Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
Hi Karsten, (strange to write that *g*)

> do you run a TOR server on a virtual server without connection faults?
> A year ago, I tested a tor server on virtual hardware (Virtuozzo) and I
> got many TCP connection faults in "/proc/user_beancounters".
>
> Is a TOR server now ready to run with less than 1024 TCP connections?
> Or do you have a virtual server, which does not have low limits for TCP
> connections? In this case the offer of 1blu is very nice for TOR.

At the moment I count 630 TCP connections using netstat. And I don't know about /proc/user_beancounters, but that file is empty.

I don't have any long-term experience with 1blu so far. Maybe they shut down my node as soon as they find out why it produces so much traffic. And maybe they change their contracts as soon as everybody is running Tor servers at them from now on. Let's wait and see.

> --- Begin Off-Topic ---
> I know, it is a Tor list. But please let me write this:
> What do you think about a remailer (Mixmaster or Mixminion), something
> like TOR for emails. Emails are more private than surfing in my opinion.
> If you did have the power to admin a few tor servers, you may run a
> remailer too. It may share a server together with TOR. The traffic is
> not very high: 5.000 mails per day. It uses at max. 16 TCP connections.
> And it can act as a middle-man like TOR. For Mixmaster a working MTA
> ("exim4" or something else) is required, for a Mixminion middle-man nothing.
>
> The size of the remailer networks decreased in the last 6 months down to
> 35 nodes for Mixminion and less than 30 nodes for Mixmaster. Hope, we
> can stop this trend. Large networks for high anonymity are needed.
>
> I am ready for help, if somebody needs any docs. (in German too)

Personally, I don't know so much about e-mail anonymizers, yet. So, if you have information that I cannot find in a two-minute Google session, yes, please send it to me.

> --- End Off-Topic ---

--Karsten
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
> I would like to contribute some more Tor servers running at different
> providers across Germany (probably not in the same /16 network). My
> current server is a virtual server at 1blu that has a bandwidth of 931
> KB/s which makes it the 71st fastest Tor server in the network. Maybe
> other providers are even faster than 1blu. Just as a comparison: the
> fastest Tor server at the moment has 4533 KB/s.

Hi,

do you run a TOR server on a virtual server without connection faults? A year ago, I tested a tor server on virtual hardware (Virtuozzo) and I got many TCP connection faults in "/proc/user_beancounters".

Is a TOR server now ready to run with less than 1024 TCP connections? Or do you have a virtual server, which does not have low limits for TCP connections? In this case the offer of 1blu is very nice for TOR.

--- Begin Off-Topic ---
I know, it is a Tor list. But please let me write this:
What do you think about a remailer (Mixmaster or Mixminion), something like TOR for emails. Emails are more private than surfing in my opinion. If you did have the power to admin a few tor servers, you may run a remailer too. It may share a server together with TOR. The traffic is not very high: 5.000 mails per day. It uses at max. 16 TCP connections. And it can act as a middle-man like TOR. For Mixmaster a working MTA ("exim4" or something else) is required, for a Mixminion middle-man nothing.

The size of the remailer networks decreased in the last 6 months down to 35 nodes for Mixminion and less than 30 nodes for Mixmaster. Hope, we can stop this trend. Large networks for high anonymity are needed.

I am ready for help, if somebody needs any docs. (in German too)
--- End Off-Topic ---

Karsten N.
---
[EMAIL PROTECTED] 0x1C10A42F
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
> Do you think it's a privacy problem to run 3 to 5 servers? All servers
> would be non-exit servers because of the current habit of the German
> police to collect all exit servers. Of course, I will set the family entry.

Please do run as many servers as you can afford. There is absolutely no privacy issue if you set the MyFamily option. Note that you must remember to set it on all the servers for it to work (so I can't just claim 99% of the Tor network is my family and therefore you should use my 1% remaining evil servers by setting the option in one config file).

There is no issue with you running 100 servers as long as you use MyFamily; that would be very good. It's only when you're running 100 servers on different /16's and pretend that you have no involvement with any of them that I would wonder what you're up to.
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
> What kind of traffic plan do you have with 1blu, and how much do you
> pay for it?

They offer "1blu-vServer Unlimited" with unlimited traffic volume for 17 euros per month. I don't know if it's the best offering, so I decided to give them a try. Are there other good offerings for (virtual) Linux servers with unlimited traffic?

> FWIW, I don't see any problems in running two middleman servers (shrek,
> shrek2), with proper family setting, of course.

OK. Does someone else have scruples about it?
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
On Wed, Apr 18, 2007 at 11:45:15AM +0200, Karsten Loesing wrote:
> I would like to contribute some more Tor servers running at different
> providers across Germany (probably not in the same /16 network). My
> current server is a virtual server at 1blu that has a bandwidth of 931

What kind of traffic plan do you have with 1blu, and how much do you pay for it?

> KB/s which makes it the 71st fastest Tor server in the network. Maybe
> other providers are even faster than 1blu. Just as a comparison: the
> fastest Tor server at the moment has 4533 KB/s.
>
> Do you think it's a privacy problem to run 3 to 5 servers? All servers
> would be non-exit servers because of the current habit of the German
> police to collect all exit servers. Of course, I will set the family entry.

FWIW, I don't see any problems in running two middleman servers (shrek, shrek2), with proper family setting, of course.

> Just want to ask in advance.

--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
Hi,

this question is not directly related to the described case.

I would like to contribute some more Tor servers running at different providers across Germany (probably not in the same /16 network). My current server is a virtual server at 1blu that has a bandwidth of 931 KB/s which makes it the 71st fastest Tor server in the network. Maybe other providers are even faster than 1blu. Just as a comparison: the fastest Tor server at the moment has 4533 KB/s.

Do you think it's a privacy problem to run 3 to 5 servers? All servers would be non-exit servers because of the current habit of the German police to collect all exit servers. Of course, I will set the family entry.

Just want to ask in advance.

--Karsten
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
On Fri, Apr 13, 2007 at 12:50:00PM -0400, Roger Dingledine wrote:
> > A group of 9 Tor routers also functioning overtly or indirectly as Tor
> > exit nodes have been observed colluding on the public Tor network.
>
> Yeah. This happened in mid 2006. I don't know why some random person
> just picked it up now.

"[EMAIL PROTECTED]" sent me some follow-up questions, which I'll answer here so we can keep the thread in one place. Maybe this will finally put the topic to rest. :)

| How did Steven Murdoch and Richard Clayton track down the operator?

I believe they made some phone calls to their friends who work in the network operations center at psinet.

| How did they determine it was an innocent mistake?

They know the person who was running them. It was somebody in the security field who was helping out but was embarrassed to realize that he was actually putting the network at risk by helping out quite so much. :) The fellow felt that private embarrassment was adequate, and asked not to be publicly named. I trust them, and they trust him, so from my perspective it is now fine.

| Even if the
| operator is benevolent, that capability with so few nodes is disturbing.

Yep. I agree. The Tor network may seem large, but it still needs to grow a lot larger to resist even medium sized attackers.

| How were 9 nodes apparently able to touch 11% of all Tor traffic?

If you launch a bunch of Tor servers that together push upwards of 200MBit/s each way sustained, ...that's a lot of bytes. Tor weights path selection by bandwidth -- otherwise Tor performance would be extremely miserable rather than just miserable. (http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#WhySlow)

There are even several research projects currently looking at how to trade off a bit more privacy for better performance, including one of our GSoC interns. See also item #4 on http://tor.eff.org/volunteer#Research

| Have changes to the code since then reduced this vulnerability?

Yes. See the previous post:

  This issue also prompted us to speed up the fix/feature in 0.1.2.1-alpha:
  "Automatically avoid picking more than one node from the same /16 network
  when constructing a circuit."
  http://archives.seul.org/or/talk/Aug-2006/msg00300.html

But the issue still exists with respect to people who control different /16 networks, and who can push lots of bytes (or trick us into thinking they can).

| Do you think there needs to be activity (perhaps "collusion" between a
| group of good guys), similar to what's on Bit Torrent, to identify and
| blacklist nodes (discussions about the risks and legality of such
| things can be left till later)?

Well, the Tor directory authorities list servers, and can mark each server as invalid, badexit, etc. So in effect the authority operators can collude to blacklist nodes that we agree are behaving badly. A majority of authority operators need to claim something before clients will believe it. See http://tor.eff.org/svn/trunk/doc/spec/dir-spec.txt for a few more details.

| Is there a transcript of the talk those slides were given with, or at
| least a video?

Yes, there is actually a video, courtesy the 23C3 folks: http://events.ccc.de/congress/2006/Streams look for talk 1513. For example, http://media.hojann.net/23C3/23C3-1513-en-detecting_temperature_through_clock_skew.m4v

Hope that helps,
--Roger
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
Roger Dingledine wrote on 13.04.2007 23:50:
> On Fri, Apr 13, 2007 at 03:24:40PM +0700, Vlad SATtva Miller wrote:
>> ...However none of the mentioned below router nicknames or fingerprints
>> was found in the current local cache file.
>>
>> -------- Original Message --------
>> Subject: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed
>> Date: Thu, 12 Apr 2007 23:35:52 -0400
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>>
>> A group of 9 Tor routers also functioning overtly or indirectly as Tor
>> exit nodes have been observed colluding on the public Tor network.
>
> Yeah. This happened in mid 2006. I don't know why some random person
> just picked it up now.

Thank you for the detailed feedback, Roger. I've somehow managed to miss the whole thing when it first happened.

--
SATtva
www.vladmiller.info
www.pgpru.com
Re: [Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
On Fri, Apr 13, 2007 at 03:24:40PM +0700, Vlad SATtva Miller wrote:
> ...However none of the mentioned below router nicknames or fingerprints
> was found in the current local cache file.
>
> -------- Original Message --------
> Subject: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed
> Date: Thu, 12 Apr 2007 23:35:52 -0400
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> A group of 9 Tor routers also functioning overtly or indirectly as Tor
> exit nodes have been observed colluding on the public Tor network.

Yeah. This happened in mid 2006. I don't know why some random person just picked it up now.

We (mainly Steven Murdoch and Richard Clayton) tracked down the fellow running them. It turned out to be an innocent mistake. He's still running quite a few, on the same network, but now he sets the MyFamily torrc option on them.

This issue also prompted us to speed up the fix/feature in 0.1.2.1-alpha: "Automatically avoid picking more than one node from the same /16 network when constructing a circuit."
http://archives.seul.org/or/talk/Aug-2006/msg00300.html

> Collusion was definitively established by the following method:

For a more interesting (and more conclusive imo) method of deciding they're the same, check out slide 28 in Steven's slides from his CCS paper and 23C3 talk, where he investigated these servers:
http://www.cl.cam.ac.uk/~sjm217/talks/ccc06hotornot.pdf

--Roger
[Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]
...However none of the mentioned below router nicknames or fingerprints was found in the current local cache file.

-------- Original Message --------
Subject: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed
Date: Thu, 12 Apr 2007 23:35:52 -0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

A group of 9 Tor routers also functioning overtly or indirectly as Tor exit nodes have been observed colluding on the public Tor network. The colluding routers map to two /16 IP subnets administered by Cogent (formerly by PSINet) [1]. Traceroute reveals all routes to these routers pass through Rethem.demarc.cogentco.com (38.112.12.190) at the final hop.

Analysis of a local snapshot of the Tor cached-routers file from 2006-05-27 first suggested the presence of colluding routers. The analysis yielded the following information:

- 9 Tor routers self-identified as aala, donk3ypunch, TheGreatSantini, mauger, paxprivoso, soprano1, hubbahubbahubba, m00kie, and joiseytor together reported carrying what amounted to 11% of the traffic on the Tor network at the time of the snapshot, while the remaining 89% of Tor traffic was carried by the other 551 (approximated) routers.
- All 9 of these routers appear to be located in the Washington, D.C. area.
- 5 of these routers are on the same 149.9.0.0/16 IP subnet.
- 4 of these routers are on the same 154.35.0.0/16 IP subnet.
- All 9 routers reported running Tor 0.1.0.16 on FreeBSD i386 machines.
- All 9 routers reported nearly identical uptimes.
- 3 of the 5 routers on the 149.9.0.0/16 IP subnet reported providing outproxy service for DNS, HTTP, POP3, IMAP, HTTPS, AIM and IRC traffic on Tor.
- The other 2 routers on the 149.9.0.0/16 IP subnet reported rejecting all outproxy traffic.
- The 4 routers on the 154.35.0.0/16 IP subnet reported providing outproxy service for the above traffic plus SSH and NNTP.

Collusion was definitively established by the following method:

1. The following lines were added to the local torrc:

     ExitNodes donk3ypunch,mauger,paxprivoso,soprano1,hubbahubbahubba,m00kie,joiseytor
     StrictExitNodes 1

2. The local Tor client was restarted so the new configuration would take effect.

3. Using Tor as an HTTP proxy, the websites of the IP address mirror services whatismyip.com and whatsmyipaddy.com were visited repeatedly over the course of one hour.

The results: An IP address of 149.9.0.25 was always reported by the IP address mirror services. This is not the IP address of any of the exit nodes forced by the new torrc configuration, but rather the address of aala, one of the 2 other colluding Tor routers which report themselves as rejecting direct Tor HTTP outproxy traffic.

Although further testing is needed, it appears that all 8 of the other Tor routers identified may be forwarding their HTTP outproxy traffic to the router known as aala, and that aala may be performing the exit node duties on their behalf. aala may perform exit node duties for all protocols supported by this collusion network--not merely HTTP. This strategy would make aala a single point of transit (and possible data retention or traffic analysis) for up to 11% of the traffic leaving and entering the Tor network through exit nodes.

The function in this collusion network of the router identified as TheGreatSantini is still undetermined. Its published exit policy, like aala's, purported to reject all outproxy traffic, yet it hasn't been observed acting as an outproxy as aala has. It may simply serve as an intermediate router.

Due to the sheer amount of traffic apparently passing through this collusion network, consolidation and analysis of exit node traffic is only one of several forms of anonymity attacks made more feasible. Hence these 9 routers appear to pose a significant anonymity threat to users of the public Tor network.
---

Excerpted router descriptor data [2] of colluding routers taken from snapshot of local Tor cached-routers file on 2006-05-27

1.
router aala 149.9.0.25 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
published 2006-05-27 16:39:07
opt fingerprint 3F8A 0FF0 39E0 E047 6EF9 24C2 7519 2A59 E6AE 58FB
uptime 2462963
bandwidth 2097152 5242880 695815
reject *:*
(Observed throughput for this router: 695.82 KB/s)

2.
router donk3ypunch 149.9.25.222 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
published 2006-05-27 16:00:20
opt fingerprint AA40 19D8 5823 518F 0904 3F05 E61E AE5E 52CA 78B4
uptime 2460631
bandwidth 2097152 5242880 700879
accept *:53
accept *:80
accept *:110
accept *:143
accept *:443
accept *:5190
accept *:6660-6669
reject *:*
(Observed throughput for this router: 700.88 KB/s)

3.
router TheGreatSantini 149.9.92.194 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
publi
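The three technical points in this thread (the report's tally of /16 clusters and their share of observed bandwidth from a cached-routers snapshot, Roger's remark that MyFamily only works when every relay in the set declares it, and the 0.1.2.1-alpha rule of never picking two hops from one /16) can all be exercised against descriptor text. The script below is an added example, written for this page; it is not code from the thread, from the report's author or from Tor. The aala and donk3ypunch entries reuse the values excerpted above; shrek, shrek2 and fiona, their 10.x addresses, their all-A/B/C fingerprints and their family lines are invented, and the parser handles only the descriptor keywords it needs (`router`, `fingerprint`, `bandwidth`, `family` with `$fingerprint` entries) and skips the rest.

```python
"""Added example (not from the or-talk thread or from Tor): group Tor router
descriptors by /16, compute each /16's share of observed bandwidth, find
one-sided MyFamily declarations, and apply the thread's two path rules."""
from collections import defaultdict

# Constructed sample in cached-routers format. aala and donk3ypunch carry the
# values posted in the report; shrek, shrek2, fiona and their data are invented.
SAMPLE = """\
router aala 149.9.0.25 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
opt fingerprint 3F8A 0FF0 39E0 E047 6EF9 24C2 7519 2A59 E6AE 58FB
bandwidth 2097152 5242880 695815
reject *:*
router donk3ypunch 149.9.25.222 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
opt fingerprint AA40 19D8 5823 518F 0904 3F05 E61E AE5E 52CA 78B4
bandwidth 2097152 5242880 700879
accept *:80
reject *:*
router shrek 10.1.2.3 9001 0 9030
opt fingerprint AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
bandwidth 1048576 2097152 300000
family $%s $%s
reject *:*
router shrek2 10.2.3.4 9001 0 9030
opt fingerprint BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB
bandwidth 1048576 2097152 250000
family $%s
reject *:*
router fiona 10.3.4.5 9001 0 9030
opt fingerprint CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC CCCC
bandwidth 524288 1048576 100000
reject *:*
""" % ("B" * 40, "C" * 40, "A" * 40)   # shrek lists shrek2+fiona; shrek2 lists shrek


def parse_descriptors(text):
    """One dict per 'router' entry; keywords not needed here are skipped."""
    routers, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "router":
            cur = {"nick": parts[1], "ip": parts[2], "fingerprint": None,
                   "observed": 0, "family": set()}
            routers.append(cur)
        elif not parts or cur is None:
            continue
        elif parts[:2] == ["opt", "fingerprint"] or parts[0] == "fingerprint":
            cur["fingerprint"] = "".join(parts[2:] if parts[0] == "opt" else parts[1:])
        elif parts[0] == "bandwidth":      # fields: average, burst, observed
            cur["observed"] = int(parts[3])
        elif parts[0] == "family":         # only $fingerprint entries are handled
            cur["family"] = {p[1:].upper() for p in parts[1:] if p.startswith("$")}
    return routers


def slash16(ip):
    """The /16 prefix Tor keeps distinct between hops (IPv4 dotted quad)."""
    return ".".join(ip.split(".")[:2])


def slash16_share(routers):
    """Fraction of total observed bandwidth per /16, as the report tallied it."""
    total = sum(r["observed"] for r in routers)
    per_net = defaultdict(int)
    for r in routers:
        per_net[slash16(r["ip"])] += r["observed"]
    return {net: bw / total for net, bw in per_net.items()}


def family_gaps(routers):
    """(a, b) pairs where a declares b as family but b does not declare a back:
    the one-sided declaration Roger says must not count."""
    by_fp = {r["fingerprint"]: r for r in routers}
    gaps = []
    for r in routers:
        for fp in sorted(r["family"]):
            other = by_fp.get(fp)
            if other is not None and r["fingerprint"] not in other["family"]:
                gaps.append((r["nick"], other["nick"]))
    return gaps


def mutual_family(a, b):
    return b["fingerprint"] in a["family"] and a["fingerprint"] in b["family"]


def path_allowed(routers, nicks):
    """True if no two hops share a /16 or a mutually declared family."""
    by_nick = {r["nick"]: r for r in routers}
    hops = [by_nick[n] for n in nicks]
    for i, a in enumerate(hops):
        for b in hops[i + 1:]:
            if slash16(a["ip"]) == slash16(b["ip"]) or mutual_family(a, b):
                return False
    return True


def myfamily_line(fingerprints):
    """The torrc line every relay in the set must carry (the same line on each)."""
    return "MyFamily " + ",".join("$" + fp.replace(" ", "").upper() for fp in fingerprints)


if __name__ == "__main__":
    rs = parse_descriptors(SAMPLE)
    for net, share in sorted(slash16_share(rs).items()):
        print(f"{net}.0.0/16: {share:.1%} of observed bandwidth")
    print("one-sided family declarations:", family_gaps(rs))
    print(myfamily_line([r["fingerprint"] for r in rs if r["nick"].startswith("shrek")]))
```

Run against a real cached-routers file, the /16 share is the figure the report derived by hand (its 11% came from summing the `observed` bandwidth of nine descriptors against the whole snapshot); `family_gaps` is the check an operator of several relays wants before assuming MyFamily protects their users, since shrek's declaration of fiona is ignored by the path rule until fiona declares shrek too.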