Wouldn't your onion service uptime become correlated with the guard's uptime? DDoS probes as described in the OP plus some basic monitoring of known onion sites could discover onions paired with single guard nodes. And if I can become certain that the guard node is owned by the onion operator, you're one subpoena away from deanonymization.
>Wouldn't your onion service uptime become correlated with the guard's uptime?
Yes. This is happening on a fairly regular basis. ddos against a tor node in most cases is just trying to figure out someones IP address or guard node.
If you run a big darknet site dealing with things like drugs, CP, fraud, and you want to stay around for a while you need to run lots of nodes otherwise you will be pwned probably within hours. There is no point in doing that for legal onions sites like facebook because everyone knows their real operators.
Now when you run lots of nodes and at the same time a big website on the darknet you are in the perfect position to run traffic correlation attacks yourself.
There is some tutorial available which suggests using some deceptive methods to spoil such tracing efforts. For example when website A is going down you also shut down your site. Or when there is a big blackout of AWS US etc
Running your own guard is stupid unless you open it for the world to use.
If you're the only person using the guard, then the guard offers you zero anonymity.
And if lots of people use your guard, then make sure it doesn't violate your ISP's terms of service. (Most ISPs have a clause about residential customers not running public services.) Also, have a plan in place for when (not if) you receive legal notices about copyright infringement, child porn distribution, and other acts that could be criminal in your country/city.
As long as you're anonymous enough about it, I don't see why running your own [private bridge] is any less anonymous than using an unpublished bridge, or a snowflake proxy.
An adversary with lots of intercepts could certainly figure it out. But otherwise, how would anyone know?
And at least, it protects you from malicious guards.
Also, your point about violating a residential ISP's ToS is troubling. Because nobody in their right mind ought to be running any sort of Tor relay from home. It's a ~sure way to get your IP address on many blocklists.
And about getting notices, that only happens for exit relays. Not for guards and middle relays.
Edit: Actually, I meant running your own unpublished bridge, not guard. In the bridge torrc:
A malicious guard is just a malicious node. It can also be used as some other hop, or there can be non malicious nodes without a guard flag. I think there has been at least one publication taking a closer look at what malicious middle nodes can do.
I'm not familiar with bridges or the snowflake proxy but I think this would work:
Public bridges are public so no one cares about those. Now you run your own private bridge. First of all running your own leads directly back to you. Second it puts you on the list of even more paranoid people. Since you know and connect to that private bridge one can assume you trust that bridge for whatever reason which indicates some kind of "personal" relationship to that bridge.
The private bridge now connects to the second hop. This is a malicious one. The operator sees an IP which does not come from an official relay in the consensus. I don't know if a node knows he is in the middle (at least a guard and exit must know they are at the beginning and end of a chain, i guess?), but if he does he would now know that a private bridge is connecting to it. So you could enumerate private bridges.
If someone runs dozens of nodes, which is actually happening, this looks like a viable option. Correct me if I'm wrong.
> First of all running your own leads directly back to you. Second it puts you on the list of even more paranoid people.
It doesn't point to "me", at least in meatspace or even as Mirimir. It points to some anonymous persona, created specifically for that purpose. On its own Whonix instance, through its own nested VPN chain, and using its own multiply mixed Bitcoin. All totally disposable.
And to be clear, I'd use a different anonymous persona for the onion service itself, created specifically for that purpose. With all the features described above.
> Since you know and connect to that private bridge one can assume you trust that bridge for whatever reason which indicates some kind of "personal" relationship to that bridge.
There are numerous private bridges, and many of them have only a few users. Perhaps even just one user.
> The private bridge now connects to the second hop. This is a malicious one. The operator sees an IP which does not come from an official relay in the consensus. I don't know if a node knows he is in the middle (at least a guard and exit must know they are at the beginning and end of a chain, i guess?), but if he does he would now know that a private bridge is connecting to it. So you could enumerate private bridges.
Sure. Authoritarian regimes do that all the time.
But here's the thing. My Tor client will still only use that bridge. So it can't be tricked into using a malicious bridge. And I can change private bridges frequently, if I like. It's not at all hard to configure them.
First: If you're going to do that, then why bother with Tor? Just get a couple of private cloud boxes and make your own VPN. (You'll be just as secure. Which isn't as secure as Tor, but it's better than nothing.)
Second: "An adversary with lots of intercepts could certainly figure it out." Exactly. If you use Tor properly, then nationstates with virtually infinite resources can't figure it out. (That's why some countries block Tor; if you can't crack it, then block it.) But if you run your own guard, relay, rendezvous, or exit node -- and you're the only person who uses it -- then an adversary with lots of intercepts could certainly figure out who you are.
I bother with Tor because it's this onion routing network that's pretty large and well used. And maybe even ~secure and ~uncompromised, but counting on that is iffy.
I mistakenly said "running your own guard". What I meant was "running your own bridge". But in practice, that's basically the same.
But it's disingenuous to claim that even using a private guard (which isn't possible, as far as I know) is "just as secure" as a private VPN. Because there are still two other relays in its circuits to introduction and rendezvous points.
It is less anonymous, I admit, but it's also less vulnerable to malicious guards. And from what I'm aware of, malicious guards have deanonymized far more users and onion servers than traffic correlation attacks have.
> If you use Tor properly, then nationstates with virtually infinite resources can't figure it out.
That's just plain wrong. Even the Tor Project admits that.
But in any case, I'd never count on servers remaining uncompromised. I'm very careful to avoid associations with them.
Edit: Here's a little thing that I sometimes do, if I really want to obscure an SSH login or whatever.[0] Basically, I can do a Tor plus VPN based version of the old telnet login chaining thing.
>But it's disingenuous to claim that even using a private guard (which isn't possible, as far as I know)
I have been thinking about this for a while, too. There is some Tor fork which allows non-exit nodes to exit. It has been posted on tor-talk a while ago.
For a private guard you would need to change the local consensus file and include the private guard. Then you would also need to control the next hop so it recognizes your guard as first hop and connect you to the third hop. I don't see why this won't work in principle.
So you could have Tor exits that aren't published.
That would get around the CAPTCHA plague for Tor users.
Another option that I've considered is IPv6. Relays with both IPv4 and IPv6 must publish their IPv4, in order to get OKed for use. But as far as I know, there's no reason why they couldn't preferentially push exit traffic through IPv6. And indeed, use a different IPv6 address for each circuit.
Operators of Internet sites have the ability to prevent traffic from Tor exit nodes or to offer reduced functionality for Tor users. ... The BBC blocks the IP addresses of all known Tor guards and exit nodes from its iPlayer service, although relays and bridges are not blocked.^[110]
The above is from the Wikipedia page for Tor. If the guard IP was "unpublished", then would that be a way to access sites like BBC iPlayer in spite of their blacklisting known guard IPs. Perhaps in the BBC case some users were trying to use Tor as a "poor man's VPN" to get a free UK IP address.
I work on infrastructure at Discord. Our voice and video infrastructure gets attacked quite frequently and we have pretty good tracking about which ASNs the traffic is coming from as part of our mitigation processes.
Anyway, Choopa is a common source of DDoS in our reports, so I can corroborate the OP's comment to some degree. They aren't the largest we see, but they're in the top 10 sources for us.
As someone who used to work for a company that hosted large-scale gaming infrastructure, I can confirm that Choopa was a common source of DDoS. DigitalOcean, too, and lots of eyeball providers. Any provider who allows credit card payments has issues with outbound attacks, and some are better at responding quickly than others.
It got so bad we ended up building and deploying our own line-rate packet processing engine at our network edge to be able to deal with the weird UDP protocols gaming uses.
