Message-ID: <3a3efb54e95615c6882892ea0adc8efd.webmail@localhost>
Date: Sun, 5 Jun 2016 00:42:50 -0000
From: torleaks@sigaint.org
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Traffic shaping attack

My two cents to previous discussions:
https://lists.torproject.org/pipermail/tor-talk/2016-March/040639.html
https://lists.torproject.org/pipermail/tor-talk/2016-April/040816.html
https://lists.torproject.org/pipermail/tor-talk/2016-June/041058.html

The admin of another hidden service told people he saw the same thing.
One day before his server was seized by the authorities, he noticed
the connection speed jumping frequently between 500 Kbit/s and 15 Mbit/s.
It isn't clear when the attack started, but one week before
the server's seizure he hadn't seen anything suspicious.

The total lifetime of his server was about 3 months. The admin thinks
it could have been a remote traffic shaping attack (DoS) which helped
the authorities discover the IP address of his hidden service.

In normal operation the server speed was about 1 Mbit/s
without any jumps. During the attack he saw these speed jumps on the
client side, but he cannot be sure the same was seen on the server side.
To get more information he wants to enable advanced network
logging for his other hidden services, which could be attacked.

His hidden service was running inside a VM, the Tor client was running
on real hardware, and iptables rules were blocking all non-Tor
connections from the VM. Most likely it isn't a problem on the
application side (HTTP server).

