Tor Anonymity Compromised: GPA Attack

Bad news folks. There is a new attack that can unmask Tor clients remotely, and discover tor hidden services. This is truly impressive. The attack is called Global Passive Adversary, and it uses a type of denial of service and network observability to entirely reverse the routes.

This amazing breakthrough was brought by Angelos Keromytis and Sumbuddho Chakravarty.


Download the slides here.

Rememer how I was talking about you could "buy" the integrity of the Tor network through creating more nodes? This is a way to do it without having to even have them on your circuit.

How to defeat this attack right now: If you are using Tor, enter using a Bridge.

 

I can barely keep track of the number of theoretical attacks on Tor that have turned to crap in real world situations. I can see three point to be made from this.

1. Tor is still the gold-standard, by a mile. The proof is in the fact that so many people are looking for ways to attack it. That's a good thing, not a bad thing.

2. You, sir, have an agenda. If you're going to post every theoretical exploit against the Tor network, you could fill up this entire board. It's too bad your network isn't receiving this much scrutiny. You have something bad to say about every service but your own.

3. Tor works just fine as is. I'll wait for the regularly scheduled updates and announcements from the developers. I'm not going to rush to patch together my hobbled and broken security measures based on your word.

Thank you.

 

You're suffering from the shoot the messenger syndrome. This looks like a pretty serious attack. There is a written application that does this and the report I've heard about it is that it works. I can appreciate your apprehension, but your ad hominem attacks aren't appreciated. Now go use bridge connections to protect yourself from this attack. Or you can wait for the tor devs to tell you the same thing.

 

Steve, for educational purposes, can you kindly take a few minutes to carefully explain why the XeroBank network would be immune to timing-based attacks that are designed to reveal the IP address of a user?

My impression is that this assertion is a point of much debate, not a foregone conclusion.

Steve, it is safe to assume that XeroBank 2.0 (like any product) has not yet reached a state of “perfection” - i.e., there are many more improvements to come over time. Therefore:

1. What aspects of XeroBank currently fall short of your expectations and high-standards?
2. What features of competitive (commercial or non-commercial) anonymity services are currently superior to those now implemented in XeroBank? In other words, what features of the competition might XeroBank wish to “copy” in the future?

Thank you.

 

Before We get too far along with the XeroBank questions and\or discussion, I'll ask that We confine the discussion to the threads topic Please, which concerns Tor.

There are more than enough Xerobank threads going around to ask those type questions in the appropriate Xerobank threads.

 

Pleonasm,

Let's take it to another thread. I don't mind answering those questions, but I also don't want to give the impression that tor's loss is xb's gain. It isn't, especially in this case.

I think what the result is going to be, until tor is patched, is that tor related softwares are going to have to automate their bridging, which may be difficult. This is particularly bad news because i think you have to acquire bridges through email, and manually input them as they are right now.

 

As requested, please see XeroBank: Timing-Based Attacks. My apologies for moving the thrust of this thread away from TOR.

 

I'll just point out again that your network isn't receiving anywhere near the same level of scrutiny as Tor. These types of attacks are going to be good in the long term for Tor. So, you can pick apart Tor every time some new paper is published, but that doesn't change the fact that Tor is going to become stronger in the long-run, and services without this level of scrutiny won't receive the same benefits. So, yes, I'll wait for the devs to make a recommendation.

 

I love seeing clever attacks, but there is no glee in the potential problem it creates. It doesn't look like it is theoretical, considering one of the nodes in the slideshow is one of the official directory authorities. This attack is very bad if true and accurate. If it's bad for tor, it's bad for xb browser. It looks like we're going to have to make modifications to xb browser in the next release, and xb machine. For your amusement, it appears one of the tor devs commented we can use "Bandwidth Rate 25KB" and a high setting for "BandwidthBurst" to try and liquify the traction of the attack. I see that people are waiting for someone to say that the attack doesn't work, or is only in theory. But that isn't the response coming back, we'll need more info.

Keep you informed.

 

This is an interesting point made by Malwaretesting. To address the issue of peer review, Steve, has XeroBank considered the creation of a “xB Prize” (e.g., $1 million), awarded to any individual or organization that documents a breach of anonymity within the products or services of XeroBank? Such a prize would encourage independent and critical assessments of XeroBank and, as a consequence, ultimately improve the offering.

P.S.: From a marketing perspective, the "xB Prize" would provide additional credence in the confidence of XeroBank.

 

It is an eventuality I think. However, there will be lots more work to do before we get there.

 

I looked back on my comments and thought some of them came across as too harsh, so I removed them. I apologize for that.

The only point I was trying to make is that, while these theoretical attacks are of interest to you, and I understand that, newbies come here all the time. My concern is that this type of thing presents an unbalanced view of the service that may scare people away.

Thanks.

 

Tor users are not 100% anonymous. Simple as that!

 

Yea, but if someone, newbie or not, has a need for Tor or a related service, then I presume they should be educated about it..which includes theoretical attacks.
I'll assume that anyone using a privacy related service is doing so for important reasons..at least reasons that are important to them. That being the case, they should stay current on potential weaknesses and flaws.
Take for instance the case of the Princeton group that showed how they can beat certain types of encryption software. Valuable information for anyone relying on encryption software, even if it's not a common situation they might find themselves in (to have their laptop hijacked and quickly run through the 'hacking' process).

I can see how most think Steve (Xerobank) has an agenda because he represents a related product, but to be honest, I've seen a lot of useful postings from him. If stories like this scare newbies away, then perhaps they shouldn't be 'playing' in the first place.

 

For normal web browsing I don't really see the significance of this attack for the following reasons:

• it requires about 20 minutes to identify a route (Tor clients by default change routes every 10 minutes);
• it requires a high (by Tor standards, very high) throughput connection of 30-40KB/s;
• the attacker has to be able to observe the destination web server (i.e. they need to know where a Tor user is going in the first place to target them specifically).

This essentially shows that high bandwidth connections (e.g. a large file transfer) are easier to detect and that should be clear to anyone following the discussion in the XeroBank Monster Thread. Even with the above conditions, the probing worked just over 50% (7 out of 13) of the time, though a larger sample size would be needed to get something more definitive.

There is also one easy fix - block TCP RST and ICMP Echo packets to prevent LinkWidth from gathering latency figures (using ICMP Echo packets to measure latency would be less accurate since routers/PCs should treat them as low priority). A Tor node running a firewall that "stealths" ports would also be immune to such monitoring since connection attempts to closed ports are silently discarded.

 

There will always be ways to scan connections for latency/linkwidth. blocking TCP RST and ICMP will only stop this specific tiny version of the possible attack. Just look at nmaps amazing scanning ability with all types of packets/methods. Because the Tor network is connection based, there will always be something to use for scanning. It would have to go to UDP.

 

And silently discarding packets to closed ports blocks almost all of them. The only ones left are ICMP/UDP-related or half-open TCP connections. Half-open connections would be the hardest to block, but a firewall with the ability to monitor and blacklist IP addresses that create an excessive number of connections should do the job.

 

With a global adversary, a firewall won't work. You could block half-open connections on the first attempt every time, but if the attacker has unlimited nodes, they can get all the data they need.

 

A "real" global adversary wouldn't need to use LinkWidth or any active probing - they could just monitor every node and not have to deal with the variances and error factors that such probing introduces.

This technique doesn't comprehensively overturn Tor's anonymity - it's a method that could provide information similar to (but not as accurate as) wholesale monitoring, assuming that Tor nodes don't block the probes. As such, it can only provide reasonably reliable results on high-speed connections (in part, due to their relative rarity but also their longer duration).