Silk Road forums
Discussion => Security => Topic started by: MagicKillerMan on July 29, 2011, 04:50 am
-
Not a new attack but indeed a very dangerous attack against hidden services.
"The attack works because hidden services build new circuits to every rendezvous node a client asks them to connect to. A malicious client can add some nodes to the network (this is called a Sybil attack and is the foundation of all other active attacks). Next, the attacker forces the hidden service to open a ton of new circuits to different rendezvous nodes. The hidden service opens a lot of circuits, and chances are the client can get it to select at least one of its nodes in one of its circuits. The attacker then sends a stream with a specific pattern in the modulation and looks for this modulation at the nodes they have added to the network. When this pattern in modulation is found, the node knows it is on the path to the hidden service. Doing this for long enough, and it was only about twenty-four hours when the attack first came out, results in the hidden service being located.

They added entry guards to combat this attack. Entry guards are three nodes selected the first time you run Tor which are used as your entry node for every stream you send, unless they are all down simultaneously. So now the attacker cannot trace to the hidden service in 24 hours, but they can quickly locate three separate nodes which are all one hop away from the hidden service. After doing this it will be trivial to deanonymize the hidden service still; a simple pen register / trap and trace order on one of the entry guards will locate the hidden service. So Tor hidden services have shitty anonymity still.

The devs should have them use multiple guard chains and more than three nodes, but imo they seem to not give a fuck that hidden services are so easy to trace / deny they are even though it's obviously B.S. I have a copy of a thesis paper from the Air Force Academy of the USA which indicates to me that the military may be using a custom Tor client that uses long circuits like this for their hidden services. Then an attacker will only be able to easily trace the hidden service to the first guard node they own, and then they have to force the nodes/infrastructure to cooperate one at a time after that. This can potentially add a lot of anonymity not only to the hidden service but to clients connecting to it."
-Magic
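The post above argues in prose that flooding a hidden service with rendezvous circuits lets a Sybil adversary land a relay next to it, that entry guards stop the direct hit but let the attacker enumerate the three guards, and that layered guards would push the attacker back one hop per layer. The simulation below is an added example written for this page, not code from the post or from the Tor project. It models a constructed toy network (1000 relays, 50 of them the attacker's, three-hop circuits, integer relay IDs) and an attacker who recognises its own modulated stream on any relay it runs and thereby learns the relay one hop closer to the hidden service. All numbers are assumptions chosen to make the effect visible, not measurements of the real network.

```python
import random

# Constructed toy network: 1000 relays, 50 of them (5%) run by the attacker
# as Sybil nodes. Relay IDs are plain integers and are assumptions of this
# example, not real relays.
N_RELAYS = 1000
ADVERSARY = frozenset(range(950, 1000))
HOPS = 3  # hop 0 is adjacent to the hidden service, hop 2 talks to the rendezvous point


def pick_path(rng, guard_layers=()):
    """Build one hidden-service -> rendezvous-point circuit.

    guard_layers[i], when present, is the fixed set of relays allowed at hop i
    (Tor's entry guards are a single layer at hop 0; the "multiple guard
    chains" the post asks for would be several layers). Hops with no layer
    are drawn uniformly from the whole network, i.e. the pre-guard behaviour.
    Layers are assumed disjoint so the no-duplicate loop always terminates.
    """
    path = []
    for hop in range(HOPS):
        pool = guard_layers[hop] if hop < len(guard_layers) else None
        while True:
            relay = rng.choice(pool) if pool else rng.randrange(N_RELAYS)
            if relay not in path:  # a relay never appears twice on one circuit
                break
        path.append(relay)
    return path


def run_attack(seed, guard_layers=(), max_circuits=100_000):
    """Force circuits until an attacker relay sits at hop 0, where it sees the
    hidden service's address directly.

    Returns (circuits_needed_or_None, learned): learned[j] is the set of relays
    the attacker identified at hop j because its own modulated stream showed
    up on one of its relays at hop j+1.
    """
    rng = random.Random(seed)
    learned = [set() for _ in range(HOPS)]
    for n in range(1, max_circuits + 1):
        path = pick_path(rng, guard_layers)
        if path[0] in ADVERSARY:
            return n, learned
        for hop in range(1, HOPS):
            if path[hop] in ADVERSARY:
                learned[hop - 1].add(path[hop - 1])
    return None, learned


def p_located_within(k, fraction=len(ADVERSARY) / N_RELAYS):
    """Closed form for the no-guard case: probability that at least one of k
    independently chosen hop-0 relays belongs to the attacker."""
    return 1 - (1 - fraction) ** k


def mean_circuits_until_located(trials=2000, seed=0):
    """Average number of forced circuits the attacker needs without guards,
    each trial using its own seed."""
    return sum(run_attack(seed + i)[0] for i in range(trials)) / trials


if __name__ == "__main__":
    print("no guards, mean circuits to locate HS:", mean_circuits_until_located())
    print("P(located within 50 circuits) =", round(p_located_within(50), 3))
    n, learned = run_attack(7, guard_layers=([1, 2, 3],), max_circuits=10_000)
    print("one honest guard layer: located =", n, "guards learned =", sorted(learned[0]))
    n, learned = run_attack(7, guard_layers=([1, 2, 3], [4, 5, 6]), max_circuits=10_000)
    print("two honest layers: located =", n,
          "hop-0 learned =", sorted(learned[0]), "hop-1 learned =", sorted(learned[1]))
```

Without guards the attacker needs on the order of 1/fraction circuits (about 20 here), which is why the post describes the original attack as a matter of hours. With one honest guard layer the hop-0 hit never happens, but learned[0] fills up with exactly the three guards, matching the post's point that the guards themselves are quickly enumerated. With a second fixed layer the attacker only ever learns the hop-1 relays and learns nothing about hop 0, which is the one-layer-at-a-time cost the post attributes to long guard chains.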