Date: Sun, 9 Nov 2014 05:31:47 -0800
Message-ID: <CAJVRA1Smof5HKJAPCEg-CKTErnM8g0BJDTiyv6TpR0B4Mpv_0g@mail.gmail.com>
From: coderman <coderman@gmail.com>
To: tor-talk <tor-talk@lists.torproject.org>, nachash@observers.net
Subject: Re: [tor-talk] insufficient hidden service performance is potential
 de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]

On 11/9/14, coderman <coderman@gmail.com> wrote:
> ...
> your ConstrainedSockets experiments are exactly what i would expect to
> see if this technique were used, since reducing socket buffers would
> allow you to have more concurrent connections open (and thus thwart a
> DoS at lower limits).

someone asked, "then why the names and ..?"

if i was implementing this attack, i would want the attacked to assume
it was a mis-configured bot. this looks like a mis-configured bot.

only by watching established connections, and the rate of client
request data sent over them, would you be able to identify that this
type of malicious attack was taking place.

morals of this story:
- never assume a crash or DoS is innocuous on the Tor network.
- always get packet captures to diagnose trouble! (not just request logs)
- "the old tricks, still the best tricks..."
- and DON'T record traffic on a relay or exit! this is likely to harm
others while you attempt to be proactive. the last thing Tor needs is
relays and exits breaking the very privacy it is intended to provide
:)


best regards,
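
Added example (not part of the original message, and not code from its author or the Tor Project): one way to do the check described above, watching established connections and the rate of client request data on each, run on the hidden service's own web server host rather than on a relay or exit. The snapshot format, the thresholds and all function names are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed samples (not from the thread): periodic snapshots of established
# connections. Fields: seconds since start, connection id, cumulative client
# request bytes, 1 if a complete request has been received.
SAMPLES = """\
0 c1 120 0
0 c2 410 1
0 c3 95 0
30 c1 126 0
30 c3 99 0
60 c1 131 0
60 c3 104 0
60 c5 17 0
90 c1 137 0
90 c3 108 0
90 c5 22 0
"""

MIN_AGE = 60.0   # assumed: seconds a connection must be observed before judging it
MIN_RATE = 1.0   # assumed: bytes/sec of request data below which a client is trickling

def parse(text):
    """Group snapshots by connection id as (time, bytes, complete) tuples."""
    conns = defaultdict(list)
    for line in text.splitlines():
        t, cid, nbytes, done = line.split()
        conns[cid].append((float(t), int(nbytes), done == "1"))
    return conns

def trickling_connections(conns, min_age=MIN_AGE, min_rate=MIN_RATE):
    """Return {conn id: bytes/sec} for long-lived connections that keep sending
    request data slowly without ever completing a request."""
    flagged = {}
    for cid, obs in conns.items():
        obs.sort()
        age = obs[-1][0] - obs[0][0]
        if age < min_age or any(done for _, _, done in obs):
            continue  # too young to judge, or behaving like a normal client
        rate = (obs[-1][1] - obs[0][1]) / age
        if 0 < rate < min_rate:
            flagged[cid] = round(rate, 3)
    return flagged

def summary(text):
    """Return the flagged connections and their share of all connections seen."""
    conns = parse(text)
    flagged = trickling_connections(conns)
    return flagged, len(flagged) / len(conns)
```

A request log would show none of the flagged connections, since they never finish a request; only the per-connection byte counts expose them.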

