Tor traffic confirmation attacks

I operate the apx family of exit nodes. [1]

It may be valuable to know that traffic confirmation attacks [2] are seemingly taking place. [3]

[1] apx1 apx2 apx3

[2] http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf

[3] Regular 30 second windows with around 1.8 Gbit/s - 2.1 Gbit/s of traffic on each of the exits which are also guards (apx1, apx2) while the exit which isn't a guard sees stable traffic of only ~1 Gbit/s (apx3). Circuits to hidden services include guards and middle nodes (rendezvous point). DDoS attacks against hidden services do not affect exit nodes unless they are also guard nodes.
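One way an operator can check their own relays for the pattern described in [3], as an added example that is not part of the original post: a Python script that finds runs of elevated bandwidth in per-relay readings and then tests whether those runs have a constant length and spacing. The relay names apx1, apx2 and apx3 come from the post; the bandwidth series are constructed here to mimic the numbers above (a 5-second sample interval, a ten-minute window and a 1.5x-median burst threshold are assumptions, not measurements).

```python
import statistics
from typing import Dict, List, Optional, Tuple

SAMPLE_INTERVAL_S = 5   # assumption: one bandwidth reading (Gbit/s) every 5 seconds


def synth_series(baseline: float, burst: float, burst_len_s: int, period_s: int,
                 offset_s: int, total_s: int, interval_s: int = SAMPLE_INTERVAL_S) -> List[float]:
    """Constructed bandwidth readings: a flat baseline with optional periodic bursts.
    period_s == 0 means no bursts at all. A tiny deterministic jitter stands in
    for normal fluctuation so the series is not perfectly flat."""
    samples = []
    for i in range(total_s // interval_s):
        t = i * interval_s
        jitter = 0.02 * ((i % 3) - 1)          # -0.02, 0, +0.02, repeating
        in_burst = period_s > 0 and t >= offset_s and (t - offset_s) % period_s < burst_len_s
        samples.append((burst if in_burst else baseline) + jitter)
    return samples


def find_bursts(samples: List[float], interval_s: int = SAMPLE_INTERVAL_S,
                factor: float = 1.5) -> List[Tuple[int, int]]:
    """Return (start_s, duration_s) for every run of readings above factor * median.
    The median is a robust baseline as long as bursts occupy a minority of the window."""
    threshold = factor * statistics.median(samples)
    bursts, start = [], None
    for i, value in enumerate(samples):
        if value > threshold and start is None:
            start = i
        elif value <= threshold and start is not None:
            bursts.append((start * interval_s, (i - start) * interval_s))
            start = None
    if start is not None:                       # burst still running at end of window
        bursts.append((start * interval_s, (len(samples) - start) * interval_s))
    return bursts


def periodicity(bursts: List[Tuple[int, int]],
                tolerance_s: int = SAMPLE_INTERVAL_S) -> Optional[dict]:
    """Summarise burst length and spacing; 'regular' means both vary by at most tolerance_s.
    Fewer than three bursts is not enough to call anything periodic."""
    if len(bursts) < 3:
        return None
    durations = [d for _, d in bursts]
    gaps = [bursts[i + 1][0] - bursts[i][0] for i in range(len(bursts) - 1)]
    return {
        "bursts": len(bursts),
        "duration_s": statistics.median(durations),
        "period_s": statistics.median(gaps),
        "regular": (max(durations) - min(durations) <= tolerance_s
                    and max(gaps) - min(gaps) <= tolerance_s),
    }


def assess_relays(relay_samples: Dict[str, List[float]]) -> Dict[str, Optional[dict]]:
    """Run burst and periodicity detection per relay; None means nothing periodic was found."""
    return {name: periodicity(find_bursts(s)) for name, s in relay_samples.items()}


# Constructed ten-minute window shaped like the numbers in note [3]: the two
# Guard+Exit relays show 30 s bursts near 2 Gbit/s, the Exit-only relay stays flat.
RELAY_SAMPLES: Dict[str, List[float]] = {
    "apx1": synth_series(1.0, 2.0, burst_len_s=30, period_s=90, offset_s=15, total_s=600),
    "apx2": synth_series(1.05, 1.9, burst_len_s=30, period_s=90, offset_s=15, total_s=600),
    "apx3": synth_series(1.0, 1.0, burst_len_s=0, period_s=0, offset_s=0, total_s=600),
}

if __name__ == "__main__":
    for relay, result in assess_relays(RELAY_SAMPLES).items():
        if result is None:
            print(f"{relay}: no periodic bursts")
        else:
            print(f"{relay}: {result['bursts']} bursts, ~{result['duration_s']:.0f} s long, "
                  f"every ~{result['period_s']:.0f} s, regular={result['regular']}")
```

In practice the readings would come from the relay's own bandwidth accounting rather than from synth_series. The script only establishes that the load on a relay is periodic; it says nothing about who is generating it, and the IRC discussion later in this thread disputes whether the guard-versus-exit comparison supports the confirmation-attack interpretation at all.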


Comments


[79 Points] None:

[deleted]


[18 Points] FrozenSignal:

I've been experiencing the same thing.

Creating a new onion circuit results in 3 US IPs for every single node in the circuit. I've been noticing this going on since last night.

There's no easy way I've found to contact Tor. You would think they would have a special support for something like this.

IF ANYONE FROM THE TOR PROJECT READS THIS PLEASE FOR FUCK SAKE CHECK THE US RELAYS IN THE NETWORK!

Something is going on!


[14 Points] 02dfe10:

i2p and Monero, people. This use case is pretty much exactly what these technologies were built to handle.

https://getkovri.org

Tor and Bitcoin should be considered compromised by now. Bitcoin addresses can be traced (trivial to do, actually), and Tor can be de-anonymized given enough resources.

New markets should not rely on these technologies.


[13 Points] MT_Merchant_Mangler:

Welp...they've got their decloaking method down. This RPG was fun while it lasted.


[7 Points] Tasmra:

Can you write about your observations on one of the Tor mailing lists? It would be interesting to see if others see the same effect. I will also check my nodes for similar patterns.


[6 Points] MandyThatGirl:

Can anyone recommend a good dark Web dating site?


[4 Points] wook_throwaway:

I asked about this on the #tor IRC, and either I don't understand OP's point or what he's suggesting doesn't follow from how the current network operates. Here is the convo, clarification from the OP would be great:

wook: Could you guys help me understand how regular bursts of increased traffic through guard nodes evidence confirmation attacks? https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks/?st=j5e8t72s&sh=1e4e02d9

pastly: You should ask that guy. It isn't obvious to me what his point is regarding his relays.

pastly: Especially since he thinks having the guard flag as an exit changes anything in the current network

wook: I am not an expert (hence my q), but I read it as 2 of the 3 nodes are dual-purpose, while the 3rd is just exit. I'm guessing node operators cannot see which function their node is performing, so the operator is inferring suspicious 'guard' activity is occurring based on the fact said activity is isolated to his two dual-purpose nodes (their activity differing from his third exit-only node). He is suggesting the suspicious activity may be confirmation attacks because of its regularity in time.

wook: Am I off-base though?

pastly: In the current tor network, a relay with the Exit flag will never be used as a guard by well-behaved tor clients even if it has the Guard flag too.

wook: OK so either he misunderstands how Tor and his nodes operate, or I misunderstand his point. Reddit can be so full of BS when it comes to the technicalities of Tor. Would you mind if I copy+pasted this chat to that thread to try and get clarification?

(this throwaway is so throwaway that I can't be bothered to save the password, so probably will be responding to this thread under a different name, if at all)


[2 Points] FrozenSignal:

Contacted Tor Devs and awaiting their response.


[3 Points] totallynottappedbro:

Noticing the same thing with multiple PCs in the US as well. All of them have US IP and no amount of removing / clearing cache or restarting Tor seems to shake them.

Find it kind of odd nobody has commented in this thread for 8 hours about what is a pretty big issue.

Open up Tor Browser and go to a site and click the onion icon and take note of the Tor circuit being used. I did some "backtracing" and all the US nodes I get like this are from Digital Ocean.


[1 Points] Wamboz:

This is bad


[1 Points] Frenchstery:

Surely if you're using a bridge you'd be safe right?


[1 Points] penguinmixer:

Mass deanonymization attacks on Tor are nothing new. Look up operation onymous.

Use public WiFi, not your home internet, and you'll escape the dragnet.

OK, so POSSIBLY if LE wants to catch you bad enough they will infect the local Starbucks router that you use with malware that will take advantage of an exploit in your wireless driver, or POSSIBLY they will review security camera footage from whatever WiFi spot you use. But probably not.


[1 Points] NoFreedomWoAnonymity:

defcon starting in a few days, maybe someone needs a PoC for their panel presentation? shrugs


[1 Points] fnufnir:

Honestly, a traffic confirmation attack is not very effective. They have to suspect you first to do a traffic confirmation attack. And even then, they just know you used a .onion site, maybe, with correlation to message size, what pages you saw (even less effective). It's cheaper to have you followed by people in the flesh than doing this on a global scale.

The only significant attack on Tor was the RELAY/RELAY_EARLY attack in 2014, which I have to say was clever (FBI paid $1M for that to CMU). It deanonymized onion sites for Operation Onymous. They still needed a sybil attack first (introduce many nodes to pull it off).


[2 Points] Notmyrealnameasshole:

So all this shit I've been led to believe that Tor and Tails is "The Shit" and you can't be found is all bullshit? Sounds as anonymous as Google when you add this to what's happened with those markets. I'm done risking my freedom, I just feel sorry for those people who depend on it to stay alive in shit countries if said countries can find them in 90 days or so.