re: [tor-relays] Exit Concentration vs Bulk filters?

2020-01-04 Thread Tim Niemeyer
Hi nusenu

Thanks for your explanation. You are right in all points. But they are
a bit theoretical, because we don't have a big choice here. Further, I
don't think a big exit is the opposite of our goals, it's just the
beginning.

Theoretical

So what can we do to achieve the ideal distributed network? Throttle
all exits to the slowest exit, to get the best diversity? It would be
awesome if we only have exit families with max 0.05% overall capacity
(with each multiple gigabits). But currently we need only 5GBit/s
bandwidth and 2 office computers for ~7%. That's ridiculous, it's year
2020!

Diversity 

Shouldn't the tor software handle the diversity? So what if an
intelligence adds an exit with ~100 GBit/s? Will it gain all exit
traffic? And if so, is that a real problem for a tor user (which uses
end to end authentication etc)? And if so, why don't we change the
software?

On Saturday, 04.01.2020, at 11:44 +, nusenu wrote:
> > I never heard a real technical reason to avoid
> > high concentration of Tor exit capacity.
>
> In short, you don't want to make the tor network depend on 1-2 or 10
> but many.
> So if a few operators disappear the network remains functional and
> available
> and is generally harder to attack.

Maybe my point wasn't clear.. my mistake.

While the tor network currently depends on some high exit capacity
families, it's not the mistake of them. Instead it's the mistake of all
others which don't provide exit capacity.

The right way besides throttling

The only right solution can be to encourage others to add more exit
capacity. So instead of throttling the available resources and blaming the
people behind them, we should say a big "thank you" to all people and
orgs that provide us with exit resources. Besides the resources, these
providers handle all the troubles with police and other annoying things
and that is the really hard work of an exit relay.

We need all exits, whether high or small capacity. Don't we?

Tim




Re: [tor-relays] Exit Concentration vs Bulk filters?

2020-01-04 Thread nusenu
> I never heard a real technical reason to avoid
> high concentration of Tor exit capacity. 

Let me give you a few examples why a distributed network is in some ways
more resilient to attacks and harder to observe than a centralized one.

Observability

If all traffic leaves the tor network at a single or very few places,
surveillance becomes a lot easier and cheaper when compared to a network
that is distributed and has many exit locations.

Resiliency against outages

If all capacity is concentrated around just a few locations, local
issues/outages have a bigger impact on the overall availability and
capacity of the network.

Resiliency against software vulnerabilities

A single operator tends to set up their systems in a relatively similar manner.
Most of its relays will use the same OS, OS version, SSL library, tor version,
hardware architecture and have a similar good or bad patch level.
In such an environment it is more likely that a single vulnerability affects
large portions when compared to a diverse ecosystem. A homogeneous ecosystem
also reduces the cost for exploit development.

Resiliency against security breaches

If a hypothetical operator controlling 1/2 of the network gets compromised the
impact is a lot bigger than if they were to run 1%. The incentive for an
attacker to compromise an operator running 50% of the network is also a lot
higher than attacking an operator of 1%.

Risk of detection

The risk of detection is likely higher for an attacker that compromises
multiple organizations compared to a single victim.

Cost of attacks

Compromising all relays operated by a single entity is likely cheaper than
compromising all relays run by multiple independent organizations.

Performing a hijacking attack against a single prefix is probably easier than
successfully hijacking multiple independent prefixes with different upstream
providers concurrently and harder to remain undetected.

A DDoS attack against a single AS is likely cheaper than against many targets
at the same time.


There are also non-technical (organizational and legal) reasons why having a
distributed network capacity is beneficial to the tor network.

Legally attacking many organizations is more expensive than a single one.
If a single operator no longer has the financial capacity or motivation the
removal of their relays should not have an existential impact on the network.
If the policy of a hoster changes from 'tor relays allowed' to 'tor relays
forbidden' then we better not run all our capacity at a single hoster.


In short, you don't want to make the tor network depend on 1-2 or 10 but many.
So if a few operators disappear the network remains functional and available
and is generally harder to attack.

kind regards,
nusenu

-- 
https://mastodon.social/@nusenu
https://twitter.com/nusenu







