* Attacker DDoS-es a hidden service, sending millions of requests to it
* Attacker hopes that at least one of these requests will be routed exclusively through their own tor nodes, thus revealing the IP address of the hidden service
That sounds neat. Is it a viable way to de-anonimize a hidden service?
That's broadly describing one possible class of attack. It looks more like a combination of attacks may have been used - traffic confirmation via timing of outages and packets is definitely a strong one, and that's what GCHQ's QUICKANT was gunning for; ONIONBREATH was targeted at hidden service enumeration and distinguishability, and Tor is seemingly not perfect at that. (I gather HSes were due for an overhaul anyway?)
Remember, Tor cannot comprehensively protect against a global passive attacker - which is what GCHQ, DSD, NSA, et al are trying to be, as well as every other kind of attacker of course. (Generally speaking, they try every possible angle at once.)
However, they have still not had much success to date identifying users, especially en masse. We're talking here about highly-targeted attacks, combined with a few OPSEC fails.
(I still prefer garlic routing in general, but Tor has a huge advantage which has little to do with tech - a massive, diverse userbase to hide amongst.)
I've studied Tor vulnerabilities for two years. I'm seeing signs of traffic confirmation (active), traffic confirmation (passive), stream watermarking, and a massive willingness to shape control of the network with DoS. Just about every attack on hidden services (active and passive), of which I am aware, was deployed, all at once. The malformed packet DoS was especially clever. And I'm sure a ton more were used that never made it to the academic research.
It was almost comical, like the star ship captain saying "now on my mark, fire all photon torpedoes!" They just revealed a massive amount of capability to send a message: Tor is not safe. They want everyone to know that despite that sticker on Snowden's laptop, Tor remains vulnerable.
But what remains interesting, and glaringly obviously absent, is user identification. The NSA does not appear to be able to deanonymize users at will. That is, given enough time and enough resources, they can ID hidden services and long-term users, but given an arbitrary Tor exit and and TCP stream, they can't simply follow it back to its origin.
A for effort. But in organizaton it looks like a military campaign, not a cyber attack. Straight out of the "total dominance" playbook.
But of course it won't work. Tor isn't a country. Its an idea. You can't force the Internet to "submit."
All this did was make blindingly obvious holes that many researchers have been asking to be fixed for a while.
This is very interesting. Are you suggesting that Facebook over Tor could be a step in the wrong direction? Official NSA Facebook partnerships are for now very unlikely, but I am interested to know how Facebook over Tor could in principle solve the user identification problem listed by grand parent.
Please correct me if I'm wrong, but if someone is logged in to Facebook while browsing over Tor, aren't you just one CSRF from getting all personal details for the user?
If you're using Facebook over Tor, you probably shouldn't be using an account that you created on an non-Tor connection or an account tied to your real-world identity.
If you are, and you're concerned about being identified... :/
Indeed, it works like freenet IRC where you have to make an account first then log in to it with Tor. This is solved by making a throwaway VPS or virtual desktop you ssh into with Tor, make your account, shred the VPS and then change the password when you log in directly to Fb with Tor.
You can also edit Torrc to temporarily only use your own Tor exit nodes if worried about malicious exits while setting up accounts.
Is that academic research, or in what context? I'd be interested to hear what you have to say on that; anything published anywhere? Email in profile if you'd be into that :)
One (rather wasteful) workaround to delay the discovery a little bit is to have each node generate an equivalent amount of traffic going somewhere else.
The concept of a hidden service is itself interesting since it must still be "visible" to some extent, or else nothing could communicate with it; but at the same time, it's attempting to hide any indications of its presence. Attacks based on a large volume of traffic will always work if the service is centralised, since that's where all the traffic will (eventually) go. The only real solution I see is to make hidden services highly distributed so that the load is spread out and largely masked by other traffic.
What I don't fully understand is why it's necessary for an adversary to have access to all nodes on the complete path from his DDoS machine to the target IP he's trying to unmask.
Wouldn't it only be necessary that I have shared knowledge of what packet I'm sending between the machine that I'm sending my DDoS from and my relay which I'm hoping is the last one that my target is connecting to? Or perhaps I don't understand Tor well enough.
You might be able to use statistics instead. If you flood Tor with requests for a particular service, that service's address should become more common at the relays you control.
Tor works by obfuscating traffic, jumping through 3 or more nodes before exiting the tor network. If an attacker controls those three nodes it is possible for them to determine the source.
ehh a Sybil attack involves breaking identification systems (eg, cracking private keys). In this case it seems like they've broken the underlying protocol (tor) to get the ip address.
A Sybil attack is any attack that involves attacking by brute forcing the number of identities. The identity need not be based on cryptographic systems -- it could simply be the number of IP addresses.
Sure but Sybil generally refers to obscuring identity as opposed to actually actively breaking into systems... This seems like a much more active attack if it involves forged packets.
I don't understand the context of this post on torproject.org
Who is this guy? Nachash? Is he an operator of one of the illegal websites that were seized as a result of Onymous? He is talking as I would expect a sysadmin, so is that what you'd call him? He talks about inheriting PHP code, is he referring to the original SR source code? If so, how could he have acquired this source code?
To add on to what tux3 has posted, nachash has been involved in various other illegal happenings on the net over the past few years, usually with other ED hackertypes.
You can just use google to find irc logs to get a general idea of who this guy is.
Not knowing much about doxbin, I don't understand why it would have been seized. It doesn't seem anywhere near in the same league as the various drug markets that were seized.
A few nodes makes it easier for a global adversary to attack, I'd think.
The FBI could seize those nodes and replace them with rooted boxes. The NSA could use their little boxes in Sprint/ATT/L3's broom closets to forward packets to Ft. Meade.
What Tor needs is lots more traffic going through lots more nodes.
Freenet doesn't have the concept of a server that hosts a site though. Data is distributed across the datastore in nodes in Freenet. When users request a site or data then it is gathered from the nodes that hold the information.
This means sites can't have dynamic functionality but for those that host only static data then it would seem to be an alternative.
They are possibly vulnerable to being discovered when inserting data if the attacker knows what they are inserting.
> They are possibly vulnerable to being discovered when inserting data if the attacker knows what they are inserting.
If we go by the theory that compromising a single Tor user is not feasible, then connecting to the Freenet network through a fresh Tor connection every time you want to insert new data should make it a lot more difficult to find the identity of the person who is inserting this data.
I'm thinking here in the context of operating a black market, where new items are signed with the operator's key, and uploaded to Freenet, along with a list of all items on the market in question, also signed by the operator (with an increasing nonce).
new items are signed with the operator's key, and uploaded to Freenet, along with a list of all items on the market in question, also signed by the operator (with an increasing nonce).
It really confuses me why people insist on thinking about electronic systems of exchange in broken physical world terms: market/store, buyer, seller. See https://github.com/OpenBazaar/OpenBazaar/issues/961
I don't see what's "broken" about these terms. People understand them, and they serve their purpose: explaining the roles of various nodes in the network.
However, I understand your argument that there's really no need to differentiate between "buyers" and "sellers": every node on the network could be either, both or neither at any point in time.
I don't think changing the language used in OpenBazaar really makes much of a difference though. I doubt people are that interested in doing barter trading via an online market. That seems very inefficient (ie. sending a pound of beef jerky in in the mail in exchange for receiving five LED bulbs). The only reason for doing this would be if the two parties don't have proper money available.
It'd be a lot more efficient for either party to sell their good (beef jerky or light bulbs) for money locally (for example bitcoins), and pay for the other item in bitcoins, so only a single good needs to be sent via mail. The party receiving money can then just buy the goods he wants locally.
From the standpoint of someone with root access to a
dedi with OpenVZ vms, finding hidden services that are
hosted by customers is a matter of looking for files
named private_key anywhere under the /vz folder.
[...]
2. Cross your fingers and pray really, really hard that
the money trail is correctly obscured.
Hetzner is a popular German hoster and as far as I know payment requires either a valid credit card or a German bank account. How is it possible to obscure the money trail at all?
There are prepaid cards in almost every US grocery and convenience store, typically Mastercard and Visa. They don't require any ID to buy and have a fee around $5. Most can't be reloaded.
You can exchange bitcoins on IRC for prepaid virtual visas and mastercards, paypal, any 3rd party payment you want. There's a few web services for exchanging coins to visa too, which I can't remember right now but are posted to bitcointalk forums.
Of course if you were setting up an illegal hidden service payment would be the least of your worries. Moving it around every few weeks inside Russia like the inter-dimensional dark fortress in Krull to prevent long term traffic analysis, maintaining your site from a moving location everyday, and making sure you don't blow opsec giving away your identity is probably more difficult than finding creative methods to pay for hosting.
They all do (maybe not Diners, I didn't realize they were still a thing). I use them from time to time to get around the geofencing of purchases, or when I really don't trust the site.
No, Direct Deposit in Germany usually refers to Giro[1] which is a payment between bank accounts. (Credit cards and even debit Visa/MasterCards are relatively uncommon in Germany)
I've never seen an actual cash deposit payment while I lived there, though we do have them in Sweden for example.
Seems like that should also open one up to an identifying attack of sorts. Find out when deposits were made (assuming there is more than one), grab all the security video from those times, and try to identify the person who is in all of those clips. Facial recognition software should get one the rest of the way. I imagine you would only need 3 or 4 deposit events to reliably identify someone?
It looks like guard discovery was one component of the attack, and DoS could have been used to boot HSes into choosing a malicious guard, or at least, a raided (but no logs?) or somehow-rooted guard. So it's probably just a badly-coded script-kiddie-grade DoS script. It doesn't have to be an amazing, novel DoS to have an effect - it just has to be a DoS, and they don't have to show their hands by using anything particularly amazing.
What I think is that they probably don't have anything that we don't know about already as being theoretically possible. They just tried every attack we do know about at once, and some of it proved fruitful given their reach. Tor stinks - but it still works, and we can improve it.
* Attacker has control of X number of tor nodes
* Attacker DDoS-es a hidden service, sending millions of requests to it
* Attacker hopes that at least one of these requests will be routed exclusively through their own tor nodes, thus revealing the IP address of the hidden service
That sounds neat. Is it a viable way to de-anonimize a hidden service?