On Sat, Jan 23, 2016 at 11:38:00PM +0200, s7r wrote:
> The attacker is also a Sybil (holds an unknown % of the bandwidth in
> the Tor network). By making the hidden service server build many
> circuits to his evil rendezvous points, the attacker gets a high
> probability that the hidden service server will eventually pick his
> evil relays in a circuit, so the attacker will trivially perform a
> successful hidden service guard discovery attack or, with more luck,
> discover the real location of the hidden service server.

That 'more luck' would involve becoming the guard of the hidden service,
yes? I think at that point it doesn't matter whether the attacker
controls the rendezvous point.

> The hidden service server can only defend itself by building a 3 hop
> circuit to the rendezvous point, but in practice this is not always
> enough.

A few more details about "this is not always enough" would be helpful
here. In particular, is it not always enough because sometimes even
3 hops is not safe enough, or not always enough because sometimes making
a 3-hop circuit isn't what the HS wants to do? Or something else?

> In simple words, we count and keep track of how many rendezvous
> circuits a hidden service server built and to which rendezvous points.
> Then, based on the weight (middle probability fraction) of each
> rendezvous point, we determine if one was insanely overpicked by
> clients.

A) Can I deny service to a hidden service by methodically pretending
to attack it from each honest relay, one at a time, causing it to
become upset at each of these relays?

B) Can I fool your reputation system by raising the total number of
rendezvous attempts that I attempt, in effect making the hidden service
feel more popular so it's not alarmed as much by any single rendezvous
point? I could imagine ways to launch a rendezvous attempt that are quite
cheap on the part of a client who has no plans to follow through.

> Even if accidentally (low chances) an innocent relay will be banned,
> this will be something local to the hidden service server. It won't
> affect that relay at all, nor how other clients or hidden service
> servers treat that relay. It has nothing to do with the network wide
> consensus as well.
>
> An honest client will always retry with a different rendezvous point,
> so honest clients should not experience reachability issues.

Actually, I don't think this is client behavior right now. (It could
be if somebody changed the design of course.)

--Roger
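
Added example, not part of the original message or of Tor's code: one way the quoted "overpicked rendezvous point" check could be computed, as a binomial upper-tail test of each relay's observed count against its middle-weight fraction. The relay names, counts, weights and the alpha threshold are constructed assumptions; the total n is driven by client requests, which is what question B above is about.

```python
import math

def binom_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p), summed in log space."""
    if k <= 0:
        return 1.0
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    total = 0.0
    for i in range(k, n + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1)
                    - math.lgamma(n - i + 1)
                    + i * math.log(p) + (n - i) * math.log1p(-p))
        total += math.exp(log_term)
    return min(total, 1.0)

def overpicked(counts, weights, alpha=1e-6):
    """Return {relay: tail probability} for rendezvous points chosen far
    more often than their weight fraction predicts.

    counts  -- rendezvous circuits built per relay (local to this service)
    weights -- assumed middle-position probability fraction per relay
    alpha   -- assumed significance threshold; lower means fewer honest
               relays flagged by chance
    """
    n = sum(counts.values())
    flagged = {}
    for relay, k in counts.items():
        # Assumption: a relay with no known weight is treated as weight 0.
        tail = binom_tail(n, k, weights.get(relay, 0.0))
        if tail < alpha:
            flagged[relay] = tail
    return flagged

# Constructed sample: 200 rendezvous circuits seen by one hidden service.
# "all_others" aggregates every remaining relay into one bucket.
SAMPLE_COUNTS = {"relayA": 5, "relayB": 3, "relayX": 40, "all_others": 152}
SAMPLE_WEIGHTS = {"relayA": 0.02, "relayB": 0.01, "relayX": 0.005,
                  "all_others": 0.965}

if __name__ == "__main__":
    for relay, tail in overpicked(SAMPLE_COUNTS, SAMPLE_WEIGHTS).items():
        print(f"{relay}: P(count >= observed) = {tail:.3e}")
```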