[nycbug-talk] A Friday Brain-Teaser, Fwd: (Theory) The BGP exploit: Effects on Tor routing and overall anonymity?
Isaac Levy
ike at lesmuug.org
Fri Aug 29 12:16:23 EDT 2008
Hi All,
So this is a bit of a cross-post, I thought it was relevant/
interesting, since we've all been buzzing about our very own Alex, and
the wild Defcon demo on scary BGP re-routing; and many folks here have
an interest in the TOR network.
ike-summary:
- Essentially, the first poster asks if the BGP attack could be used
to break TOR anonymity.
- The second poster explains a quick no, and then a sort of 'yes but
it's not in the realm of sanity', in good detail.
Interesting stuff- sorry again for the cross-post!
Best,
.ike
From the TOR project 'or-talk' mailing list,
Their mailing list can be found over here, for the record:
<http://www.torproject.org/documentation.html.en>
On Aug 29, 2008, at 1:21 AM, F. Fox wrote:
> Once I read about the recent BGP exploit (
> http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html ) -
> which has the potential to re-route the traffic of millions of users -
> I had a question, from a theoretical standpoint:
>
> If such siphoning drew in traffic passing in between Tor nodes, would
> this have an effect on reducing anonymity for the users having their
> traffic relayed by these nodes? If so, how?
>
> - --
> F. Fox
On Aug 29, 2008, at 1:46 AM, John Brooks responded:
> The short answer is no, not much. The long answer is a lot longer
> than that, so get ready :P
>
> This would serve the person intercepting the traffic in near exactly
> the same way it does the operator of the node - entry nodes know the
> client, middle nodes know the entry and exit nodes, exit nodes know
> the destination (and the traffic to that destination). You would
> still need to intercept a significant amount of nodes before being
> able to break anonymity and tell which users are responsible for
> what traffic - which is a problem because the entire reason this
> attack works is that it targets more specific IP blocks. That many
> announcements (for various nodes) would be pretty easy to see. If an
> attacker were able to intercept traffic on the entry and exit nodes,
> or the client and destination, they could use timing and bandwidth
> correlations to tell (with high probability) that this client is
> accessing this destination. But this is no different from an
> attacker with control of the entry node or exit/destination.
>
> The only way to make use of it that doesn't involve guessing at what
> nodes are in use would be to start at one end and work backwards or
> forwards in realtime. Essentially, you start by intercepting traffic
> to a target destination, then intercept traffic to the exit node
> contacting that destination, then intercept traffic to the middle
> node contacting that exit, then the entry node contacting that
> middle node, and finally to the client. The problem here is that
> you'd need a consistent (and obvious) traffic pattern sustained
> throughout that time (which would be long, due to the large amount
> of traffic most nodes handle and that BGP is not instantaneous),
> which is not generally true of HTTP requests. The complexity of such
> an attack would be problematic, and it still involves quite a lot of
> guesswork.
>
> So no, this isn't a significant risk to tor anonymity, it's at best
> a quicker way to intercept traffic and follow a node path to its
> source, and I would be amazed if that were pulled off successfully.
> Remember that this exploit only allows you to intercept traffic *to*
> a specific destination, and in that situation you have no more
> information than the real destination does (less, in fact, because
> you don't see the traffic going the other direction unless you
> intercept that too).
>
> - John Brooks
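An added illustration of the per-hop knowledge John describes above (example code, not Tor's implementation: a toy SHA-256 stream cipher and JSON cells stand in for Tor's real cell format and key exchange, and the relay names, client and destination are constructed). It shows that no single relay, or observer of traffic into that relay, sees both client and destination, and that linking them needs vantage points at both ends plus correlation.

```python
import hashlib
import json

# Toy model of a three-hop Tor-style circuit (constructed illustration, not
# Tor's real cell format or key exchange): the client holds one symmetric
# key per relay and wraps the payload in one layer per hop.

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode stream cipher, for illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(route, keys, destination, payload):
    """Innermost layer is for the exit; each layer names only the next hop."""
    cell = keystream_xor(keys[route[-1]],
                         json.dumps({"next": destination, "data": payload}).encode())
    for hop, nxt in zip(reversed(route[:-1]), reversed(route[1:])):
        wrapped = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = keystream_xor(keys[hop], wrapped)
    return cell

def run_circuit(client, route, keys, destination, payload):
    """Forward the cell hop by hop and record what each relay can see."""
    views, prev = {}, client
    cell = build_onion(route, keys, destination, payload)
    for hop in route:
        layer = json.loads(keystream_xor(keys[hop], cell))
        is_exit = hop == route[-1]
        views[hop] = {"from": prev, "to": layer["next"],
                      "plaintext": layer["data"] if is_exit else None}
        cell, prev = (None if is_exit else bytes.fromhex(layer["data"])), hop
    return views

def can_link(views, observed, client, destination):
    """An observer of the listed relays (or of traffic into them) can tie
    client to destination only by seeing the client at one vantage point
    and the destination at another, then correlating the two flows."""
    seen_client = any(views[h]["from"] == client for h in observed)
    seen_dest = any(views[h]["to"] == destination for h in observed)
    return seen_client and seen_dest

if __name__ == "__main__":
    ROUTE = ["entry", "middle", "exit"]  # constructed relay names
    KEYS = {h: hashlib.sha256(h.encode()).digest() for h in ROUTE}
    v = run_circuit("client", ROUTE, KEYS, "example.org", "GET /")
    for hop in ROUTE:
        print(hop, v[hop])
    print("entry only:", can_link(v, ["entry"], "client", "example.org"))
    print("entry+exit:", can_link(v, ["entry", "exit"], "client", "example.org"))
```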