Non-stop streaming - why doesn't TOR use it?

Discussion in 'privacy technology' started by Ulysses_, Feb 13, 2015.

  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Such a simple technique and yet in this age of >10 megabit connections it is still not used. Why not? Here's what I am talking about:

    Instead of a TOR node sending packets to another TOR node only when there is data to send, they could maintain a continuous stream of dummy data that only carries actual data packets when there is data to send.

    That way the timing of data packets is unknown to eavesdroppers.

    Crucially: every such carrier stream is only transient, living as long as a data connection exists between the two nodes (or client and node).

    Doesn't this beat traffic analysis attacks? Why is it not used at all? Or is there an alternative to TOR that uses such streams?
     
    Last edited: Feb 13, 2015
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, that is one of the standard obfuscation methods. As I recall, Mixmaster and JonDonym both do that, plus mixing. So does Pond, over Tor.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    You could also run "padding" from your end. A couple of posts are around here about the benefits. If YOU were sending lots/tons of automated meaningless traffic all day long it would be tough to distinguish when your "real" traffic left the network. It's kind of like a TOR exit node operator letting his personal traffic mix in at the exit. It would be quite tough to differentiate between his traffic and the TOR network's. A different way of looking at crowding!! I am lucky enough to have an ISP that is virtually unlimited with bandwidth for high package users. The "padding" traffic does not have to be multi-Gig files, just traffic going all over the place.
     
  4. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    With the do-it-yourself meaningless traffic approach, doesn't the instantaneous MB/s glitch a little when you add real traffic?
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    I am not currently "padding" still. However, I have the fortune of a 100 + meg connection. It is virtually undetectable.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Wouldn't constant traffic make a particular Tor client stand out? The entire system needs to be padding (and mixing aka randomly changing packet order) in order to provide better anonymity. Tor developers decided against padding and mixing in order to get better performance. But there's a lot more bandwidth now, so maybe they ought to revisit the issue.
     
  7. sephula

    sephula Registered Member

    Joined:
    Feb 18, 2015
    Posts:
    1
    The Tor community has already answered this question in their website's documentation. Tor already uses a proprietary system of traffic obfuscation, involving formatting variable length packets to all be the same length, and a sort of round robin method of transmission, so that packets never leave a relay in the same order they are received. They add that increasing obfuscation through sending phony packets to random destinations in no way increases the security of Tor, but only slows the throughput of legitimate traffic, and strains the network's limited bandwidth.

    Actually, user Ulysses_ is correct that it really doesn't matter how much you obfuscate the traffic flow, because all you need to do is make a small change to a packet on one end of the network, and watch for the evidence of the change coming out the other. It's sort of like throwing a leaf into rushing water, and watching it go under a bridge. You can't see through the bridge, or what path the leaf takes while under it. But all you really need to do is run to the other side, and watch as it emerges from beneath, to determine that it's the same leaf as went in before. This is a known attack against Tor, and one which Tor was never designed to defend against.

    In other words, one does not need to watch the route which traffic takes through Tor. They only need to determine who is receiving certain traffic, and this can be accomplished by altering traffic going in at the opposite end. Academics have tested that this attack does in fact work.

    If you're concerned about anonymity, then I'd suggest not using the internet at all, or using the internet ONLY when your internet use can not be tied back to your real world identity, at which point, Tor would offer no additional protection. However, this is difficult to achieve. Think fingerprints, facial recognition cameras, and license plate readers. Best bet, don't break the law, and be nice to others. Don't get rich, or have something someone else wants. Of course, if we all followed these rules, there'd be no need for Tor.
     
  8. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    I was not proposing ADDING phony packets to normal packets, but WRITING normal packets into a non-stop stream of phony packets that is not affected traffic-wise by the presence or absence of normal packets written into it.

    With TOR as it is, no leaf going under the bridge looks the same as one coming out the other side as different keys are used, the only hope is with the statistics of the distance between leaves that shows a detectable glitch when you go to a site, and I think no such glitch exists if connections are non-stop phony streams with data written over the phony packets instead of added.

    We have to consider the possibility that TOR devs are deliberately keeping TOR crippled so traffic analysis by the powers-that-be has a chance.

    Or maybe they made their statements above in an age of a much slower internet, and are now too scared to make it too effective.
     
    Last edited: Feb 20, 2015
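
The distinction drawn in the thread, between cover traffic sent alongside real traffic (posts 3 to 5) and real cells written over a constant-rate dummy stream (posts 1 and 8), as an added simulation that is not part of the original thread. The cell size, slot count, cover rate and workload are constructed assumptions, and the observer is modelled as seeing only per-slot byte counts on one link.

```python
import random
from collections import deque

CELL = 512    # bytes per cell (assumed value for the simulation)
SLOTS = 200   # fixed-interval send slots an on-path observer sees

def workload(burst_at=None, burst_len=20, burst_cells=4, seed=1):
    """Constructed input: real cells the user produces in each slot."""
    rng = random.Random(seed)
    cells = []
    for t in range(SLOTS):
        n = 1 if rng.random() < 0.05 else 0          # light background use
        if burst_at is not None and burst_at <= t < burst_at + burst_len:
            n += burst_cells                          # e.g. a page load
        cells.append(n)
    return cells

def additive_padding(real, cover_cells=3):
    """Cover traffic at a steady rate, real cells sent in addition to it."""
    return [(cover_cells + n) * CELL for n in real]

def constant_rate(real, cells_per_slot=1):
    """Each slot carries exactly cells_per_slot cells; a queued real cell
    replaces a dummy, otherwise the dummy goes out. Returns the bytes on the
    wire per slot and the worst queueing delay (in slots) of a real cell."""
    queue, wire, worst = deque(), [], 0
    for t, n in enumerate(real):
        queue.extend([t] * n)                         # remember arrival slot
        for _ in range(cells_per_slot):
            if queue:
                worst = max(worst, t - queue.popleft())
        wire.append(cells_per_slot * CELL)            # same size either way
    return wire, worst

def observer_sees_difference(wire_a, wire_b):
    """What a passive link observer has: per-slot byte counts only."""
    return wire_a != wire_b

if __name__ == "__main__":
    idle, busy = workload(), workload(burst_at=80)
    print("additive:", observer_sees_difference(
        additive_padding(idle), additive_padding(busy)))
    (w_idle, d_idle), (w_busy, d_busy) = constant_rate(idle), constant_rate(busy)
    print("constant-rate:", observer_sees_difference(w_idle, w_busy))
    print("worst delay in slots, idle vs busy:", d_idle, d_busy)
```

The constant-rate trace is the same for both workloads; the price is the queueing delay returned with it, which is the performance cost raised in post 6.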
  9. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Why don't you just play a random Youtube video in the background to add a constant stream of packets over the Tor network? Or torrent something over your VPN (assuming you trust it) while you use Tor?
     
  10. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Because it's not the same as writing over a non-stop stream, it would add little if anything as a defence against traffic analysis attacks.
     
  11. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Can someone tell me how many nodes connect to a given node at any time, on average?
     