[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <589e556c0606191544s67521498jfc5c935f3cd7ebdb@mail.gmail.com>
Date: Mon Jun 19 23:44:30 2006
From: mooyix at gmail.com (Brendan Dolan-Gavitt)
Subject: Re: Is there a way to trace back Tor user
On 6/16/06, Bruno Wolff III <bruno@...ff.to> wrote:
>
> On Thu, Jun 15, 2006 at 09:33:12 -0400,
> Brendan Dolan-Gavitt <mooyix@...il.com> wrote:
> > This is covered in the Tor FAQ:
> >
> http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#head-a79d22244cc04ca5472832cbcc315198b875f34c
> >
> > The best attack that I know of right know involves measuring latency to
> each
> > Tor node and correlating that with transmissions at the destination
> server.
> > The latency goes up on those nodes carrying the traffic to the
> destination
> > server when that server is transmitting data, allowing the attacker to
> > determine the path through Tor (though not the original source of the
> > traffic). See "Low-Cost Traffic Analysis of Tor" for more details:
>
> There can be other attacks in special cases. Tor users are rare and if you
> know some other information about them (like that they are a user on your
> network) then it might not be too hard to figure out who they are.
>
> I used this idea a long time ago to figure out who sent an anonymous
> threat
> to one of our users through anon.penet.fi remailer. They were the only
> user on our system to have sent email to that remailer at a time close to
> when the threat message was received.
>
This sounds basically like an intersection attack--you take the set of
anonymous users active at the times you're interested in, and intersect them
to find out which user it was. Intersection attacks are still an open
problem for every anonymous network that I know of, but they still require
some outside knowledge that isn't usually available to an attacker--namely,
the set of people connecting to Tor at any given time. If you run a corrupt
Tor node and log the IPs of people who connect to you, there's a good chance
that eventually you'll get the information you want--but as the Tor network
grows, your chances get worse and worse.
-Brendan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060619/28be14c3/attachment.html
Powered by blists - more mailing lists