[messaging] Fwd: Traffic shaping attack

grarpamp grarpamp at gmail.com
Sun Jun 5 12:17:39 PDT 2016


Links to threads on traffic analysis / news of interest
to anonymizing messaging networks...

---------- Forwarded message ----------
From: torleaks at sigaint.org
Date: Sun, 5 Jun 2016 00:42:50 -0000
Subject: Re: [tor-talk] Traffic shaping attack
To: tor-talk at lists.torproject.org

My two cents to previous discussions:
https://lists.torproject.org/pipermail/tor-talk/2016-March/040639.html
https://lists.torproject.org/pipermail/tor-talk/2016-April/040816.html
https://lists.torproject.org/pipermail/tor-talk/2016-June/041058.html

The admin of another hidden service told people he saw the same
thing. One day before his server was seized by authorities he found
the connection speed frequently jumping from 500 Kbit/s to 15 Mbit/s.
It isn't clear when the attack was started, but one week before
the server's seizure he didn't see anything suspicious.

The total lifetime of his server was about 3 months. The admin thinks
it could be a remote traffic shaping attack (DoS) which helped
authorities to discover the IP address of his hidden service.

In normal operation mode the server speed was about 1 Mbit/s
without any jumps. During the attack he saw these speed jumps on the
client side, but cannot be sure the same was seen on the server side.
To get more information he wants to enable advanced network
logging for his other hidden services which can be attacked.

His hidden service was running inside a VM, the Tor client was
running on real hardware and iptables rules were blocking all non-Tor
connections from the VM. Most likely it isn't a problem on the
application side (HTTP server).
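
Added example, not part of the forwarded message: one way to do the server-side logging described above is to sample the interface byte counter at a fixed interval and flag abrupt rate swings between consecutive intervals. The counter samples, the 10-second interval, the `factor` threshold and all function names are assumptions made for this sketch.

```python
from statistics import median

# Constructed sample: (unix_time, cumulative_rx_bytes) every 10 s, shaped like
# the report: ~1 Mbit/s baseline, then jumps between 500 kbit/s and 15 Mbit/s.
_DELTAS = [1_250_000] * 5 + [625_000, 18_750_000, 625_000, 18_750_000, 1_250_000]
SAMPLES = [(0, 0)]
for _d in _DELTAS:
    SAMPLES.append((SAMPLES[-1][0] + 10, SAMPLES[-1][1] + _d))


def rates_kbit(samples):
    """Turn cumulative counter readings into (interval_end, kbit/s) pairs."""
    out = []
    for (t0, b0), (t1, b1) in zip(samples, samples[1:]):
        if t1 <= t0 or b1 < b0:  # clock step or counter reset: skip interval
            continue
        out.append((t1, (b1 - b0) * 8 / 1000 / (t1 - t0)))
    return out


def find_swings(rates, factor=5.0, floor=1.0):
    """Return (time, previous_rate, rate) where consecutive intervals differ
    by at least `factor` (assumed threshold; `floor` avoids dividing by 0)."""
    swings = []
    for (_, prev), (t, cur) in zip(rates, rates[1:]):
        lo, hi = sorted((max(prev, floor), max(cur, floor)))
        if hi / lo >= factor:
            swings.append((t, prev, cur))
    return swings


def summarize(samples, baseline_n=5, factor=5.0):
    """Baseline = median of the first `baseline_n` intervals (assumed quiet)."""
    rates = rates_kbit(samples)
    return {
        "baseline_kbit": median(r for _, r in rates[:baseline_n]),
        "peak_kbit": max(r for _, r in rates),
        "swings": find_swings(rates, factor),
    }


if __name__ == "__main__":
    report = summarize(SAMPLES)
    print(f"baseline {report['baseline_kbit']:.0f} kbit/s, "
          f"peak {report['peak_kbit']:.0f} kbit/s")
    for t, prev, cur in report["swings"]:
        print(f"t={t}s swing {prev:.0f} -> {cur:.0f} kbit/s")
```

On a live host the samples would come from the interface counters (for example `/proc/net/dev` on Linux) logged with timestamps, so that swings seen on the client side can be compared with what the server itself recorded.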

