Attacking and Defending the Tor Network
Trailrunner7 writes "In a talk at the USENIX LEET workshop Tuesday, Nick Mathewson of the Tor Project discussed the group's recent challenges in responding to suppression efforts by governments in Egypt, China and elsewhere. What the Tor members have learned in these recent incidents is that while governments are becoming more up front about their willingness to shut off Internet access altogether or censor content, users are also becoming more resourceful. Mathewson said that the group is working on methods for alleviating the problems that national-level restrictions cause for Tor users. One method involves moving to a modular transport method in order to get around some of the throttling that ISPs perform on encrypted traffic in order to make Tor usage more difficult. In a separate talk at LEET, Stevens LeBlond of INRIA in France presented research on methods for tracing Tor users back to their IP address. One of the attacks, which LeBlond and his co-authors titled 'Bad Apple,' used an exit node that the researchers controlled in order to trace the streams of data sent by users of BitTorrent over Tor back to their IP addresses."
Information Is Like Water (Score:2)
Re: (Score:2)
And like water it can get flavored or poisoned as it goes through. Or it can just get completely frozen.
Re: (Score:3)
So... Are you saying "You can't stop the signal"?
I tried Tor.... (Score:3)
... and it was too slow to do anything at all.
meh...
Re: (Score:2)
I dunno what you were doing wrong. It's fine for web surfing as long as you don't try to run videos through it.
Re: (Score:3)
Really? I found that even using slashdot takes like 30-60 secs just to load the one page I'm trying to look at... I click something to move forward in my surf, and there goes another 30-60 seconds. Without tor it's like 1 second. I'm just too busy/impatient/american to wait so long after each click. Anyway, I just go without and tell myself that I'm not as interesting as I might think I am. This has worked so far.... oh wait, there's a knock at the door... brb.
Re: (Score:2)
Even when I surf Tor on my PDA via SSH tunnel to one of my Tor nodes, pages generally load in under 10secs...are you going through a caching proxy server (like Polipo) to Tor or directly to Tor? Connecting directly to the Tor proxy itself with your browser is going to be slower and more unreliable.
Re: (Score:3)
If you're going through a proxy server to get to Tor, the proxy server knows your IP and everything you've browsed. This defeats the purpose of using Tor.
Re: (Score:3)
You misunderstand. The proxy server runs on the same box as Tor (Polipo is installed with Tor by default on the 'buntus and Debian). The caching proxy server is used to smooth out Tor's unreliability. If anyone can see what your proxy server is doing you have much bigger problems.
Re: (Score:2)
Oh right. It was privoxy last time I tried Tor, but whatever. Don't see how much that will really help, since the caching proxy can't know what you're going to want to see in the future. The first time you access any resource will be as slow as plain Tor.
Re: (Score:2)
Polipo also works like a download accelerator, which is a big help over Tor.
Re: (Score:2)
Exactly. They recommended Privoxy in the past, because it worked, but it didn't do any favors for performance. I used it then, and it was indeed terrible. Polipo is not designed with privacy concerns in mind, but focuses on performance. No, it's not going to magically make Tor un-slow, but it will make the most of a low throughput high latency network. I recently tried out Tor with Polipo, and it was impressively better. It could be that the Tor network has improved, but I'm crediting Polipo.
I read s
Re: (Score:2)
If you seriously want to deal with everyone accessing everything through your IP address, be prepared for a world of pain, particularly as a private individual where people will automatically assume you are the guilty one. Honestly, TOR is better off when the system is closed and everything is on .onion sites. There's much less hassle for everyone involved that way.
Re: (Score:1)
That is why more and more .onion sites pop up every day and Freenet, I2P and others exist. It is a lot harder to identify the owner of the server. In these cases Tor exit nodes don't matter. Everything goes through relay nodes. Relay nodes don't really have anything to worry about. To send to a relay node you have to be the one doing the requesting and given the way the service is advertised it is unlikely the police would go after relay node operators. Doing so would be pointless. Stupidity is the main thin
Re: (Score:2)
Secondary problem: the ISPs in the US are actively pursuing policies (Comcrap and AT&T's "monthly bandwidth cap" crap for instance) that make it very painful to use Tor in other senses.
Make yourself an exit node and watch your traffic skyrocket...
Re: (Score:2)
The last time I looked, you could limit how much bandwidth you were willing to share. If your overall bandwidth skyrockets after installing Tor or some similar program, then you've failed to RTFM, and to properly configure the program.
Re: (Score:2)
That's what I2P is for. No exit nodes, purely internal. It has a number of neat architectural differences from Tor to make it harder to attack and to improve performance. Also, for those who care, unlike Tor, I2P doesn't try to block filesharing.
Downsides: I2P is Java, so it eats more CPU. Also, it has a smaller userbase, meaning it's been less studied and isn't as resistant to takeover-style attacks like Sybil. And, obviously, you don't route to the outside world from I2P.
Re: (Score:2)
How exactly does tor attempt to block file sharing? Aside from recommending against certain things like bittorrent (which is pretty pathological on the tor network for various reasons, the designs just do not play nice with each other), I am unaware of any such attempt.
In fact, I believe there are a few file sharing sites in .onion space. I don't use them, but I am pretty sure I have seen them.
Re: (Score:2)
Default exit policy: Link [torproject.org]
Re: (Score:2)
From the same FAQ answer:
"keep in mind that, any port or ports can be opened by the relay operator"
Of course, by default, p2p services tend to be blocked, but even the original article mentions that many p2p programs present problems for anonymity, even with tor. Also, these programs tend to open A LOT of connections.... which tends to be a problem.
They also tend to be services that are more likely to cause problems for exit node operators.
All that said, like the FAQ says, any operator of an exit
Re: (Score:2)
Also....
Just for one service...this took all of another 10 seconds to find:
https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea [torproject.org]
You think other services don't have similar problems?
Re: (Score:2)
And here's another good reason why Bittorrent shouldn't be allowed over Tor:
http://www.chrisbrunner.com/2006/07/09/why-you-shouldnt-run-bittorrent-over-tor/ [chrisbrunner.com]
Re: (Score:2)
"No exit nodes,"
You're sure? I'll have to look again, to be sure, but I think that it actually does support exit nodes. The problem is, no one actually creates an exit node.
Re: (Score:2)
I happen to mostly agree but...
I also ran a tor exit node from my home for a while. Not recommended for a few reasons, but I did. The worst that ever came from it? I found that I couldn't use my IP to post on craigslist anymore. Never heard a peep from my ISP (was comcast at the time), nothing.
Re: (Score:1)
Chalk this up to "This is why we can't have nice things."
I ran a tor exit node, and I was pretty interested in seeing what was being accessed, so I ran it through squid.
And now, I don't run a tor exit node because as far as I can tell, unless I just got all the deviant-redirected traffic, it's not being used for much, if any, good. And I was just redirecting http traffic!
*Now, this only meant I could see what was being accessed. I still couldn't see who/where was accessing what, just looked through the ac
Re: (Score:2)
If you had looked deeper, you would have found an incredible quantity of passwords being sent in plaintext to login to websites that don't use SSL.
Re: (Score:2)
...and have tons of pedophile content routed through his computer? That doesn't sound safe.
Even if the TOR network is used for more legitimate goals, of which I am aware, that risk can be too much if your IP happens to be involved in some way.
Re: (Score:2)
I've found Tor to be slower than an unencrypted direct connection made through standard ports. I'll give you that much. But, Tor's usefulness isn't measured in speed. It's measured in anonymity. Think about it - one doesn't buy a 60 horse John Deere tractor for street racing. Why would you "buy" Tor for speed surfing?
Now, if you care to see something that is really slow, you should look at I2P. It's far more anonymous than Tor - and it's also much slower. Go on, test drive it, for educational purpose
Never 100% safe (Score:5, Insightful)
I guess that the research demonstrated by Stevens LeBlond just goes to prove what most of us have known for a long time - even using TOR (and the same will go for any other type of encryption, IP masking etc) you are not 100% safe if somebody wants to work out who you are. The governments may not care too much if you are just sharing a few pirated movies around, although some companies may, but I can guarantee that those carrying out the real illegal activity, such as sharing child-pr0n, will be tracked down one way or another.
All that TOR does is provides people who aren't really that switched-on with a false sense of security about their activities.
Re: (Score:2)
My biggest concern with your entire posting is not being referred to as "some asshole on slashdot", it's the fact that you talk about downloading 10000 CP videos and then later on say that those who got caught were the ones who downloaded the 'sick shit'. How the hell do you define that? ANY CP is the 'sick shit'. There's no grading whereby some of it is OK, some of it is dodgy and some of it is bad - it's ALL bad!
Re: (Score:2)
I'm curious: what if someone downloaded 10000 videos of people being shot by their governments? Would that be sick shit? Would it be bad? Would they become responsible for the deaths of thousands? (I'm not talking about Hollywood movie clips, I'm talking about, say, amateur video of street protests being repressed violently.)
Re: (Score:2)
Careful with that username/post combo :P
Re: (Score:1)
I don't think that he meant what you meant. He meant that he could safely download it using TOR without fearing to be caught. That is not a statement that he will do that or that he wants to do that. And then he writes that the ones getting caught were probably buying the sick shit or downloading it from a central location such as limewire.
Since he wrote "that sick shit" he probably would never dl any of it, how did you fail to get that?
Re: (Score:2)
While I'm not AC, I think the difference wasn't between CP and 'sick shit', but between those who download and those who bought. It's obvious that a money trail makes it much easier to follow.
Re: (Score:2)
those who got caught were the ones who downloaded the 'sick shit'.
No, he said bought, as in "with their own credit card".
It's sick shit either way, it's the people dumb enough to pay for it who get caught.
Re: (Score:2)
1) Tor and other such networks have several *known, unresolved* vulnerabilities. Whenever you hear about something like this, you should read it as "another vulnerability discovered". One of the biggest problems such networks have is Sybil attacks, but they're hardly the only ones.
2) While it's technically possible to fileshare over Tor, it is discouraged and they do attempt to block it. If you want to do filesharing, you should be on I2P (which is also faster than Tor -- although still nothing you'd cal
Re: (Score:2)
On the one hand, these researchers are (admirably) trying to circumvent censorship put in place by repressive regimes. Of course, these regimes do not even care about Tor as they do not have the resources to attack it. Tor-Schmor, they will just throw a switch and cut off all internet access, period. On the other hand, we have sophisticated western organizations like the CIA and FBI that are hellbent on breaking Tor for the
Re:Never 100% safe (Score:4, Insightful)
The problem with anonymity, of course, is that it can be used for good or for bad.
Then the solution is clear! We must only allow things that can only be used for good!
Re:Never 100% safe (Score:5, Informative)
The attack relies on the way Bittorrent is used and the fact that it uses UDP for contacting peers (which Tor doesn't route, causing only the tracker connection to be Torified), causing an information leak; controlling an exit node to do a MitM; and the fact that Tor multiplexes multiple streams through the same node for performance reasons (meaning you can observe all the traffic that someone is sending through your exit node, once you've established who they are).
This attack won't work on you if:
1. You are only using one app, in particular it won't work on you if all you're using is a browser and TorButton
2. The same app is not sending data across both Tor and no-Tor
3. The app in question can detect tampered-with data (SSL cert mismatch, etc.)
4. As a precautionary measure, you are doing strict firewall egress filtering while using Tor.
In short, if you are technically knowledgeable and careful, this attack doesn't apply to you. So, it's not the end of the road for Tor and anonymity, although it's a problem for "regular" people using Tor who can't be expected to keep track of all the ways their computer can unmask them.
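Item 4 above (strict egress filtering while Tor is running) is the one mitigation that closes the UDP side channel for every application at once. The script below is an added example, not from the post or from the Tor Project: it only lets the Tor daemon's own user originate traffic, and logs then drops anything else. It assumes a Linux host with iptables (owner and LOG matches) and that Tor runs as the user in TOR_USER ("debian-tor" is the Debian package default; adjust for your system).

```shell
#!/bin/sh
# Added example (not code from the thread or the Tor Project).
# Strict egress filter for a Tor client host: only the process running as the
# Tor daemon's user may open outbound connections. Any other application that
# tries to reach the Internet directly (the kind of leak the Bad Apple attack
# exploits, e.g. BitTorrent's UDP peer traffic) is logged and dropped.
# Assumptions: iptables with the owner and LOG matches; Tor runs as $TOR_USER.
# Set IPT=echo to preview the rules instead of installing them.
set -e

TOR_USER="${TOR_USER:-debian-tor}"   # assumed daemon user; Debian default
IPT="${IPT:-iptables}"

apply_egress_rules() {
    # Start from a clean OUTPUT chain and default to dropping everything.
    "$IPT" -F OUTPUT
    "$IPT" -P OUTPUT DROP

    # Loopback stays open: the browser talks to Tor's SOCKS port on localhost.
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Replies for connections that were accepted inbound (e.g. your own SSH
    # server). Nothing here lets a local app *initiate* a connection.
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The Tor daemon itself is the only principal allowed to originate traffic.
    "$IPT" -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT

    # Everything else is a potential deanonymising leak: record it, then drop.
    # UDP gets its own rule so DHT/tracker-style leaks stand out in the log.
    "$IPT" -A OUTPUT -p udp -j LOG --log-prefix "tor-egress-udp-leak: "
    "$IPT" -A OUTPUT -j LOG --log-prefix "tor-egress-leak: "
    "$IPT" -A OUTPUT -j DROP
}

# Number of rules the filter appends (handy for a dry run / sanity check).
rule_count() {
    ( IPT=echo; apply_egress_rules ) | grep -c -- '-A OUTPUT'
}

case "${1:-}" in
    --apply)   apply_egress_rules ;;
    --dry-run) ( IPT=echo; apply_egress_rules ) ;;
esac
```

Run with `--dry-run` first and watch the kernel log for `tor-egress-leak` entries: each one names a program that would have bypassed Tor.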
Re: (Score:2)
There are just so many ways you can bust people using Tor. Here's just some [events.ccc.de]. Any dedicated professional organization -- the RIAA, MPAA, CIA, China, etc -- can find you if they think it's worth their time and effort. Spending the resources to catch one person obviously would rarely be worth it, but the real concern is whether they feel it's worth it to lay down a blanket exploit to catch as many people as possible so they can filter through the ones they want to expose at their leisure.
Here's an example of
Re: (Score:2)
This is mainly effective against a hidden service, not an individual doing single posts or sending messages from time to time like presumably is happening in Iran or Egypt. Like, sending an email, posting a twitter, checking a website. And running Firefox+Torbutton with Javascript and plugins turned off mitigates many of these problems, except the DOS and Sybil attacks.
Re: (Score:2)
Well DUH...
If they control an exit node, it stands to reason they could follow the data back at the very least one node. This is the same as breaking AES: possible, if you can access the system, and run some custom code on it...
Re: (Score:2)
hahahahahahahaha...
Seriously, you think governments are more concerned with child porn than copyright infringement? Clearly you haven't been paying much attention to what laws have been being passed lately....child porn is something they say they're working on to make people feel good. Copyright infringement is something they actually work on, because the people pushing that have enough money to make sure things actually get done.
Re: (Score:2)
Only if you use a disposable computer. IP addresses are not the only way to identify someone.
Re: (Score:1)
I thought all computers were disposable.
Re: (Score:2)
And make sure you clear the router DHCP and wireless logs before you leave.
Or really, make sure you connect with a fake MAC address. Preferably a different one every time.
Otherwise you could have just been honeypotted.
Imagine this:
Someone runs a honeypot open/WEP wireless point, looking for people trying to break in and do illegal shit.
The WAP logs all connection attempts from unknown MAC addresses. When one pops up, it starts silently monitoring all traffic from that MAC. Analysis of traffic finds terro
Re: (Score:2)
You must have a lot of faith in Slashdot's anonymity. More than I would have.
Re: (Score:2)
You're new here, aren't you? Do you think somebody would post a comment like that if he/she had actual child porn?
What we have here is a troll. Nothing more.
Re: (Score:1)
...Child porn on Slashdot.... More original than the Goatse troll, but still nothing new or original. Worse stuff on
On a lighter note, Googling "tara child porn arrest" gives http://www.fbi.gov/atlanta/press-releases/2009/at030509.htm [fbi.gov] which says that he was already busted WOOHOO!
Re: (Score:2)
What makes you think you need to break crypto to crack Tor? Have you never bothered to do a google search on Tor's known and unfixed vulnerabilities? Here's a top hit [events.ccc.de].
Re: (Score:2)
Depends on your definition of "broken". Tor tries to do more than obscure what you are sending. Anyone who has an exit node can sniff your traffic unencrypted... anyone with enough middle nodes is likely to own a whole circuit of yours eventually.
Even without enough to get your whole circuit, packet timing on the end server could be enough, if they have your entry node, to tie the whole connection back, even without the middle hops.
I am sure there are even more clever attacks....none of which involve actual
integrate Tor and Incognito Mode? (Score:3)
I'd like to see better integration with Tor and Chrome's Incognito Mode. Normal plain-jane internet route for all my apps, but route all incognito traffic through Tor. Otherwise, I find it a pain in the rear (not to mention more error prone) to keep toggling OSX between "performance mode" and "tinfoil hat mode." Doesn't really matter what I'm viewing in tinfoil hat mode, I just would rather have the same kind of barriers on my local cookie/history storage as I have out in the world.
One word (Score:2)
Re: (Score:2)
Not if you want to use public keys to confirm identity.
"Security through obscurity." (Score:2)
Steganography. Make it impossible to determine what traffic is encrypted by embedding the encrypted traffic as noise in, say, a video extolling the virtues of the dictator.
and when the secret police begin asking the right questions about the source of the video, what then?
Steganography is all about blending into the background.
Not drawing attention to yourself.
clandestine exit nodes (Score:1)
everywhere
supported by western governments
you would be correct to assert that western officials have their heads up their asses and won't immediately grasp that tor is a friend, not an enemy, and an excellent way to bring down beijing, tehran, havana, and harare cheaply. but they'll warm up to the possibilities
Re: (Score:2)
an excellent way to bring down beijing, ... havana,
People in China are generally enjoying a steadily rising quality of life, regardless of how politically repressive the state may be. Revolutions don't happen because some blogger got arrested or a site was blocked. If anything will cause real unrest there, it will be the sort of falling wages that caused Tiananmen.
People in Cuba are well educated and free from disease and starvation. Unlike China, the internet isn't very prolific and is difficult to use at all. They really can't even use Tor because the USA
Re: (Score:1)
cuba jails political prisoners. period. do you find that acceptable?
iraq and afghanistan's governments are obviously orders of magnitude better than the governments they replaced. true or false?
i really don't have a problem with people who criticize the usa. what drives me nuts are morons who make out the usa's enemies as better than they really are, out of some misguided sense of false equivalency. the usa does plenty wrong in this world. true. but if that observation changes your perception of the usa'ss
Re: (Score:2)
Yup. Though, I tend to include the USA's rather broken form of "Democracy" on the "nondemocracy" list.... a lot of people don't get.... I ONLY criticize the US (generally). It's not that I think Cuba is great... or that China is wonderful (but truth be told, they seem to be way more open and making a lot more progress towards openness than I ever would have predicted 10 years ago, never mind 20.... not giving them a pass, just, some credit for improvement).
I always get "Where would you rather live". Nowhere, I
Re: (Score:1)
Reading this I feel the US is going to have some revolts very soon.
In America we are technically still better but we are falling very very fast. In China the country is much poorer but they are rising and getting better. If wages fall people protest and the problems at home are always the issue that drives people first regardless of whether the government is a democracy or a dictatorship.
I am not a tea partier or anyone who hates Obama, but how many banks will we keep bailing out, how many more jobs must we outsource,
Re: (Score:2)
Considering TOR was an invention of the US Navy, you'd assume that the military, at least, considers it a boon.
Re: (Score:1)
thanks for your input, crackpot
One Bad Apple (Score:3)
Recently discussed on Bruce Schneier's blog ("Identifying Tor Users Through Insecure Applications"):
http://www.schneier.com/blog/archives/2011/03/identifying_tor.html [schneier.com]
oblig. (Score:2)
IP over Avian Carrier could bypass the problem entirely! http://www.faqs.org/rfcs/rfc2549.html [faqs.org]
Re: (Score:3)
Only because the criminals didn't protect the pigeon's identity by having them wear masks and spandex tights during their flight.
TOR needs more intermediate nodes too! (Score:2)
I used to think that it's the lack of exit nodes that makes TOR somewhat slow until I tried some internal services, i.e. *.onion. So I proceeded to configure an unthrottled intermediate node on a box with a 100/100 Mb/s connection. After 1-2 weeks of warming up, the node routed over 1 TB of traffic _daily_. As my monthly cap is 5 TB, I had to throttle it, unfortunately.
TL;DR: If you have spare bandwidth and want to help the TOR network without the potential risks of an exit node, please set up an intermediat
Re: (Score:1)
Ugh. Goatse. You asshole.
Re: (Score:2)
Ugh. Goatse. You asshole.
UID >2000000 and blog.com. Coincidentally the same problem with anonymous networks, except it's more extreme there. No, goatse is not the worst you can see.
Re: (Score:3)
hello.jpg EXIT! DO NOT CLICK.
Hopefully this does more help than a mod down.
Re: (Score:3)
Ohoho, nice try, but you won't goatse me today! ;)
Re: (Score:2)
Rest assured, your webcam WAS recording. Just not to your hard drive.
Because "One bad apple spoils the bunch" as the old saying goes.