XeroBank: Timing-Based Attacks

Discussion in 'privacy technology' started by Pleonasm, Jun 12, 2008.

Thread Status:
Not open for further replies.
  1. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Note: This thread is a spin-off from Tor Anonymity Compromised: GPA Attack, beginning with post #4.

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    Steve, for educational purposes, can you kindly take a few minutes to carefully explain why the XeroBank network would be immune to timing-based attacks that are designed to reveal the IP address of a user?

    Steve, it is safe to assume that XeroBank 2.0 (like any product) has not yet reached a state of “perfection” - i.e., there are many more improvements to come over time. Therefore:
    1. What aspects of XeroBank currently fall short of your expectations and high-standards?
    2. What features of competitive (commercial or non-commercial) anonymity services are currently superior to those now implemented in XeroBank? In other words, what features of the competition might XeroBank wish to “copy” in the future?
    Thank you.
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Let's see. Timing attacks. Well, we aren't a public network so the IP addresses of the users are not published, so you don't have any list with which to perform timing attacks. I'll ask some of the network engineers to give me more details.

    The design is quite naturally perfect; it is a work of art, flawless, sublime. </architect> So far I'm pretty happy with it. I want to see it under heavy load from new users, then I can make a comment.

    One thing I really like is the unobservability of I2P and of the now defunct Zero Knowledge Systems.
     
  3. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    This statement seems to imply that XeroBank will never experience upgrades or improvements at any time in the future, since it has already achieved “perfection.” I am sure it was not your intention to suggest this corollary. Therefore, looked at from another angle, what are the major enhancements planned for “XeroBank 3.0” (i.e., the network and the associated xB applications)?

    Thanks.
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    It would be more succinct to say that the current units of xb2.0 are great. It will still change, however. The reason is that xb2 is modular. We can symmetrically expand the network as needed. After a critical mass of users is reached, the network will undergo another evolution and be converted into a massive multi-Gbps mux, fully unobservable, virtually immune to even global adversaries.
     
  5. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I was talking with an engineer about it, and he said a linkwidth attack could start to work on any network that is observable and has low latency. I asked how that would apply to xb, and he said it could in theory if there was a large enough global adversary, but an adversary that large would already have superpower access and not need such an attack.
     
  6. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    That is amazing. I hope it pans out.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I presume you mean XB nodes rather than XB users? (Tor users' IP addresses aren't published either, though Tor nodes' are). It isn't a great defence (security through obscurity) since an attacker could sign up as an XB customer to collect network data.

    My first impression is that XB could be initially more vulnerable (due to traffic involving 2 hops rather than 3) but if so, could also address this more quickly via changes to their server configurations (as suggested in the original thread, silently discarding connections to closed ports and blocking incoming Pings).
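
    Added example, not part of the original post and not XeroBank's or Tor's own tooling: a small Python audit that checks whether a node's `iptables-save` output silently discards probes to closed ports and drops incoming pings, the two server-side changes mentioned above. The two rulesets are constructed for illustration, and the first-match logic is a heuristic that skips rules tied to an interface, source address, open port or existing connection.

```python
import re

# Constructed iptables-save dumps for illustration (not from any real node).
WEAK = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
HARDENED = """*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
ECHO = {"8", "8/0", "echo-request"}
CONDITIONAL = re.compile(r" (-i|-s|--dport|-m (state|conntrack)) ")

def verdict(rules, policy, proto, icmp_types=()):
    """Heuristic first-match verdict for a new, unsolicited probe packet."""
    for rule in rules:
        if CONDITIONAL.search(rule + " "):
            continue  # tied to an interface, source, open port or existing flow
        p = re.search(r" -p (\S+)", rule)
        t = re.search(r" --icmp-type (\S+)", rule)
        j = re.search(r" -j (\S+)", rule)
        if (p and p.group(1) != proto) or (t and t.group(1) not in icmp_types):
            continue
        if j and j.group(1) in ("ACCEPT", "DROP", "REJECT"):
            return j.group(1)  # terminating target; LOG etc. fall through
    return policy

def audit(dump):
    """Return findings for the filter table's INPUT chain (empty list = ok)."""
    policy, rules, in_filter = "ACCEPT", [], False
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(line)
    probes = {"closed TCP port": verdict(rules, policy, "tcp"),
              "incoming ping": verdict(rules, policy, "icmp", ECHO)}
    return [f"{what} gets a reply (verdict {v})"
            for what, v in probes.items() if v != "DROP"]
```

    `audit(WEAK)` reports both probes as answered (REJECT still sends an ICMP error back), while `audit(HARDENED)` returns an empty list.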
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I do mean users, but the point is moot. The nodes are discoverable, they aren't designed to be a secret. As for linkwidth attacks, it doesn't matter if you have 2 hops or 2000 hops, it makes no difference. Any network that is low latency can be vulnerable to this attack. My understanding, without further investigation, is that it is easier on the Tor network because you can participate and discover information. For XeroBank you can't participate, and the passive adversary is going to have to be truly global external to the network instead of peripheral.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I beg to differ - an attacker would need to probe each node with linkwidth so every hop adds more variability (from background traffic, node IO bottlenecks, differences between attacker/victim network connections, etc) reducing the likelihood of successful route discovery - in much the same way as adding more hops increases overall latency.

    Additionally, more nodes in the network increases the number of probes an attacker has to run to gain (and maintain) visibility of a prospective victim.
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    All the attacks happen at the same time, and assuming the adversary is global, "20 minutes" solves all routes, regardless of node hops. I really don't know enough about the attack personally, but this was a detail of the report back from the CSO.
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    As published, the document only addresses routes using 3 nodes and under "good" circumstances (where they controlled the traffic flow and knew the destination) had just over a 50% success rate.

    A "global" adversary, as noted elsewhere, would have no need of probes - passive monitoring would provide more accurate results.
     