On Mon, Feb 15, 2010 at 12:30:22AM -0600, Scott Bennett wrote: > On Mon, 15 Feb 2010 00:16:28 -0500 Flamsmark <flamsm...@gmail.com> > wrote: > >On 14 February 2010 03:15, Scott Bennett <benn...@cs.niu.edu> wrote: > > > >> > >> >But one big problem is that you have no guarantee whatsoever that I'm > >> >telling you the truth about my measurements. See for example Kevin > >> >Bauer et al's "Low Resource Routing Attacks Against Tor." > >> > >> Yes, I've understood that from the outset, but I haven't seen any > >> evidence that such abuse is actually happening. > > > > > >Tor isn't just designed to be resilient to attacks that are actually being > >employed. It is designed to be resistant to theoretical attacks too - as > >well it should be. Indeed: complaining that we're protecting against > >attacks, but nobody is using them is like saying `I bought this expensive > >umbrella, but then I didn't even get wet.': > > > That wasn't my point at all. What I was complaining about was the > introduction of a new, *actual* problem as the cure for a disease we had > no sign of suffering from. Of course, a clear avenue of attack should be > blocked, but let's pick a way of doing it that embodies the "first, do no > harm" concept. The method that the developers have employed in this case > simply adds to the misallocation problems that were already bogging tor > down.
This is a good point, but it's hard to gauge both the urgency and the significance of a threat you discover. In the case of one that had been shown to work on the live Tor network and that was easy to do, it seemed clear that some remediation was needed quickly. Note that the Bauer et al. simulation was a year after Lasse Overlier and I demonstrated this attack on the live Tor network (not simulated) using just a single corrupt Tor node that lied about its bandwidth to find hidden services, as we described in "Locating Hidden Services" in 2006. Of course we structured things so that we would only attack ourselves without affecting others. See the paper for details. This prompted a couple of changes. One was the capping of allowed claimed bandwidth, another was entry guards (which Bauer et al. showed could also be used to create attacks without the caps). Your comments on and suggestions for (and even complaints about ;>) how to measure the network and how to use that information in routing are a welcome part of the picture, but this remains a complicated balancing act that we continue to refine as best we can, including in that the considerations that you have raised. aloha, Paul *********************************************************************** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/