URL:
http://www.hackerfactor.com/blog/index.php?%2Farchives%2F896-Tor-0day-Finding-IP-Addresses.html
The Hacker Factor Blog
Dr. Neal Krawetz writes The Hacker Factor Blog.

TOR 0DAY: FINDING IP ADDRESSES
TUESDAY, 15 SEPTEMBER 2020

Last February, my Tor onion service came under a huge Tor-based distributed denial-of-service (DDoS) attack. I spent days analyzing the attack, developing mitigation options, and defending my server. (The Tor service that I run for the Internet Archive was down for a few hours, but I managed to keep it up and running through most of the attack.)

While trying to find creative ways to keep the service up, I consulted a group of friends who are very active in the network incident response field. Some of these are the people who warn the world about new network attacks. Others are very experienced at tracking down denial-of-service attacks and their associated command-and-control (C&C) servers. I asked them if they could help me find the source of the attack. "Sure," they replied.
They just needed my IP address. I read off the address: "152 dot" and they repeated back "152 dot". "19 dot" "19 dot" and then they told me the rest of the network address. (I was stunned.)

Tor is supposed to be anonymous. You're not supposed to know the IP address of a hidden service. But they knew. They had been watching the Tor-based DDoS. They had a list of the hidden service addresses that were being targeted by the attack. They just didn't know that this specific address was mine.

As it turns out, this is an open secret among the internet service community: You are not anonymous on Tor.

THREAT MODELING

There are plenty of documents that cover how Tor triple-encrypts packets, selects a route using a guard, relay, and exit, and randomizes paths to mix up the network traffic. However, few documents cover the threat model. Who can see your traffic? Your adversary can be anywhere:

* Your ISP can see packets from your computer to the Tor network. As I covered in the first two "Tor 0day" blog entries, it doesn't matter if you use direct connections or bridges; they can see that you are communicating with the Tor network.
* The first hop is the guard (or bridge) node. You don't know who owns it, but they can be watching you. This node knows your direct network address and can see traffic volume. But due to encryption, it cannot directly decipher the packets.
* The second hop is a relay. It sees traffic coming from a Tor node and going to a different Tor node. As threats go, this is the least of your worries.
* The last hop is the exit node. It sees your traffic with all of the Tor encryption layers removed. If the connection itself is plain HTTP, that means the full content; with HTTPS, the exit still learns the destination and the traffic volume, and it is positioned to tamper with the connection, so don't assume that HTTPS alone is keeping you safe. Exits don't know where you are, but they know where you are going. And if the exit has the incentive, then it can closely monitor your traffic and see what you are doing.
* Between each of these nodes are additional network service providers, any of which can watch the traffic volume on their local segments.
* Finally, there is the internet service. As the old adage goes: if you own the server, you own the user.

If you are the only person on the Tor network, then you are vulnerable to someone with a theoretical "God's eye view", who can see all network traffic all over the world. This all-seeing vantage point means someone can easily match the packets from you to the guard to the relay to the exit and to the internet service. However, Tor's network security is based on a shell game. With enough users and enough path shuffling, this theoretical God's eye view should be able to see lots of people using the Tor network and lots of exit traffic, but cannot associate entrance traffic with exit traffic.

GOD'S EYE VIEW

The problem with this theoretical God's eye vantage point is that it isn't theoretical, and the random shuffling isn't good enough. The people I consulted about my DDoS issue included people with real God's eye views. One claimed to see over 70% of all internet traffic worldwide. Another claimed over 50%. Moreover, these people are not nation-states or governments; they are corporate.

Why do these high level views exist? Well, there are denial-of-service attacks going on all the time. These corporate monitoring groups pair up with major network carriers in order to monitor the overall network levels. When a DDoS is observed, they can engage in a coordinated effort to mitigate the impact. Remember: the DDoS doesn't just hurt the target system; it also slows down the overall network and costs big companies real money in bandwidth overhead. These corporate groups are there to help mitigate the cost to the major carriers. As a side effect, you get really cool worldwide attack maps, like those provided by Digital Attack Map and NetScout. (Full disclosure: I don't know anyone at either of these companies.)

In my case, they saw a high volume DDoS that only involved known Tor nodes. That's how they knew it was a Tor-based DDoS.
All of the traffic went through the Tor network before merging at a single point: my hidden service. (Technically, there were over a half-dozen hidden services being attacked, but it's the same methodology.)

As it turns out, you don't even need to have a huge DDoS to find a single user or a hidden service. You just need a sustained network load. At FotoForensics, I saw a meme photo of a snake eating a rifle that really describes this situation.

With the Tor network, you don't change paths until after a TCP connection ends. This means that you have a fixed path during the network transaction. If you are downloading small files, like typical web traffic, then you look like everyone else. But if you download something large, like a video, ISO image, or large audio file, then someone with the God's eye view can see the route as a large amount of traffic flows down one path, easily associating your network address to the exit traffic.

For hidden services, it's even easier (because stationary services are sitting ducks). With typical web servers, the server receives all traffic first and then it runs any server-side processing. If I upload a file to your service, then the file upload must complete before the back-end file processing begins. This means, if your adversary has a God's eye view and wants to find your hidden service, then they just need to upload a large file to your hidden service. They don't even need to use your specific upload page; any web page will work, and it doesn't matter if the upload fails after it completes. During the upload cycle, they can see the entire route.

(Why isn't law enforcement shutting down all of the dark markets? They don't have the God's eye view, and it's hard to get a court order for global surveillance.)

A LESSER GOD?

Not everyone has the required God's eye view. And in my discussions with developers from the Tor Project, they were quick to point out that they do not protect against global observations.
As noted in the original Tor Design Document (section 3.1):

> A global passive adversary is the most commonly assumed threat when analyzing
> theoretical anonymity designs. But like all practical low-latency systems, Tor
> does not protect against such a strong adversary. Instead, we assume an
> adversary who can observe some fraction of network traffic; who can generate,
> modify, delete, or delay traffic; who can operate onion routers of his own;
> and who can compromise some fraction of the onion routers.

If using a God's eye view is out of scope, then how small is "some fraction"? How about 10% of guard nodes?

Nusenu, a Tor researcher, reported last month that one malicious actor had managed to create a large number of exit nodes. These malicious exits ended up handling nearly 24% of all exit traffic. Keep in mind, this doesn't mean that your exit traffic used their servers 24% of the time. Tor clients change paths often: a circuit is used for new connections for about 10 minutes, while a connection that is already open stays on its circuit, as noted above. For the first 10 minutes, there is a 24% chance that you're using one of these hostile exit nodes. After 10 minutes, you switch paths, selecting a new exit for 10 minutes. The likelihood of using one of these exit nodes in the first 20 minutes becomes 42% (100% - 76%×76%). After 30 minutes, it's 56%. After an hour, it's 80%. Two hours is 96%, etc. In general, after n ten-minute circuits the chance that at least one of them used a hostile exit is 1 - 0.76^n. The longer you're using Tor, the more likely it is that they have seen some portion of your exit traffic.

In his paper, Nusenu mentioned that this malicious cluster also accounted for 10% of guard nodes. Here's how the math works:

* With Tor, every exit node is also a relay, and many exits are also guards.
* Earlier this week, I counted 3,244 known guard nodes and 1,970 known exit nodes (only counting IPv4 addresses). Of these, 1,372 nodes are both guards and exits. That means 42% of the guard nodes (1,372 of 3,244) are also exit nodes. (Seen from the other side, about 70% of the 1,970 exits are also guards.)
* 24% of exits are part of this hostile group.
That translates into 10% of the available guards (24% of 42%), assuming the hostile group's share of the dual-role nodes matches its share of exits overall. (Tor selects relays by consensus bandwidth weight rather than by head count, so the traffic-weighted share can differ from this count; the order of magnitude is what matters here.) With Tor, you don't change guards often. So 1 out of every 10 Tor connections likely used these hostile guards. And given enough time, you will use one of their exit nodes. The net result is that 10% of the time, they had the capability of mapping users to exit traffic.

(Nusenu also pointed out that the Tor Project is well aware of these hostile groups that control large numbers of Tor nodes. Nusenu wrote that this "apparently did not lead to any improvements.")

A TEENY TINY GOD?

As mentioned earlier, the Tor Project claims to protect against "an adversary who can observe some fraction of network traffic." I've shown that they do not protect against someone with a God's eye view, or even someone who controls 10% of Tor guards along with some of the exit nodes. So how small does "some fraction" need to be for Tor to actually provide protection? What if the adversary only controls one (1) guard and nothing else?

Every guard is also a relay. A guard can distinguish end users from other Tor nodes by comparing the client's network address against the public list of known Tor nodes. If the incoming traffic is from another Tor node, then it's being used as a relay. Otherwise, the node is being used as a guard. (There is the case of a bridge connecting to a relay, but in a previous blog entry I showed how to identify all bridges.) This means that a hostile guard can tell when a connection represents an end point: either a user or a hidden service.

A guard cannot decrypt traffic; it can only see traffic volume. Fortunately for the attacker, the network traffic generated by a regular Tor user is very different from the traffic generated by a hidden service, and it can be passively observed. For example:

* Initial connection delays: With regular users, the Tor daemon starts up and establishes a path.
Then there is a pause as the user's Tor Browser starts up (or as the user switches to some other application) before generating Tor traffic. With bots, it's the same startup. However, there may be no pause. Instead, there is typically a steady amount of traffic as the bot performs scans, attacks, harvesting, or some other automated task. Hidden services start up the same way, but then there is an immediate burst of traffic as the service registers itself with introduction points and directory servers. Then there's a pause as it waits for the first person to connect to the hidden service. Finally, there is traffic that flows from the Tor network to the service before receiving a response from the service.
* Duration: Most users seem to start up Tor, use it, and then shut it down when they are done. In contrast, bots and hidden services are usually up for an extended duration (with hidden services being connected much longer than bots).

What this means: the guard knows your network address and it can passively detect whether you are likely a human, bot, or hidden service.

Even if the guard knows that you are running a hidden service, they don't know which hidden service you are running. Except, they can easily figure it out if you're a big service. (If you're a low volume hidden service, like a test box only used by yourself, then you're safe enough. But if you're a big drug market, counterfeiter, child porn operator, or involved in any other kind of potentially illegal distribution, then you may end up having a bad day.)

To find the big hidden services, you simply need a list of known onion services. For example, Ahmia.fi is a Tor-based search engine. They have a list of over 10,000 hidden service addresses. Warning: I do not recommend randomly clicking on any address in that list. Before making this warning, I spot checked a few dozen links.
Every single one that I checked (excluding my own service, which is in the list) was either offline or involved in some kind of illegal activity. (There are way too many hidden services on Tor devoted to child porn, money laundering, drugs distribution, and other illicit offerings.)

To determine if the hidden service that is connected to your guard is on this list, you just need to connect to each onion service and transmit a burst of traffic.

> foreach hidden service in the list:
>     Upload a large file to the hidden service.
>     Check if your guard transmitted a large amount of data to the unknown hidden
>     service at the same time.

* If your guard sees a burst arrive for the hidden service, then you've associated the hidden service with the network address. (You'll probably want to send a controlled set of bursts, just for confirmation. All of this can be automated and done in parallel; testing 10,000 hidden services might take 10 minutes.)
* If your guard did not see any corresponding bursts, then the unknown hidden service is probably not one of the big hidden services.

As for anonymizing your hidden service's network address: Tor fails to protect you from even one hostile guard (or a hostile bridge).

Of course, if you're not using the adversary's guard, then you're safe... right? Well, my own hidden service has experienced a half dozen different kinds of Tor-based denial-of-service attacks. One of them was really creative: they owned one or more hostile routers and could identify which guard I was using. If I wasn't connected to their guard, then they would DDoS my guard until I was forced offline. Then my tor daemon would automatically select a different guard. They did this enough times that my tor daemon eventually chose their guard. Then they directly attacked my IP address.

FUNDAMENTAL FLAWS

None of the exploits in this blog entry are new or novel. For example, a 2012 research paper described a method to trace long-duration connections.
In 2013, a different research paper explained an approach for deanonymizing hidden services. Although these are old, they are classified as zero-day attacks because there is no solution. Just because the vendor says an exploit is out of scope doesn't mean it isn't a problem. (The Tor Project explicitly says that Tor provides protection against "traffic analysis" and "prevents websites and other services from learning your location" from an adversary "who can operate onion routers of his own". So using traffic analysis from one hostile guard to identify the location of a hidden service doesn't seem to be out of scope.)

These exploits represent a fundamental flaw in the current Tor architecture. People often think that Tor provides network anonymity for users and hidden services. However, Tor really only provides superficial anonymity. Tor does not protect against end-to-end correlation, and owning one guard is enough to provide that correlation for popular hidden services.

RECAP

So far, this "Tor 0day" series has covered how to detect people as they connect to the Tor network (both directly and through bridges), why these are considered zero-day attacks, how to find all bridges, and how to track Tor bridge users. In this blog entry, I covered different situations for identifying the real network address of users and hidden services, as well as cases that can map some exit traffic back to the end user.

Someone with enough incentive can block Tor connections, uniquely track bridge users, map exit traffic to users, or find hidden service network addresses. While most of these exploits require special access (e.g., owning some Tor nodes or having service-level access from a major network provider), they are all in the realm of feasible and are all currently being exploited.

That's a lot of vulnerabilities for Tor. So what's left to exploit? How about... the entire Tor network. That will be the next blog entry.
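The exposure arithmetic from the "A lesser god?" section, worked through as an added example. This is editor-supplied code, not code from the Hacker Factor post or from the Tor Project. The relay list is constructed; its `weight` field stands in for the consensus bandwidth weight that Tor actually uses when it picks relays, so each share is reported both as the head count the post uses and weighted by bandwidth, which is the caveat a practitioner checking these percentages against a real consensus would want.

```python
"""Worked example, added to this page (not code from the Hacker Factor post or
the Tor Project).

Two calculations from the "A lesser god?" section:
  1. the cumulative chance of having used a hostile exit after n circuit
     rotations (the post's 24% -> 42% -> 56% -> 80% -> 96% series), and
  2. how a hostile share of exits turns into a share of guards when many relays
     carry both flags.

The relay list is CONSTRUCTED. Its `weight` field stands in for the consensus
bandwidth weight that Tor actually uses to pick relays, so each share is
reported both as the head count the post uses and weighted by bandwidth.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Relay:
    name: str
    guard: bool     # carries the Guard flag
    exit: bool      # carries the Exit flag
    weight: int     # stand-in for consensus bandwidth weight (assumption)
    hostile: bool   # belongs to the operator group being measured


def exposure_after(p_hostile: float, circuits: int) -> float:
    """P(at least one of `circuits` independently chosen exits was hostile)."""
    if not 0.0 <= p_hostile <= 1.0 or circuits < 0:
        raise ValueError("p_hostile must be in [0, 1] and circuits >= 0")
    return 1.0 - (1.0 - p_hostile) ** circuits


def exposure_after_minutes(p_hostile: float, minutes: int, rotation_minutes: int = 10) -> float:
    """Same thing counted in wall-clock time; the post assumes a new exit about
    every 10 minutes (a stream already open keeps its circuit, so this is the
    optimistic case for the user)."""
    circuits = -(-minutes // rotation_minutes)  # ceiling division
    return exposure_after(p_hostile, circuits)


def hostile_share(relays: Sequence[Relay], role: str, by_weight: bool) -> float:
    """Fraction of relays holding `role` ("guard" or "exit") that are hostile,
    by head count or by bandwidth weight."""
    pool = [r for r in relays if getattr(r, role)]
    size = (lambda r: r.weight) if by_weight else (lambda r: 1)
    total = sum(size(r) for r in pool)
    bad = sum(size(r) for r in pool if r.hostile)
    return bad / total if total else 0.0


def guard_exit_overlap(relays: Sequence[Relay]) -> float:
    """Fraction of guards that also carry the Exit flag (the post's 42%)."""
    guards = [r for r in relays if r.guard]
    return sum(1 for r in guards if r.exit) / len(guards) if guards else 0.0


def estimated_hostile_guards(relays: Sequence[Relay]) -> float:
    """The post's shortcut: hostile share of exits x share of guards that are
    also exits. It assumes the hostile group's relays are all exits and that its
    share of the dual-role relays equals its share of all exits."""
    return hostile_share(relays, "exit", by_weight=False) * guard_exit_overlap(relays)


# CONSTRUCTED consensus: hostile operators tend to run fat relays, so their
# bandwidth share exceeds their head count.
SAMPLE_RELAYS = (
    [Relay(f"guard-{i}", True, False, 100, False) for i in range(10)]
    + [Relay(f"guard-exit-hostile-{i}", True, True, 300, True) for i in range(2)]
    + [Relay(f"guard-exit-{i}", True, True, 100, False) for i in range(4)]
    + [Relay("exit-hostile-0", False, True, 300, True)]
    + [Relay(f"exit-{i}", False, True, 100, False) for i in range(3)]
)


def report(relays: Sequence[Relay] = SAMPLE_RELAYS) -> Dict[str, float]:
    return {
        "guards_that_are_exits": guard_exit_overlap(relays),
        "hostile_exits_by_count": hostile_share(relays, "exit", False),
        "hostile_exits_by_weight": hostile_share(relays, "exit", True),
        "hostile_guards_by_count": hostile_share(relays, "guard", False),
        "hostile_guards_by_weight": hostile_share(relays, "guard", True),
        "hostile_guards_estimate": estimated_hostile_guards(relays),
    }


if __name__ == "__main__":
    for minutes in (10, 20, 30, 60, 120):
        print(f"{minutes:4d} min: {exposure_after_minutes(0.24, minutes):.0%} chance of a hostile exit")
    for key, value in report().items():
        print(f"{key:26s} {value:.1%}")
```

On the constructed list the hostile group holds 30% of exits by count but 56% by weight, and 12.5% of guards by count but 30% by weight; the post's shortcut (exit share times guard/exit overlap) gives 11%. The lesson for anyone repeating the post's arithmetic against a live consensus is to compute the weighted share as well, since that is the one that governs how often a client actually lands on those relays.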
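The single-hostile-guard check from "A teeny tiny god?" (the foreach loop over a list of onion addresses) and the large-upload trick from "God's eye view" both come down to the same thing: send traffic on a schedule you control and look for that schedule in the volume an observer sees on one link. The following is an added example that models that correlation offline; it is not the author's tool and not anything from the Tor Project. The relay IPs, onion names, probe schedule, volume figures and the 0.8 correlation threshold are all constructed assumptions, and nothing in it touches the network.

```python
"""Worked example, added to this page (not code from the Hacker Factor post or
the Tor Project).

Models the single-hostile-guard attack from "A teeny tiny god?" and the
large-upload trick from "God's eye view" on CONSTRUCTED data:

  1. the guard separates end points from relays by checking the peer address
     against the public relay list;
  2. the attacker uploads a large file, on a known schedule, to every onion
     address on a public list;
  3. the guard looks for that schedule in the volume it forwards to the unknown
     end point and names the onion whose schedule fits best (or none).

Relay IPs, onion names, schedules, volumes and the threshold are assumptions.
"""
from ipaddress import ip_address
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence, Tuple

# CONSTRUCTED stand-in for the public relay list (in practice: the Tor consensus).
KNOWN_RELAYS = {"198.51.100.7", "198.51.100.9", "203.0.113.44"}

# CONSTRUCTED candidate list (in practice: a public onion index such as Ahmia's).
CANDIDATE_ONIONS = ["market-a.onion", "forum-b.onion", "mirror-c.onion", "shop-d.onion"]


def classify_peer(peer_ip: str, known_relays=KNOWN_RELAYS) -> str:
    """An inbound connection comes either from another relay (we are a middle
    hop) or from an end point (we are the guard of a client or onion service)."""
    ip_address(peer_ip)  # reject garbage before the lookup
    return "relay" if peer_ip in known_relays else "endpoint"


def probe_schedule(onions: Sequence[str], slots: int, bursts_per_onion: int) -> Dict[str, List[int]]:
    """Assign each candidate onion its own set of time slots in which the
    attacker uploads a large file to it. Several slots per onion give the
    "controlled set of bursts" the post recommends for confirmation."""
    return {
        onion: sorted({(i * 7 + k * 5) % slots for k in range(bursts_per_onion)})
        for i, onion in enumerate(onions)
    }


def simulate_guard_view(true_onion: str, schedule: Dict[str, List[int]], slots: int,
                        baseline_kb: float = 40.0, burst_kb: float = 4000.0) -> List[float]:
    """CONSTRUCTED guard-side measurement: kB forwarded toward the unknown end
    point per slot. Ordinary visitor traffic is a small, jittery baseline; the
    attacker's uploads appear as spikes in the slots scheduled for the true onion
    (and nowhere at all if the true onion is not on the candidate list)."""
    jitter = [3, -5, 8, 0, -2, 6, -7, 1]  # fixed so the run is reproducible
    observed = [baseline_kb + jitter[t % len(jitter)] for t in range(slots)]
    for t in schedule.get(true_onion, []):
        observed[t] += burst_kb
    return observed


def correlate(observed: Sequence[float], slots_on: Sequence[int]) -> float:
    """Pearson correlation between per-slot volume and the 0/1 probe indicator."""
    on = set(slots_on)
    indicator = [1.0 if t in on else 0.0 for t in range(len(observed))]
    sd_o, sd_i = pstdev(observed), pstdev(indicator)
    if sd_o == 0 or sd_i == 0:
        return 0.0
    mo, mi = mean(observed), mean(indicator)
    cov = mean((o - mo) * (i - mi) for o, i in zip(observed, indicator))
    return cov / (sd_o * sd_i)


def identify(observed: Sequence[float], schedule: Dict[str, List[int]],
             threshold: float = 0.8) -> Tuple[Optional[str], float]:
    """Return the onion whose schedule best explains the observed spikes, or
    None when nothing clears the threshold (a small or unlisted service)."""
    best, best_r = None, 0.0
    for onion, slots_on in schedule.items():
        r = correlate(observed, slots_on)
        if r > best_r:
            best, best_r = onion, r
    return (best, best_r) if best_r >= threshold else (None, best_r)


def run_example(true_onion: str = "mirror-c.onion", slots: int = 24) -> Tuple[Optional[str], float]:
    schedule = probe_schedule(CANDIDATE_ONIONS, slots, bursts_per_onion=3)
    observed = simulate_guard_view(true_onion, schedule, slots)
    return identify(observed, schedule)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10"):
        print(ip, "->", classify_peer(ip))
    print("listed service:  ", run_example("mirror-c.onion"))
    print("unlisted service:", run_example("private-test.onion"))
```

The listed service is named with a correlation close to 1.0 because its probe slots line up with the spikes; the unlisted service never rises above the baseline and falls under the threshold, which is the post's second bullet ("probably not one of the big hidden services"). The same scoring works for a global observer: replace the guard's per-slot counter with the volume seen on any link along the path.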
Read more about Forensics, Network, Privacy, Security, Tor | Comments (60) | Direct Link

COMMENTS

#1 Nate on 2020-09-16 00:09
Nice a@@ you f@@@@@@g @@@@@@
[Editor's comment: swear words and racial insults redacted.]

#1.1 Dr. Neal Krawetz on 2020-09-16 07:39
Hello Nate,
Based on your comment, I suspect that this blog entry touched a nerve and has made you upset. Could you be more specific about what has caused you distress? For example:
Are you angry that people have known about these ways to expose IP addresses for at least a decade?
Are you irritated that the Tor Project never addressed these issues?
Are you disappointed that you didn't know the scope of this problem? It was an open secret, but that means many people didn't know about it.
Are you displeased that I publicly detailed what other people considered an open secret?
Are you miffed that the Tor Project has repeatedly misrepresented the degree of anonymity that Tor provides?
Are you peeved that hidden services, including dark markets, can be found?
Are you irked that groups are running undocumented sets of Tor nodes without declaring that they are doing it?
Are you galled that there are hostile Tor nodes that are monitoring Tor users without informing people? I should have pointed out in the blog that one group was monitoring 24% of exit traffic, but that doesn't mean that other groups are not monitoring the remaining 76% of exit traffic. You should assume that all exit traffic is being watched.
Are you unhappy about the snake eating the rifle? It's photoshopped. No animals were harmed in this blog entry.
Maybe there is some other reason you're antagonistic? Have you tried to "use your words"? Perhaps a therapist can help you with your communication and anger issues.

#1.1.1 Jimmy on 2020-09-18 16:12
Well boy, you just destroyed all my faith in the Tor project. Do you think that there is another, more anonymous alternative to Tor, like i2p, lokinet?
Good article

#1.2 RKL on 2020-10-03 13:27
Your pedo days on Tor are gone mother @@@@@@. Stop blaming the police for catching your punk @@@ little @@@@. To the writer: Good stuff there my man. I knew about this all along but no @@@@ agreed with my theory.
[Moderator: Swear words redacted.]

#1.2.1 Kumamon on 2020-12-11 10:11
Yup his pedo days are over.

#2 J. Wick on 2020-09-16 08:54
First of all, I must admit that I just found your blog recently and I am reading it with a lot of interest. I do not have the full picture but it is a shame that Tor is not doing anything about it. That said, I would like to ask/say a few things.
1. Is this really a Tor 0day or is the cause a badly configured server? If a hidden service blocks all direct connections to the outside and everything related to Tor is restricted through private internal IPs, can the IP still be leaked?
2. Related to the previous point, did you see the endgame filter deployed by Paris from Dread? Using it you will add another layer of protection from DDoS (although I do not know if it truly can protect you from all DDoS), plus proxying the end hidden service means that leaking the front end does not leak the real IP.
3. If a hidden service IP can be found so easily by corporations, why are the police not busting child porn forums? Or why is the Chinese regime not finding those who are protecting themselves behind Tor to speak with freedom?
4. Also, is there any distro that can protect users' anonymity? Like Tails, Qubes, Whonix... or are they only pseudo-anonymous?

#2.1 Dr. Neal Krawetz on 2020-09-16 09:25
Hello J. Wick,
Regarding your questions:
1. This is really an 0day and not due to any server configuration. It is a fundamental flaw, meaning that regardless of what tor daemon you use (any version from the Tor Project or if you write your own), it will have this same problem.
The solution requires changing the Tor architecture (something Roger has been unwilling to consider since he joined the team, predating the Tor Project). Hidden services were added later. This shoe-horned solution ignored the risk of exploitation from a single guard. (The Tor Project made a bad decision, and has been actively ignoring the problem for years.)
2. I've heard about endgame. I know that it does not fix the DDoS problem. Endgame is good for the Stinger DDoS. However, the DDoS from February was different in many ways and wasn't Stinger; endgame won't stop it.
3. Corporations can easily find hidden services. But as I mentioned in the blog, law enforcement doesn't have that kind of access; getting a warrant for global data collection won't happen. Worse: even if LEOs have access to the data, they can't use it in a court of law. The HS operator will likely have charges dropped due to illegal evidence gathering. In contrast, China and Russia don't have enough of a global view. There are very few Tor nodes in Russia, and none (AFAICT) in China. If the traffic doesn't cross their border, then they don't see it.
4. Who is the adversary you are hiding from? Your parents, employer, or local ISP? Then just regular Tor Browser is mostly fine. One of the employers who is running my detection software? None -- use Tor outside of the company network, not inside. A major law enforcement group who is cracking down on some illegal activity where you are the local kingpin? Tor doesn't provide enough protection.

#2.1.1 J. Wick on 2020-09-16 14:04
Thanks for taking the time to reply to me, I appreciate it.
1. So does it apply too if you use vanguards + onionbalance with several backend instances?
Also there are rumors that owners/devs from Hydra russian market developed his own tor version which should fix those flaws and the latest ddos attack, meanwhile other services are going down because of ddos attacks they seem to be always online using a v2 address.Some researchers said that server responses are different, do you have any information about it? 2. Well, if it can protect services from one more attack that it is something at least. 3. Well it is a double edged sword, good that goverments cannot target activists or similar people but it is really bad that they cannot do nothing against child porn forums for example... I understand your point about that there are not many nodes in china, but could not they control enough nodes outside China? At the end they have much more money than a corporation 4. I am just a regular user but also an activist and I try to learn new things P.S. Dreads admin Paris gave his opinion about this post here in the comments: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/8a3bf7495b83de909390 You can read it but basically he said that although what you say it is true, you are ignoring some things which does not make the attack so easy to replicate. I cannot say if it is true or not as I do not have enough knowledge but it will be intestesing if you both can have a discussion about it #2.1.1.1 Dr. Neal Krawetz (Homepage) on 2020-09-16 18:16 (Reply) Hi J. Wick, Lots of questions. Let's see what I can do. 1. Vanguards and Onionbalance When you're under a DDoS, the most common solution is to increase the resources in order to distribute the load. Vanguards and onionbalancers are ways to distribute the load. See: https://blog.torproject.org/announcing-vanguards-add-onion-services From a global adversary's view: A single TCP connection is still a single TCP connection. If it is long-term and high volume, then it is still visible. 
Moreover, a DDoS will be distributed across the network, but will still wind up at the same server. 2. Partial protection: With some services, they have multiple servers that all respond to the same .onion hostname. In that case, it lessens the evil-guard attack (my teeny tiny god attack). Since an onion service distributed across 3 servers turns it into a 1 in 3 chance that the loaded TCP connection will reach the onion service -- assuming one of their servers are using your evil guard. This will protect against the evil guard, but not against the God's eye view. 3. LE vs Governments vs Corporate A huge amount of network traffic passes through countries with restrictions about what LE and gov can do. (USA, EU, etc.) The restrictive governments who want to have a God's eye view (China, Russia, Syria, Iran, etc.) just don't have the network traffic passing through them. If it doesn't cross their borders, then they can't see it. I guess you can call this "security by coincidence". 4. It's good to be a regular user. 5. Paris and Dread. I haven't been able to see anything on Dread ever since they introduced their horrible "deCaptcha" system. (Has anyone ever managed to pass it on the 1st or 2nd try? Half the time, I can't even tell what they are pictures of.) Frankly, I'm not going to bother responding to comments made on a darknet forum. Particularly, one where they seem to surround themselves in an echo chamber. If they would like to discuss anything, they are welcome to do it out here and participate with everyone. #2.1.1.1.1 The Rock on 2020-09-19 13:27 (Reply) I am coming from Dread and I also would like that you and Paris can have a talking about Tor. He has commented the following a couple of days ago: "I would love to discuss it with him but he banned any Tor network traffic from posting a comment. 
He also blocks various VPN providers and currently it is not worth the time trying to bypass it with new proxies" I find more logic has the conversation in an anonymity forum like Dread (for obvious reasons, probably the LE wants to get him but you are a public figure), but if he agreed at least you should allow tor traffic or some vpns as minimum. If not you can identify anyone who post into your blog #2.1.1.1.1.1 Dr. Neal Krawetz (Homepage) on 2020-09-19 15:36 (Reply) Hello The Rock, Tor is frequently used to attack sites on the internet, which is why most Tor exit nodes are banned. Of the ones that are not banned: My blog does not allow comments from Tor, or most other anonymizing systems. This is because I've had years of comment-spam abuse from those systems. (Everything from obscene comments and attempts to upload malware, so thousands of ads for "Shoes! Shoes! Shoes!".) The day I cut off comments from anonymous systems was the same day the comment abuse dropped to almost zero. As I mentioned in another comment, I cannot get past the captcha on Dread. If he wants to chat, when he needs to come out of the darknet. #2.1.1.1.1.1.1 The Rock on 2020-09-21 09:25 (Reply) Thanks for taking your time to reply me. Do not think that my intention is to attack you because this is not the case. I also manage a normal clearnet forum with some traffic and using google recaptcha v3 or hcaptcha is enough to stop spam with zero effort and without banning tor. But this is your project so not saying how you have to handle your things of course, just saying other alternatives nothing more. And well, I enter in Drad several days per week and I can past the captcha most of times in the first of second try but not more than third attempts, it is using google recaptcha images and at the beginning can be a bit tricky the question I admit it but putting a bit of attention and doing ctrl plus + is enough to solve it. 
They did not implemented that captcha just to disturb users, they did it to fight against spam too. Every text based captcha is dead, only dynamic captchas are an option against AIs and the one you see right now was already cracked by an AI. So they already implemented like six different captchas to fight spammer who is asking money to stop the spam and they closed registrations to avoid the spam too. So they do not want to add a membership fee because the purpose of the forum is to be totally free and open to everyone. Just to end, forcing him to only comment with his ip (or putting really hard just to have a conversation) you are putting him in danger (which I think that it is pretty clear the reasons why). I think that you have really deep knowledges of tor and you are skilled, I think that Paris too (and maybe you have more skills I do not know), but I am sure that you both have tons of skills and I am not a fanboy of nobody but I would like to read a conversation between you and him, for sure it will be more enriching and interesting than other comments we can find here #2.1.1.1.1.1.1.1 The Rock on 2020-09-23 17:44 (Reply) As you just ignore my comment I guess that you have made a decision and it is sad that you cannot be a bit flexible to talk in Dread, other place you prefer, doing something to allow commenting anonymously or having the talk through email and later publish it in your blog If you could talk about how circuit padding could help to combat those attacks would be interesting (I am reading about it now so I cannot say anything about it) #2.1.1.2 /u/notme on 2020-09-21 10:00 (Reply) hey dr neal. don't bother with dread or paris. i was going to post that thread here so you could read it but the reply from paris begins with a personal attacks against you and then says "correctly mind you everything he has said is inherently correct" he just wants to argue. 
#2.1.1.2.1 The Rock on 2020-09-23 17:37
Well, personally I do not share the way he started his post, saying 'Another "great" post by the infamous Dr Neal with another of his "zero days" for the Tor project...'; he also says that Dr Neal might feel mistreated by the Tor Project because they did not take him seriously, remarking at the end that Dr Neal is among the handful of people in the world who know a lot about Tor, and he considers him a smart guy. Also, when the DDoS attacks started this year, Paris asked publicly for Dr Neal's Jabber to talk about the DDoS attacks (no idea if they talked or not). As I said before, I do not share his manners, although I do not think that it can be considered a personal attack (I have received harsher criticism in my working life, but I do not have thin skin; so I just try to see the good side of things and whether I can obtain something good for me or to improve myself). But anyway, that is something personal between them and it is only about them. I consider myself a critical person and I am not a fanboy of anybody; I am trying to understand Tor better and I am not going to stop at just one article, I try to read as much as possible and listen to people more clever than me (talking about Tor, Dr Neal and Paris have a much, much, much deeper understanding than me, for sure). At least on some points they have different points of view, so why would you not want to read a conversation where people can talk from different points of view? If you are sure or you have more knowledge about the subject, you can refute critics easily. As long as it is done with respect, I think that talking with people who do not agree with you is really good, for obvious reasons.

#3 Pirate Party on 2020-09-16 09:32
What about I2P? Would it be more secure than Tor because every user also automatically acts as a relay? Would it provide more security if clients and relays sent fake traffic all the time, so the real traffic does not produce any measurable peaks and can therefore not be traced that easily?

#3.1 Dr. Neal Krawetz on 2020-09-16 12:41
Hi Pirate Party,
I'm very familiar with i2p. I won't go near it unless someone is paying me for exploits.
My short opinion: As many problems as Tor has, i2p is substantially worse. It is worse BECAUSE every user is also a relay. I can sit and watch the connection, allowing me to map out each user's address. If your server is up long enough, you should see everyone eventually.
Then there are the i2p servers (like Tor's hidden services). It's basically a Russian ghost town with a very strong anti-muslim vibe. (Seriously -- it was like every site was "Drugs! No Arabs!" but written in Russian.)
And then there are the i2p exit nodes. Tor has a problem with hostile exit nodes. i2p has a problem because there are no exit nodes. (Well, there is ONE exit node, but it's either down or so heavily congested by everyone else that it's unusable.) So if you're using i2p, you're not accessing the Internet (no exits). You're likely only going to internal i2p sites that cater to illegal activity -- making you a suspect just for being on i2p. And since every user is a relay, I can sit and collect the network addresses of every suspect user.
Yeah, that's worse than Tor.

#3.1.1 Tom on 2020-09-17 08:34
What do you think of running I2P through Tor via Tails or Whonix, for example? Would this increase I2P's security, as you would only manage to obtain Tor exit nodes' IP addresses?

#4 Ben on 2020-09-16 14:28
That was a fascinating read. Thank you!

#5 sneak on 2020-09-16 23:35
I talked to Adam Levine about this same topic in 2013. Tor is unsafe against a passive adversary that can monitor the majority of network traffic. https://youtu.be/9k4GP3Evh9c?t=2018

#6 noname on 2020-09-17 00:31
https://blog.torproject.org/whats-new-tor-0298 states "an onion service connection between a client and a service goes through 6 hops" - so how is this supposed to work: "To determine if the hidden service that is connected to your guard is on this list, you just need to connect to each onion service and transmit a burst of traffic."?

#7 benno on 2020-09-17 01:25
Great read. I think I won't disappoint anyone by stating that there's no lobby to make Tor safe. As you already pointed out in the comments, the average user has an advantage. All others are still trackable if there's sufficient money/arguments.

#8 Tony on 2020-09-17 02:00
Would you be so kind as to comment on the use of pluggable transports to stop one's ISP from identifying their client connecting to the TOR network? I am surprised not to see it mentioned in the relevant part of the article. Could you please clarify whether it is effective?

#8.1 Dr. Neal Krawetz on 2020-09-17 07:01
Hi Tony,
See the previous blog entries in this series that discuss detecting bridges and tracking unique bridge users.
https://www.hackerfactor.com/blog/index.php?/archives/889-Tor-0day-Burning-Bridges.html
https://www.hackerfactor.com/blog/index.php?/archives/893-Tor-0day-Tracking-Bridge-Users.html

#9 Misguided on 2020-09-17 04:31
Hello Dr. Krawetz,
As an irregular Tor and sshd-over-Tor user, I find these posts fascinating and very informative, so thank you for that! I have to say I'm a little disappointed at the (lack of?) response from the Tor Project. As the closest thing to, if not the, expert on the subject, if the Tor Project were invested in fixing these flaws, what do you think would be a good design direction to move their architecture towards? Naively assuming, of course, that low-latency resistance to minor gods is not an unsolvable tarpit of complexity. Thank you!

#9.1 Dr. Neal Krawetz on 2020-09-17 07:04
Hello Misguided,
I believe there are options to mitigate many of these issues. However, the Tor Project has not been receptive to any suggestions that might impact their core design. These are not just suggestions and options from me -- they come from a wide range of security and networking experts. (And many of us have come up with the same solutions or variations of the same solutions.)

#10 unknown001 on 2020-09-17 04:49
Hi. Beautiful and scary article.
> could identify which guard I was using
1. How is that even possible? Were the attackers controlling the mentioned 24% of relays, then making a lot of connections to your service, with the hope it would choose their relay as the next one after the guard?
> they would DDoS my guard until I was forced offline. Then my tor daemon would automatically select a different guard
2. Dirty move! Maybe we should suggest that the Tor developers add protection from this attack? How can we even protect ourselves from this (of course, in addition to donating some cash to Tor so they hire the relay-janitor back)?
> The people I consulted about my DDoS issue included people with real God's eye views. One claimed to see over 70% of all internet traffic worldwide. Another claimed over 50%. Moreover, these people are not nation-states or governments; they are corporate.
3. It isn't legal, is it? It can't be; it's like a private worldwide spy network! And we all know too well anyone with enough money can buy access to it.
4. What companies, for example, are participating in this? Large home ISPs? Are IXes affected?
5. Were you able to identify the attackers with the help of your godlike friends?

#10.1 Dr. Neal Krawetz on 2020-09-17 07:16
Hello unknown001,
In response to your questions:
1. How to own 24% of exit traffic: Anyone can run a Tor node. Anyone can set the flags, indicating that they want to be guards and exits. So... you start up a bunch of Tor nodes. You use lots of different subnets to host your nodes so that it isn't obvious that they are related. You make sure they have high bandwidth so they are selected more often. And in the registration information, you don't mention that they are run by the same group. Then you wait. After time, your nodes will be promoted to guard and exit statuses.
The thing you should be noticing here is the cost. Hosting a node isn't cheap. High bandwidth isn't cheap. Who has these kinds of resources? Not individuals or small companies. It's either someone who knows they can monetize the results (e.g., via bitcoin theft) or who can use the data for intelligence gathering. (Why are Russians running so many Tor nodes?)
2. Prevent DDoS guard detection: My solution is to randomly exclude direct connections to different countries. They can't find me if they can't narrow down my guard. (The Tor Project rejected this solution because it reduces the number of nodes that my tor daemon can connect to.)
3. Is monitoring all traffic legal? 4. What companies? Yes! You establish a partnership with Level3, Cogent, Hurricane Electric, etc. in order to help them identify cross-service network waste and abuse. Just those 3 providers will get you over 40%.
5. You'll have to wait and see.

#10.1.1 unknown001 on 2020-09-17 08:10
Thx for the reply. But:
1. I didn't ask "how to own 24% of exit nodes" (but your info is useful though). My actual question was, 'how were the attackers able to determine your hidden service guard node's IP?'
2. Can't say I understood. The current config (torrc) allows specifying guards' countries via "EntryNodes". Do you propose removing that setting?
3, 4. Okay. Do you have any estimate of how much such a partnership costs? And what companies are known for aggregating such data from these ISPs? (aka the aggregators/security firms/etc.)
5. Heh, nice, will be glad to see.
#11 abcd on 2020-09-17 10:05
"Warning: I do not recommend randomly clicking on any address in that list."
^^^ Having to write this is proof the frog has boiled so badly we are now all living in a police state, straight out of Orwell's 1984. His book was a warning, not an instruction manual. Yes, prison for visiting a web site. That's so unreal when you think about it. It's like we're living in a real-world sci-fi dystopia.

#11.1 Dr. Neal Krawetz on 2020-09-17 12:27
Hi abcd,
Not everyone lives in a country where it is legal to click on a link before knowing what it will show. Even in the US, "knowingly" is a key component. Intentionally seeking out some type of content (e.g., child porn) is illegal. Now ask yourself: if the cops were to coincidentally visit you while you were clicking on those links for fun, would it be incriminating?
Employers can have their own requirements. If you're at work and you are clicking through links -- knowing that they likely contain questionable content -- do you think they would have justification for firing you?
All I am trying to say is: don't be stupid.

#12 joseph on 2020-09-17 18:59
Hi, I agree with your assessment of the god's eye view problem. However, AFAIK, ever since my dabbling with the TOR network nearly a decade ago, this is (as they said) a known problem. TOR was never intended to protect against an all-knowing adversary. They also said mitigation is needed if the service deems this in their threat model.
I have read the same people as you have, about the malicious 24% exit nodes. But somehow I have reached a totally different conclusion. I wouldn't even call that a research paper. Even so, I'd need to ask how you get 100%-76%x76%; that's like betting on the same number, but somehow the more you bet the higher chance of winning you have??
Lastly, consider this a noob question. How does an adversary who controls the guard node know the hidden service IP address?
People have the misconception of TOR being the one-stop solution for anonymity, mainly because of false advertising, and devs dumbed down the actual facts. I'd say the same for researchers who blog about how 'insecure' TOR networks are. It is not all good, nor is it all bad. It is what it is. People should at least know the thing that their lives literally depend on.

#12.1 Dr. Neal Krawetz on 2020-09-17 22:49
Hi joseph,
Multiple questions. I'll address them out of sequence:
First, the math question: Regarding "100%-76%x76%", the math can get a little confusing.
24% = likelihood of selecting a hostile node in this cluster.
100%-24% = 76% = likelihood of selecting a node NOT in this hostile cluster.
After the first 10 minutes, you have a 76% chance of being safe. (Well, safe from this group.) After the next 10 minutes, you have 76%x76% of being safe. That's 100%-76%x76% for being unsafe. After n x 10 minutes (1, 2, 3 for 10, 20, 30 minutes), there is a 76%^n chance of being safe. (The bigger n, the lower the likelihood of being safe.) Put a "100%-" in front of it to identify unsafe after n x 10 minutes.
Second: "How does an adversary who controls the guard node know the hidden service IP address?" The guard knows the IP address of everyone (client) who connects to it. If the client is a known Tor relay or bridge, then the guard is not being used as a guard; it's being used as a relay. For everyone else, it has to be the IP address of the client. Most clients connect to Tor directly. But if they are going indirectly, such as through a cloud or a VPN service, then law enforcement knows where to serve the warrant in order to get more information.
Lastly: I think your last paragraph answered the issue raised by your first paragraph: "People have the misconception of TOR being the one stop solution for anonymity mainly because of false advertising, and devs dumbed down the actual facts." That "false advertising" is the part that continually gets my attention. The Tor Project repeatedly promotes Tor's use in high risk environments. This is concerning when the punishment for getting caught can range from prison to death.
You also wrote, "I'd say the same for researchers who blog about how 'insecure' TOR networks are." Fair enough. It's a complicated topic for a blog. I could probably write a book about the various mitigation options' strengths and weaknesses.

#13 Dean Valentine on 2020-09-18 00:50
This post is beyond dumb. I think you misunderstand what your friend did. He wasn't really performing any of the traffic analysis attacks you specified to figure out what IP address you were using. There are 2.4 million Tor users out there. You gave him 16 bits of information with your "159.19", which, if he can look at all the computers using Tor out there, gives him only a couple dozen possible computers to check. At that point he really can just look at the highest-traffic one, and that's it. TOR is obviously not magic, and if you give an attacker a 16-bit advantage like that, it's not that difficult to find an IP without going into any God's-eye-view highly technical traffic analysis.

#13.1 Dr. Neal Krawetz on 2020-09-18 07:24
Hello Dean Valentine,
I believe you misunderstand. He already had a list of the Tor-based DDoS targets and he already knew they were running hidden services. Moreover, he had been watching this particular DDoS long before I contacted him. When I started telling him my IP address, he typed it into a search screen of current DDoS targets. By the second octet, there was only one entry, so he knew it was me.

#13.1.1 Dean Valentine on 2020-09-18 11:04
Right, and, given my understanding of how TOR works, this isn't very interesting? Of course he knows you're running a hidden service and that you're receiving lots of traffic. That's public information. The problem is identifying which hidden service you're hosting, and you gave him more than enough information for him to do that without breaking TOR.

#14 C U Anon on 2020-09-18 20:33
Thanks for posting about Tor's myriad of faults. It used to be discussed on the Bruce Schneier blog some years ago, but serious commenters making the same points as you got attacked by the fan-boys who just parroted the same old lines without actually addressing the issues. One long-term commenter there has given a fairly clear idea of how they think people should actually get anonymity, based on what they call a fleet broadcast system that sits on top of a fixed-rate, packet-stuffed series of ring networks between store-and-forward nodes, where there are no entrance or exit nodes as clients and servers become network nodes. Apparently it can sit on top of either a packet-switched or circuit-switched network model.

#14.1 Dr. Neal Krawetz on 2020-09-18 21:18
Hi C U Anon,
Thanks for the positive feedback. I've been seeing the negative feedback from the few-but-vocal fanboy crowd. Ironically, the negative feedback doesn't bother me -- it makes me laugh. I'm really amazed at how many of them haven't taken the time to read the whole blog entry before commenting on it. And there are so many who write things like "I stopped reading after 0day". In contrast, the people with intelligent feedback, great questions, and support come in after the vocal fanboys.
Regarding the anonymous system that uses a fixed packet rate: It may have trouble scaling to a large number of users, but I like the basic concept! I'd love to see someone implement it for actual testing.

#15 ghrt on 2020-09-19 01:11
this info is an open secret, can you open up to which corporate entities are involved? which nation are they based in?

#16 Aki009 on 2020-09-19 01:23
It seems that a new TOR is needed. How about DOR (*Double Onion Router*), which transforms all traffic into evenly sized blocks and provides fill-in dummy traffic between all parts of the network during low demand. This way an attacker could not use traffic analysis to determine the end points of connections.

#17 hello on 2020-09-19 05:55
Then you'll have to run about 5 Tor relays (guards) yourself. Why not just randomly connect to it?

#18 asdf on 2020-09-19 12:45
Thanks for an interesting article. You have confirmed some hunches I had after first learning of the Tor network, almost 20 years ago. Unfortunately I wasn't nearly smart enough to prove any of it, though it probably wasn't novel even then.

#19 eloyesp on 2020-09-20 19:56
I just had an idea about a possible approach for a solution, but I don't know enough to validate it, so I'm sharing it here as a request for comments. I see that most of the privacy leaks are based on bulks of data traveling on the Tor network (like spamming a node to discover the network). My idea is to partner with Monero (the privacy cryptocurrency) to add a cost for Tor network usage. Obviously, most normal users will not want to spend Monero for each transaction (and transaction fees would not allow it), but it can be paid with hashes (Monero is minable on normal hardware); there was a usable spam prevention method called Coinhive that worked like that. It can be automated in the browser; it just sends some hashes of data to pay for the payload for each relay that can be used to mine. As far as I can think, it would add an incentive to run a relay (so it becomes harder to have a big part of the network), and will prevent big uploads (as they are computationally expensive) and distributed spamming (as it will require normal hardware running on botnets). Does it make sense?

#19.1 Dr. Neal Krawetz on 2020-09-20 21:48
Hello eloyesp,
When people have to pay for free speech, it is no longer free. Tying traffic to monero -- or any other bitcoin -- just adds another dimension for tracking. This is a big mistake for any kind of anonymity or privacy.

#19.1.1 eloyesp on 2020-09-21 05:58
The idea I've mentioned does not tie the traffic to Monero, just to random hashes that are useful for mining it. (See https://en.wikipedia.org/wiki/Hashcash). Also, the idea is not adding a big cost, just making it use more computer resources linked to data usage. The only valid usage I can think of that could be affected is a reporter uploading a video through Tor, which would be uploading much data and thus require more resources than those on a phone, and an onion service that serves video content. Any other usage would be unaffected (except maybe adding a little bit to the electric bill, hardware wear, or browsing a bit slower).

#20 eloyesp on 2020-09-21 06:04
Do https://gnunet.org/en/ and https://secushare.org/ have the same problems, or are those valid solutions to the mentioned issues?

#21 questioner on 2020-09-21 06:26
First of all, thank you for the information, as I find it interesting, fascinating and above all helpful. Although I have a question which is buzzing in my mind regarding the creative DDoS attackers who attacked your HS. You said that they were somehow able to keep identifying the IP address of your guard node. Do you have any idea how they were able to do this?

#21.1 Dr. Neal Krawetz on 2020-09-21 07:11
Hello questioner,
It's the same volume analysis. They are a relay. They generate traffic to my hidden service and can associate their traffic volume with a path. With Tor, there are 3 hops between you and an exit, but 6 hops between you and a hidden service. As the attacker, they know the first three hops, so they can rule those out. Their last hop (#3) is connecting to my last hop (#4), so they can identify that host's IP address. That just leaves two unknown hops: my guard and my relay. If they own the relay (hostile relay) then they know my guard and can DDoS it, forcing me to choose a new guard.

#21.1.1 unknown001 on 2020-09-21 07:41
Thx for finally answering my question you've been ignoring.

#21.1.1.1 Dr. Neal Krawetz on 2020-09-21 07:56
Hello unknown001,
"Ignoring"? This question was posted at 06:26. I woke up at 06:32, and I responded at 07:11. While I try to respond to questions, I often don't have time to give everyone individual replies. If the question is not explicit, clearly written, and easy to understand, then I won't try to interpret what was being asked.

#21.1.1.1.1 questioner on 2020-09-21 09:52
Well, doesn't your relay change after each attack?
1. If it doesn't change, then this should be changed in the Tor architecture. But even so, don't they need at least 2 Tor nodes? One as the relay and one as the guard, so they can identify you?
2. With 2 Tor nodes, one as a relay and one as a guard, how would they be able to identify that exactly your HS connected to their guard node? By sending traffic to your IP and checking their guard node?
3. If it does change, then it means that they'll have to own the relay (hostile relay) every time your Tor daemon restarts, which requires much more than 1 malicious Tor node in their possession. Is there something I'm missing?

#21.1.1.1.1.1 Dr. Neal Krawetz on 2020-09-21 10:07
Hi questioner,
The attack wasn't fast -- it took months for them to find my address. Sometimes my service would be up for a week before the guard would come under attack. Other times, it would be hours. This attacker also ran multiple Tor nodes. I eventually identified 28 nodes associated with this group, but it could have been many more.

#21.1.1.1.1.1.1 questioner on 2020-09-21 11:05
So he was trying to eventually get your chain onto 2 of his nodes, 1 as a relay and 1 as a guard, and after months he achieved that and localized your IP?
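The 76%^n arithmetic in the reply to joseph (#12.1) and the hostile-relay discussion with questioner (#21.1 onward) both reduce to repeated independent draws against a hostile fraction of relays. The following is an added example, not code from the blog or from the Tor Project: a small exposure calculator that assumes, as the thread's arithmetic does, that each circuit picks its relay independently with hostile probability p and that circuits rotate every 10 minutes (a stylised model; real Tor path selection weights relays by bandwidth and keeps guards persistent, which this ignores).

```python
"""Exposure calculator for the 24% / 76%^n arithmetic in the comment thread.

Added example; not code from the blog post or the Tor Project.
Model assumption: every circuit built by the onion service picks its relay
independently, and a fraction `p` of candidates belongs to the hostile
cluster (the thread uses p = 0.24).  Circuits are assumed to rotate every
10 minutes, as the reply to "joseph" states.  This is a stylised model, not
Tor's real path selection (no bandwidth weighting, no guard persistence).
"""
import math
import random

ROTATION_MINUTES = 10  # circuit lifetime assumed in the thread's arithmetic


def _check_fraction(p: float) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"hostile fraction must be in [0, 1], got {p}")


def p_safe(p: float, n: int) -> float:
    """Probability that none of n independent relay picks was hostile: (1-p)^n."""
    _check_fraction(p)
    if n < 0:
        raise ValueError("number of circuits must be non-negative")
    return (1.0 - p) ** n


def p_unsafe(p: float, n: int) -> float:
    """Complement of p_safe: at least one of the n picks was hostile, 1-(1-p)^n."""
    return 1.0 - p_safe(p, n)


def circuits_to_reach(p: float, target: float) -> int:
    """Smallest n such that p_unsafe(p, n) >= target.

    Solves (1-p)^n <= 1-target for n and rounds up to a whole circuit.
    target == 0 needs no circuits; p == 0 never reaches a positive target;
    target >= 1 is never reached in finitely many draws, so both raise.
    """
    _check_fraction(p)
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    if target == 0.0:
        return 0
    if p == 0.0:
        raise ValueError("with no hostile relays the target is never reached")
    if p == 1.0:
        return 1
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p))
    # Correct for floating-point rounding in either direction.
    while p_unsafe(p, n) < target:
        n += 1
    while n > 1 and p_unsafe(p, n - 1) >= target:
        n -= 1
    return n


def minutes_to_reach(p: float, target: float) -> int:
    """Wall-clock minutes until the cumulative compromise probability reaches target."""
    return circuits_to_reach(p, target) * ROTATION_MINUTES


def exposure_table(p: float, circuits=(1, 2, 3, 6, 12, 36, 144)):
    """Rows of (minutes elapsed, P(unsafe)); 144 circuits is one day of rotation."""
    return [(n * ROTATION_MINUTES, round(p_unsafe(p, n), 4)) for n in circuits]


def simulate_unsafe(p: float, n: int, trials: int = 20_000, seed: int = 1) -> float:
    """Monte Carlo check of p_unsafe: draw n relay picks per trial and count the
    trials in which at least one pick fell in the hostile cluster."""
    _check_fraction(p)
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    hits = sum(1 for _ in range(trials) if any(rng.random() < p for _ in range(n)))
    return hits / trials


def main() -> None:
    p = 0.24  # the hostile fraction discussed in the thread
    print(f"hostile fraction p = {p:.0%}")
    for minutes, unsafe in exposure_table(p):
        print(f"  after {minutes:5d} min: P(unsafe) = {unsafe:.4f}")
    for target in (0.5, 0.9, 0.99):
        print(f"  {target:.0%} chance of having hit a hostile relay after "
              f"{minutes_to_reach(p, target)} minutes")
    print(f"  Monte Carlo check, n=2: {simulate_unsafe(p, 2):.4f} "
          f"vs analytic {p_unsafe(p, 2):.4f}")


if __name__ == "__main__":
    main()
```

Changing `p` shows how the picture shifts with the hostile share, and the thread's onionbalance point (a load hitting one of three backends) is a further 1/3 factor applied per circuit on top of this.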
#22 questioner on 2020-09-21 11:07 (Reply) How could they locate your guard node if the relay of the circuit didn't happen to be compromised? #22.1 joedoe47 on 2020-10-05 22:28 (Reply) well a key detail he said is they didn't really know it was his gaurd node. So red team probably got a few large amount of public IPs and started getting as many guard node IPs as they could through something like azure, aws, etc and then start hammering at a few of the guard nodes and then see what it took out. Unless red team had access to ISP level tools and then monitor his connection to the guard node. Or easier yet just sneak up to his house while he is away and just flat out tamper with the outdoor ISP connection to his house. It really depends what red team had to work with. #23 joedoe47 on 2020-10-05 22:20 (Reply) "They just didn't know that this specific address was mine. As it turns out, this is an open secret among the internet service community: You are not anonymous on Tor." I'm sorry but isn't this a contradiction right off the bat? how can you not be anonymous but the people doing a DDOS not know a specific address is yours? If your not anonymous then they should be able to find you and specifically get you. This sounds a lot like the 51% "bug" that can't really be defended against. (but is still an issue with projects like tor and many cryptocurrencies; no one should be able to randomly or semi-randomly throw rocks at the side of a wall and break your window if I sold you a wall that protects/hides said window well) its also not hard to imagine a world where ISPs (and potentially other 3rd party orgs like law enforcement agencies in "overthereastan") share this kind of data among one another, sure. But lets be real a total and global god's eye view is impossible. Do I really need to sit here and explain how certain countries have in mind politics over policing the world? 
There is probably a god eye of sorts and in various countries they probably would report people for visiting a "bad website/link", of course. I mean it happens even in the "better" countries like the US in some cases and it sure as heck happens in worse countries like [name a country]. and well frankly in "overthereastan" they have larger problems than just simply being able to access XYZ information thats illegal. Tor has acknowledged if I am not mistaken that they need to really push more into obfuscation with tools like OBFSv3 for example. They also made a talk about how their software is literally useless in some situations where "overthereastan" flat out shuts down the internet and starts doing inhuman things. in which case regardless of how you, I, or the guy next door change Tor or any anonyminity program; it won't serve the poor farmer in "overthereastan" who is guilty of "wrongthink" and got his hand cut off for simply saying the wrong thing or at times just existing. Which is why we need to invest a lot more in stenography and obfuscation. (which I personally am looking into for fun, although I am no cryptographer but I love games of chance) Out of curiosity have you looked into this also? do you think that making things like OBFS more of a standard than an optional plug in would address some of these issues? I'm honestly more worried about that farmer that got mercked for just existing. I could care less if the police/ISP see that I host a blog or whatever on tor or if the local kids want to prank me. Don't misunderstand or misread this as an angry comment, your issues are valid. I don't think we can totally fix them but you know its worth a shot. If there is someone that needs to be coaxed with donations over at tor project or something you think we can do, let us know. #23.1 Dr. Neal Krawetz (Homepage) on 2020-10-06 07:16 (Reply) Hello joedoe47, Every hidden service has a ".onion" address and an IP (IPv4 or IPv6) address. 
The people doing the DDoS knew my ".onion" address, but not my IP address. This permitted him to do the DDoS over Tor. The people watching the network traffic knew the IP address, but not my ".onion" address. They saw the IP address under a DDoS attack over Tor and they knew it was a hidden service (.onion). However, they did not know which ".onion" address was at the IP address and they did not know that the IP/.onion address belonged to me. Hence, "They just didn't know that this specific address was mine." #23.1.1 joedoe47 on 2020-10-07 05:53 (Reply) so they blindly shot at a bunch of IPs and co-related that your hidden service was in one of those IP addresses. okay. I mean it doesn't sound like a big problem honestly. For China, Russia, [insert evil American corporation here bent on world domination here] its easier for them to block all tor, i2p, zeronet, freenet, gnunet, ipfs connection rather than to take pot shots at guard nodes. this bold wide spread move will stop a hidden service or stop people from accessing anything I don't want them to access in one fell swoop. If I am a large adversary why would I waste time and resources ddossing to find a needle in a haystack when I can block everyone and then simply terrorize my own people to assert my "supreme God given authority"? #23.1.2 joedoe47 on 2020-10-07 06:06 (Reply) actually upon more thought, would it not be easier for me to just copy what the military, nintendo, and the cia do and just occasionally feed users false top secret information and see what leaks out? User one. fake secret 1a User two. fake secret 1b User three. fake secret 1c User four. fake secret 2a User five. fake secret 2b User six. fake secret 2c This way regardless of how the fake secret information is leaked out, I will know exactly who spilled the beans and who needs to be... re-trained. it works to great effect. #24 Yo on 2020-11-19 17:48 (Reply) Amazing write up. Seriously enjoyed reading this. 
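The per-recipient "fake secret" scheme described in #23.1.2 is a canary trap. As an added example that is not code from the post or from Hacker Factor, the Python below gives each recipient a unique combination of wording variants across independent slots and maps a leaked copy back to the recipients it could have come from; when a slot has been paraphrased or cut, it narrows to a candidate set instead of guessing one name. The memo text, slot phrases and recipient names are constructed for the example.

```python
import itertools

# Constructed sample memo with three independent "slots". Each slot has
# several interchangeable wordings; a recipient's copy is the tuple of
# variant indices chosen for them, so m variants over k slots can tell
# apart up to m**k recipients (3**3 = 27 here).
SLOTS = [
    ("the Q3 figures", "the third-quarter figures", "the Q3 numbers"),
    ("were finalised on Tuesday", "were finalised Tuesday", "got finalised on Tuesday"),
    ("by the finance team", "by Finance", "by the accounting group"),
]
TEMPLATE = "Reminder: {0} {1} {2}; do not circulate."


def assign_codes(recipients):
    """Give every recipient a distinct variant tuple, one index per slot."""
    codes = itertools.product(*(range(len(s)) for s in SLOTS))
    assignment = {}
    for name in recipients:
        try:
            assignment[name] = next(codes)
        except StopIteration:
            raise ValueError("more recipients than distinguishable copies")
    return assignment


def render(code):
    """Produce the memo text for one recipient's variant tuple."""
    return TEMPLATE.format(*(SLOTS[i][v] for i, v in enumerate(code)))


def decode(leaked_text, assignment):
    """Return the set of recipients whose copy is consistent with the leak.

    A slot is recognised only if exactly one of its variants appears; a
    slot that was paraphrased, cut or is ambiguous becomes a wildcard, so a
    partial leak yields a candidate set rather than a wrong single name.
    """
    observed = []
    for variants in SLOTS:
        hits = [v for v, phrase in enumerate(variants) if phrase in leaked_text]
        observed.append(hits[0] if len(hits) == 1 else None)
    return {name for name, code in assignment.items()
            if all(o is None or o == c for o, c in zip(observed, code))}


if __name__ == "__main__":
    people = ["user1", "user2", "user3", "user4", "user5", "user6"]
    table = assign_codes(people)
    print(decode(render(table["user5"]), table))   # full copy -> {'user5'}
```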
Copyright 2002-2022 Hacker Factor. All rights reserved.