On Sat, Aug 20, 2011 at 05:18:38PM +0200, [email protected] wrote:
> Okay, but my question was, how traffic could be correlated if the
> attacker has traffic-logs from all servers a possible user could
> use (e.g. all servers operated by one provider/in one country) - but
> he does not know the user himself.
>
> So, he could follow the tcp-stream, I think: At first, he examines
> the log of the exit-node, and he detects that there is some
> specific traffic ingoing and outgoing at the same time. And then,
> he follows this stream through the other relays...
>

You mentioned having traffic logs from all possible servers. If by "servers" you mean 'honestly and properly run Tor relays', then those logs do not exist, so what you are saying is not possible.

But if the adversary is watching both ends of the connection, he will know which user IP address is connected to which destination. This is much easier than following the stream through the relays.

"Watching both ends" could be any of many things. Here are a few. He could be at the user ISP and at the destination server. Or he could be at an AS or IX between the user and the first Tor relay and also between the last Tor relay and the web server the user is connecting to. Or he could have compromised or simply own the Tor relay at both ends of the circuit at the time the connection is made. If any of those are true, he does not need to look at all the relays in the circuit. He can easily correlate the traffic patterns at both ends to determine which connections match up. In a 2007 paper, Bauer et al. showed that it was not even necessary to send any traffic over the circuit to do the correlation. It is enough to watch the circuit creation.

The too-terse way we have said this since about 1996 is that onion routing protects against traffic analysis, not traffic confirmation.

The countermeasure you suggested is one of many that have been investigated. State of the art is probably the following.

http://www.cs.yale.edu/homes/jf/FJS-PETS2010.pdf

But nothing that is both adequately practical and effective has been discovered by any of the researchers who have investigated it, nor do I think ever will be, at least for general purposes. As Curious Kid noted, Tor does not attempt to prevent this because there is no practical way for it to do so.

HTH,
Paul

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
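As an added illustration of the traffic-confirmation point made in the reply above (this is example code written for this page, not code from the thread, from Paul, or from the Tor project), the following Python simulation shows what an adversary who sees only the two ends of a connection can do, and why the relays in the middle never need to be consulted. It constructs a handful of synthetic bursty flows as seen at the entry side, produces a shuffled, delayed and jittered view of the same flows as seen at the exit side, and pairs them up purely by correlating volume-over-time shapes. It also applies a constant-rate padding countermeasure (an assumed, textbook countermeasure, not the one the original poster proposed, which is not visible on this page) to show that it does defeat the shape correlation but only at a large bandwidth overhead, which is the practicality problem the reply alludes to. All flow data, bin sizes and delays are constructed values.

```python
import random
from statistics import mean, pstdev

# Constructed simulation parameters (assumptions, not figures from the thread).
FLOWS = 6      # concurrent client connections visible at each end
BINS = 240     # one-second observation bins per flow
DELAY = 2      # fixed entry-to-exit latency, in bins
CELL = 512     # bytes per cell-sized chunk (constructed value)


def make_flows(rng):
    """Entry-side byte counts per bin for FLOWS synthetic flows.

    Each flow is an on/off burst process with its own start/stop rates,
    so different flows have different volume-over-time shapes."""
    flows = []
    for _ in range(FLOWS):
        p_start, p_stop = rng.uniform(0.1, 0.3), rng.uniform(0.2, 0.5)
        on, series = False, []
        for _ in range(BINS):
            on = (not on and rng.random() < p_start) or (on and rng.random() >= p_stop)
            series.append(rng.randint(1, 8) * CELL if on else 0)
        flows.append(series)
    return flows


def observe_exit(flows, rng, jitter=0.3):
    """Exit-side view: the same flows in shuffled order, shifted by DELAY
    bins, with up to `jitter` of each bin's bytes spilling into the next
    bin to model queueing inside the relays. Returns (order, observed) where
    order[j] is the entry flow index that produced exit observation j."""
    order = list(range(FLOWS))
    rng.shuffle(order)
    observed = []
    for i in order:
        out = [0] * BINS
        for t, v in enumerate(flows[i]):
            spill = int(v * rng.uniform(0, jitter))
            if t + DELAY < BINS:
                out[t + DELAY] += v - spill
            if t + DELAY + 1 < BINS:
                out[t + DELAY + 1] += spill
        observed.append(out)
    return order, observed


def correlation(a, b):
    """Pearson correlation; 0.0 when either series is flat (no information)."""
    sa, sb = pstdev(a), pstdev(b)
    if sa == 0 or sb == 0:
        return 0.0
    ma, mb = mean(a), mean(b)
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (len(a) * sa * sb)


def best_lag_correlation(entry, exit_, max_lag=4):
    """The adversary does not know the latency, so try a few lags and keep the best."""
    return max(correlation(entry[:BINS - lag], exit_[lag:]) for lag in range(max_lag + 1))


def match_ends(entry_flows, exit_flows):
    """For each entry flow pick the exit observation whose shape fits best."""
    return [max(range(len(exit_flows)),
                key=lambda j: best_lag_correlation(e, exit_flows[j]))
            for e in entry_flows]


def accuracy(order, matches):
    truth = {order[j]: j for j in range(len(order))}
    return sum(matches[i] == truth[i] for i in range(len(matches))) / len(matches)


def pad_constant_rate(flows):
    """Assumed countermeasure: every flow sends the same volume in every bin,
    so entry-side shapes carry no information. Returns the padded flows and
    the overhead ratio (padded bytes / real bytes)."""
    rate = max(v for f in flows for v in f)
    real = sum(v for f in flows for v in f)
    padded = [[rate] * BINS for _ in flows]
    return padded, (rate * BINS * len(flows)) / real


def run(seed=7):
    """Pair entry and exit views with and without padding; return the results."""
    rng = random.Random(seed)
    flows = make_flows(rng)
    order, seen = observe_exit(flows, rng)
    unpadded = accuracy(order, match_ends(flows, seen))

    padded, overhead = pad_constant_rate(flows)
    p_order, p_seen = observe_exit(padded, rng)
    padded_acc = accuracy(p_order, match_ends(padded, p_seen))
    return {"unpadded": unpadded, "padded": padded_acc, "overhead": overhead}


if __name__ == "__main__":
    print(run())
```

The point of the simulation is the one made in the reply: nothing in the middle of the circuit is consulted, only the two observation points, and the pairing falls out of the shapes alone. Constant-rate padding removes the signal at the entry side, but the overhead ratio it reports shows why such countermeasures are hard to make practical for general use.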
