[nycbug-talk] A Friday Brain-Teaser, Fwd: (Theory) The BGP exploit: Effects on Tor routing and overall anonymity?

Isaac Levy ike at lesmuug.org
Fri Aug 29 12:16:23 EDT 2008


Hi All,

So this is a bit of a cross-post, I thought it was relevant/interesting,
since we've all been buzzing about our very own Alex, and the wild Defcon
demo on scary BGP re-routing; and many folks here have an interest in the
TOR network.

ike-summary:

- Essentially, the first poster asks if the BGP attack could be used to
break TOR anonymity.

- The second poster explains a quick no, and then a sort of 'yes but it's
not in the realm of sanity', in good detail.

Interesting stuff- sorry again for the cross-post!

Best,
.ike





From the TOR project 'or-talk' mailing list,
   Their mailing list can be found over here, for the record:
   <http://www.torproject.org/documentation.html.en>

On Aug 29, 2008, at 1:21 AM, F. Fox wrote:

> Once I read about the recent BGP exploit (
> http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html ) - which
> has the potential to re-route the traffic of millions of users - I had a
> question, from a theoretical standpoint:
>
> If such siphoning drew in traffic passing in between Tor nodes, would
> this have an effect on reducing anonymity for the users having their
> traffic relayed by these nodes? If so, how?
>
> - --
> F. Fox

On Aug 29, 2008, at 1:46 AM, John Brooks responded:

> The short answer is no, not much. The long answer is a lot longer than
> that, so get ready :P
>
> This would serve the person intercepting the traffic in near exactly the
> same way it does the operator of the node - entry nodes know the client,
> middle nodes know the entry and exit nodes, exit nodes know the
> destination (and the traffic to that destination). You would still need
> to intercept a significant amount of nodes before being able to break
> anonymity and tell which users are responsible for what traffic - which
> is a problem because the entire reason this attack works is that it
> targets more specific IP blocks. That many announcements (for various
> nodes) would be pretty easy to see. If an attacker were able to
> intercept traffic on the entry and exit nodes, or the client and
> destination, they could use timing and bandwidth correlations to tell
> (with high probability) that this client is accessing this destination.
> But this is no different from an attacker with control of the entry
> node or exit/destination.
>
> The only way to make use of it that doesn't involve guessing at what
> nodes are in use would be to start at one end and work backwards or
> forwards in realtime. Essentially, you start by intercepting traffic to
> a target destination, then intercept traffic to the exit node
> contacting that destination, then intercept traffic to the middle node
> contacting that exit, then the entry node contacting that middle node,
> and finally to the client. The problem here is that you'd need a
> consistent (and obvious) traffic pattern sustained throughout that time
> (which would be long, due to the large amount of traffic most nodes
> handle and that BGP is not instantaneous), which is not generally true
> of HTTP requests. The complexity of such an attack would be
> problematic, and it still involves quite a lot of guesswork.
>
> So no, this isn't a significant risk to tor anonymity, it's at best a
> quicker way to intercept traffic and follow a node path to its source,
> and I would be amazed if that were pulled off successfully. Remember
> that this exploit only allows you to intercept traffic *to* a specific
> destination, and in that situation you have no more information than
> the real destination does (less, in fact, because you don't see the
> traffic going the other direction unless you intercept that too).
>
> - John Brooks
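Added example, not from the or-talk thread and not Tor project code: a minimal end-to-end timing/volume correlation of the kind John Brooks describes for an attacker who can see both the entry side and the exit side of a circuit (whether by running those nodes or by siphoning traffic to them). Flows are bucketed into one-second bins, and each entry-side flow is matched against every exit-side flow, sliding by a few bins to absorb circuit latency. All client names, exit names, traffic shapes, the bin width, the lag allowance and the 0.9 threshold are constructed assumptions; a constant-rate decoy flow is included to show that traffic with no distinctive pattern gives the attacker nothing to match.

```python
# Added example (not from the or-talk thread): end-to-end timing and volume
# correlation of the kind described above, run over constructed flow
# records rather than captured Tor traffic. Every name and value is made up.
import math
from typing import Dict, List, Optional, Tuple

# One packet record: (timestamp in seconds, bytes on the wire).
Flow = List[Tuple[float, int]]
# (matched exit flow or None, lag in bins or None, best correlation seen)
Match = Tuple[Optional[str], Optional[int], float]

WINDOW = 1.0       # bin width in seconds (assumed)
DURATION = 20.0    # length of the capture window (assumed)
MAX_LAG_BINS = 3   # tolerated delay between entry and exit vantage points (assumed)
THRESHOLD = 0.9    # below this the attacker should not claim a match (assumed)


def bin_flow(flow: Flow, window: float = WINDOW, duration: float = DURATION) -> List[int]:
    """Sum bytes into fixed-width time bins so flows seen at different
    vantage points (entry guard, exit relay) can be compared bin by bin."""
    bins = [0] * int(math.ceil(duration / window))
    for ts, size in flow:
        idx = int(ts // window)
        if 0 <= idx < len(bins):
            bins[idx] += size
    return bins


def pearson(a: List[int], b: List[int]) -> float:
    """Pearson correlation of two equal-length series; 0.0 when either side
    is constant, i.e. carries no timing signal at all."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return 0.0 if sa == 0 or sb == 0 else cov / (sa * sb)


def best_lag(entry_bins: List[int], exit_bins: List[int],
             max_lag: int = MAX_LAG_BINS) -> Tuple[int, float]:
    """Slide the exit-side bins back by 0..max_lag bins (the exit sees the
    data later than the entry does) and keep the best-fitting offset."""
    best = (0, -1.0)
    for lag in range(max_lag + 1):
        r = pearson(entry_bins[: len(entry_bins) - lag], exit_bins[lag:])
        if r > best[1]:
            best = (lag, r)
    return best


def correlate(entry_flows: Dict[str, Flow], exit_flows: Dict[str, Flow],
              threshold: float = THRESHOLD) -> Dict[str, Match]:
    """For each client flow seen at an entry guard, name the exit-side flow
    it most plausibly continues as, or None if nothing clears the threshold."""
    exit_bins = {name: bin_flow(f) for name, f in exit_flows.items()}
    result: Dict[str, Match] = {}
    for client, flow in entry_flows.items():
        ebins = bin_flow(flow)
        best: Match = (None, None, -1.0)
        for name, xbins in exit_bins.items():
            lag, r = best_lag(ebins, xbins)
            if r > best[2]:
                best = (name, lag, r)
        if best[2] < threshold:
            best = (None, None, best[2])
        result[client] = best
    return result


def flow_from_pattern(pattern: List[int], lag: float = 0.0, scale: float = 1.0) -> Flow:
    """Constructed data: one packet per non-empty bin, optionally delayed and
    rescaled to mimic what the far end of a circuit would see."""
    return [(i * WINDOW + WINDOW / 2 + lag, int(b * scale))
            for i, b in enumerate(pattern) if b]


# Constructed traffic shapes in bytes per second; not real captures.
ALICE = [0, 500, 0, 0, 4000, 4000, 0, 0, 0, 9000, 0, 0, 0, 0, 2500, 2500, 0, 0, 0, 0]
BOB = [3000, 0, 0, 0, 0, 0, 0, 3000, 0, 0, 0, 0, 0, 0, 3000, 0, 0, 0, 0, 0]
STEADY = [1000] * 20   # a constant-rate stream carries no timing signal

ENTRY_FLOWS = {"alice": flow_from_pattern(ALICE), "bob": flow_from_pattern(BOB)}
EXIT_FLOWS = {
    # same shapes, delayed 1.2 s by the circuit and slightly smaller on the exit side
    "exit->example.org": flow_from_pattern(ALICE, lag=1.2, scale=0.9),
    "exit->example.net": flow_from_pattern(BOB, lag=1.2, scale=0.9),
    "exit->decoy.test": flow_from_pattern(STEADY, lag=0.3),
}

if __name__ == "__main__":
    for client, (exit_name, lag, r) in correlate(ENTRY_FLOWS, EXIT_FLOWS).items():
        print(f"{client}: {exit_name} lag={lag} r={r:.3f}")
```

The matcher deliberately reports nothing for a client whose best score stays under the threshold: with only one side of a circuit in view (the situation the reply says a destination-only hijack leaves you in) there is no second series to correlate against, and a flow with no bursts (the decoy above) scores zero against everything.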




