Delivery-Date: Sun, 09 Nov 2014 11:27:14 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 2AFDB1E019F;
	Sun,  9 Nov 2014 11:27:13 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 563B6315C6;
	Sun,  9 Nov 2014 16:27:09 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 8CAB931298
 for <tor-talk@lists.torproject.org>; Sun,  9 Nov 2014 16:27:06 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Gj4HC5-0H6WM for <tor-talk@lists.torproject.org>;
 Sun,  9 Nov 2014 16:27:06 +0000 (UTC)
Received: from orcus.persephoneslair.org (orcus.persephoneslair.org
 [IPv6:2605:2700:0:17::4713:9bba])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mail.persephoneslair.org",
 Issuer "persephoneslair.org CA (RSA-4096)" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 56BB7310B0
 for <tor-talk@lists.torproject.org>; Sun,  9 Nov 2014 16:27:06 +0000 (UTC)
X-Greylist: delayed 1089 seconds by postgrey-1.34 at eugeni;
 Sun, 09 Nov 2014 16:27:06 UTC
Received: from dysnomia.persephoneslair.org (77-64-253-34.dynamic.primacom.net
 [77.64.253.34])
 by orcus.persephoneslair.org (8.14.7/8.14.7) with ESMTP id sA9G8rY2032148
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
 for <tor-talk@lists.torproject.org>; Sun, 9 Nov 2014 08:08:54 -0800
Received: (from andrea@localhost)
 by dysnomia.persephoneslair.org (8.14.7/8.14.7/Submit) id sA9G8aLW009758
 for tor-talk@lists.torproject.org; Sun, 9 Nov 2014 16:08:36 GMT
Date: Sun, 9 Nov 2014 16:08:36 +0000
From: Andrea Shepard <andrea@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20141109160835.GC26807@dysnomia.persephoneslair.org>
References: <CAJVRA1Qc_oDPMyiTKKETqqRrWkTK3j8qwi37ELhOk2xVTyvxqg@mail.gmail.com>
 <CAJVRA1SGKkYQ-hk2RiciMAVvG-UR8nX2okmgvb7tD6nyyN9_ZQ@mail.gmail.com>
 <CAJVRA1Smof5HKJAPCEg-CKTErnM8g0BJDTiyv6TpR0B4Mpv_0g@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAJVRA1Smof5HKJAPCEg-CKTErnM8g0BJDTiyv6TpR0B4Mpv_0g@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [tor-talk] insufficient hidden service performance is potential
 de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============4460665434625966161=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


--===============4460665434625966161==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="lMM8JwqTlfDpEaS6"
Content-Disposition: inline


--lMM8JwqTlfDpEaS6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Nov 09, 2014 at 05:31:47AM -0800, coderman wrote:
> On 11/9/14, coderman <coderman@gmail.com> wrote:
> > ...
> > your ConstrainedSockets experiments are exactly what i would expect to
> > see if this technique were used, since reducing socket buffers would
> > allow you to have more concurrent connections open (and thus thwart a
> > DoS at lower limits).
>=20
> someone asked, "then why the names and ..?"
>=20
> if i was implementing this attack, i would want the attacked to assume
> it was a mis-configured bot. this looks like a mis-configured bot.

Yes, and that is what it looks like.  The strings 'code', 'old' and 'fail' =
in
the URLs seen in nachash's logs were also present as top-level directories =
on
his site, and he apparently had a 404 redirect to his index page - so a
buggy crawler might well produce something like the observed pattern.  Who
would leave an obviously broken crawler producing nothing of interest like
that running for such a long time and O(1M) requests, though?  An attack
designed to look like skiddie bullshit is starting to sound plausible.

--=20
Andrea Shepard
<andrea@torproject.org>
PGP fingerprint (ECC): BDF5 F867 8A52 4E4A BECF  DE79 A4FF BC34 F01D D536
PGP fingerprint (RSA): 3611 95A4 0740 ED1B 7EA5  DF7E 4191 13D9 D0CF BDA5

--lMM8JwqTlfDpEaS6
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20-ecc (GNU/Linux)

iKIEARMKAAYFAlRfkYMACgkQCqXGPswvBxIWGgIJAaNbapyFH9EFkp525URkdKjL
TQZdsjwuruQfsLwqwys5ZAV4lPDfm1xA9mdjoxBkh4VezeDL61+zzh6qn8+qZXL6
AgkBoylPmiNcDjB8N+AjXZEhCW6FGGGalO4sYwmB6yYWw0YMQPP0vau9iMk3XcdT
dWNp3qsmGutjysZ975ex4m2Mf3c=
=sFjS
-----END PGP SIGNATURE-----

--lMM8JwqTlfDpEaS6--

--===============4460665434625966161==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============4460665434625966161==--

