Re: [tor-talk] about tor entry node
esolve esolve: > what I meant is: > > Let me say that an attacker controls some nodes. At a certain time, one of > the controlled nodes is used as entry node by a tor client, if the > attacker doesn't know that the node is used as entry node, then the > attacker can't identify the client. Even if it examines the IP addresses of > the lists of relays, the suspicious IP may belong to a client or a bridge. I might be misinterpreting what you say. I don't know what a client does, that a relay does not do, because I don't know the protocol well enough. (How does a relay extend the circuit?) For example clients and bridges can be told apart, because sometimes bridges do things different than clients. (This is going to be resolved where ever possible). > so why tor designer let the attacker know when a controlled node is used as > entry node? > You probably have to wait for an answer... ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Bandwidth in TOR
On 08.12.2012 05:43, Maimun Rizal wrote: > Hi All, > I confused about bandwidth in TOR, there are Bandwidth Max, Burst, and > Observed. > Where I can get information about them? > When will we use three of them? Maximum bandwidth is the average bandwidth limit for both incoming and outgoing traffic of a relay. "Burst" should be set to near the line limit (and to more than "max"), specifying a maximum for short-term bandwidth spikes if necessary/useful to the relay. >From the directory spec (third hit when you search for "tor bandwidth max observed burst": "bandwidth" bandwidth-avg bandwidth-burst bandwidth-observed NL Estimated bandwidth for this router, in bytes per second. The "average" bandwidth is the volume per second that the OR is willing to sustain over long periods; the "burst" bandwidth is the volume that the OR is willing to sustain in very short intervals. The "observed" value is an estimate of the capacity this relay can handle. The relay remembers the max bandwidth sustained output over any ten second period in the past day, and another sustained input. The "observed" value is the lesser of these two numbers. -- Moritz Bartl https://www.torservers.net/ ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Bandwidth in TOR
Maimun Rizal: > Hi All, > I confused about bandwidth in TOR, there are Bandwidth Max, Burst, and > Observed. > Where I can get information about them? > When will we use three of them? > > Thank > Regards, > MR A quote form the manual[1]: "BandwidthRate N bytes|KB|MB|GB A token bucket limits the average incoming bandwidth usage on this node to the specified number of bytes per second, and the average outgoing bandwidth usage to that same value. If you want to run a relay in the public network, this needs to be at the very least 30 KB (that is, 30720 bytes). (Default: 5 MB)" "BandwidthBurst N bytes|KB|MB|GB Limit the maximum token bucket size (also known as the burst) to the given number of bytes in each direction. (Default: 10 MB)" "MaxAdvertisedBandwidth N bytes|KB|MB|GB If set, we will not advertise more than this amount of bandwidth for our BandwidthRate. Server operators who want to reduce the number of clients who ask to build circuits through them (since this is proportional to advertised bandwidth rate) can thus reduce the CPU demands on their server without impacting network performance." Relays observe peak bandwidth and store it in their state file. A relay can advertise bandwidth it doesn't even have, therefor some authorities measure the bandwidth of relays (bandwidth scanner) I hope I could help you. For further questions or more detailed insight about this topic, you'll most likely have to wait for other replies, since I'm unable to help you out, most likely. [1] https://www.torproject.org/docs/tor-manual.html.en Regards, Sebastian (bastik_tor) ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Securing a hidden service
On Fri, Dec 07, 2012 at 09:50:32PM +, Aaron Brouard wrote: > I'm trying to make my hidden service more secure. It runs on a server > running Ubuntu 12.04.1 LTS server version. I have set up full disk If you can't place the service on physically distinct machines, private (RFC1918) address space with ACL lockdown in the switches (or at least, dedicated VLANs) you can at least compartmentalize the application into virtual server guests (heavyweight via KVM or lightweight via LHC https://help.ubuntu.com/community/LXC or Linux VServer) and firewall it on the host. > encryption and a basic firewall but I want to do more. If an attacker > managed to compromise nginx or apache (whichever I decide to use), is there > a way I can prevent the web server from sending any data outside of the Tor > network? An apparmor profile or something? ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] tor-talk Digest, Vol 23, Issue 25
from traffic correlation, which > > has not been defeated yet. As far as I know this would be very hard to > > accomplish, if at all.. (I'm not experienced enough with this topic.) > > > > Entry Guards are one attempt to minimize the risk of being exposed to > > traffic correlation. If the client picks three guards that are honest > > (good guards), an attacker won't be able to correlate traffic, while it > > would be more likely to pick a bad entry point if entry guards wouldn't > > have been invented/introduced. (While there still is the case that a > > client can pick bad guards) > > > > To avoid building circuits over nodes that are controlled by the same > > operator, operators can set a "Family" for their nodes, so the Tor > > client would not pick them for the same circuit (also everything in the > > same /16 IP block). Obviously the relay operators have to be honest as > > this is an optional torrc setting and if your are a bad guy I guess you > > wouldn't set it. (The other way around is not true; if it is not set > > although it would be correct doesn't mean the relay operator is a bad > guy) > > ___ > > tor-talk mailing list > > tor-talk@lists.torproject.org > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > > > > -- > > Message: 2 > Date: Sat, 8 Dec 2012 04:32:36 + > From: Julian Yon > To: tor-talk@lists.torproject.org > Subject: Re: [tor-talk] about tor entry node > Message-ID: <20121208043236.6b7f57c1@numenor> > Content-Type: text/plain; charset="us-ascii" > > On Fri, 07 Dec 2012 23:23:17 +0100 > "Sebastian G. " wrote: > > > Low latency networks such as Tor suffer from traffic correlation, > > which has not been defeated yet. As far as I know this would be very > > hard to accomplish, if at all.. (I'm not experienced enough with this > > topic.) > > There is a relatively simple strategy for mitigating correlation > attacks: decoy traffic. The problem is, the lower the latency, the more > decoy traffic you need to effectively cover the trail. And to avoid the > decoys being readily identified, a proportion of them must propagate > through the network by at least two hops. This is plausible for high > latency networks such as remailers but completely impractical for Tor, > unless available bandwidth ever significantly exceeds demand. > > > Julian > > -- > 3072D/F3A66B3A Julian Yon (2012 General Use) > -- next part -- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 230 bytes > Desc: not available > URL: < > http://lists.torproject.org/pipermail/tor-talk/attachments/20121208/b0f9abc3/attachment-0001.pgp > > > > -- > > Message: 3 > Date: Sat, 08 Dec 2012 05:43:26 +0100 > From: Maimun Rizal > To: tor-talk@lists.torproject.org > Subject: [tor-talk] Bandwidth in TOR > Message-ID: <50c2c56e.8050...@gmail.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Hi All, > I confused about bandwidth in TOR, there are Bandwidth Max, Burst, and > Observed. > Where I can get information about them? > When will we use three of them? > > Thank > Regards, > MR > > > -- > > Message: 4 > Date: Sat, 08 Dec 2012 10:32:54 +0100 > From: "Sebastian G. " > To: tor-talk@lists.torproject.org > Subject: Re: [tor-talk] about tor entry node > Message-ID: <50c30946.1060...@googlemail.com> > Content-Type: text/plain; charset=GB2312 > > esolve esolve: > > what I meant is: > > > > Let me say that an attacker controls some nodes. At a certain time, one > of > > the controlled nodes is used as entry node by a tor client, if the > > attacker doesn't know that the node is used as entry node, then the > > attacker can't identify the client. Even if it examines the IP addresses > of > > the lists of relays, the suspicious IP may belong to a client or a > bridge. > > I might be misinterpreting what you say. > > I don't know what a client does, that a relay does not do, because I > don't know the protocol well enough. (How does a relay extend the circuit?) > > For example clients and bridges can be told apart, because sometimes > bridges do things different than clients. (This is going to be resolved > where ever possible). > > > so why tor designer let the attacker know when a controlled node is used > as > > entry
[tor-talk] Interested in a Tor Browser update script for Debian, Ubuntu and derivatives?
Downloading and gpg verifying Tor Browser each time there is an update gets really tiresome and I think many people either never gpg verified or don't do it sometimes. What if we had a Debian package which contains a Tor Browser updater? I could eventually provide something like this: sudo apt-get install torbrowser-updater torbrowser -update No manual download and verification would be required. I wrote a script to do it. It can do everything automatically. It renames the old TB folder (after success), downloads, fetches the gpg keys from the keyservers, gpg verifies and extracts it. Start menu entries and icons are ready. Also an update checker is basically done. Anyone interested? Just details have to be sorted out. And a Debian package has to be created. Anyone willing to help? Open questions: Do we download the Tor Browser archive in the clear or through Tor have an option for that? Download the Tor Browser signing keys dynamically from the keyservers (more prone to errors when keyserver is down) or ship the public keys? If the signing keys change the package needs to be updated so or so, because there is no package with the signing keys. [3] Alternatives [1] [2] None? [1] Debian package with Tor Browser Tickets #5236 "Make a deb of the Torbrowser and add to repository" [1[ and #3994 "Get TorBrowser in Debian" would only solve the Linux issue and are totally unrealistic. [2] Disto policy is a blocker. Tor Browser is too much of a hack. Too much writing into the home (profile) folder. Distro policy wants to prevent code duplication and does forbid to write (the profile) into the home folder. The policy or packer advice is for such cases is "put the functionality upstream". Exactly this won't work either. According to distro policy it would be best if the Tor Browser specific changes to Firefox could be activated with a command line option. Ideally it could look like this... The iceweasel package would look like: - depends on iceweasel-bin - depends on iceweasel-starter, i.e. normal iceweasel (Firefox) starter, start menu entry and iceweasel icon A Tor Browser Debian package would look like: - depends on iceweasel-bin - depends on torbrowser-starter, i.e. Tor Browser starter, start menu entry and Tor Browser icon This won't happen. Mozilla is generally disinterested takes ages to merge patches. Getting Tor Browser into Linux distros (with Debian-like policy) won't work. [2] Thandy... In which year we will get it? References: [1] https://trac.torproject.org/projects/tor/ticket/5236 [2] https://trac.torproject.org/projects/tor/ticket/3994 [3] https://trac.torproject.org/projects/tor/ticket/5606 ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Botnets through Tor
Hello fellas, As a follow-up to the discussion we started on Twitter, I wanted to start this thread here as well to get the discussion going. The main point of the discussion were: - What can be done to stop botnets abusing Tor for concealing its infrastructure? - What kind of impact would a large adoption by malware writers of Tor and Hidden Services have on the Tor network and its usability? Is it a serious threat to the project? - Is there something the security community and botnet researchers can do to help out? Regards, C. (You can find some contextual info here http://www.reddit.com/r/netsec/comments/14etfq/skynet_a_torpowered_botnet_straight_from_reddit/ ) ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Interested in a Tor Browser update script for Debian, Ubuntu and derivatives?
adrelanos wrote (08 Dec 2012 13:02:54 GMT) : > What if we had a Debian package which contains a Tor > Browser updater? While working on the Tails incremental updates feature [1], I discovered (thanks to Robert Ransom) that, in some threat models one often considers when using Tor, upgrades are much harder to do safely than I initially thought. I strongly suggest reading the TUF project's documentation [2] to learn how much. [1] https://tails.boum.org/todo/incremental_upgrades/ [2] https://www.updateframework.com/ Cheers! ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Interested in a Tor Browser update script for Debian, Ubuntu and derivatives?
intrigeri: > adrelanos wrote (08 Dec 2012 13:02:54 GMT) : >> What if we had a Debian package which contains a Tor >> Browser updater? > > While working on the Tails incremental updates feature [1], > I discovered (thanks to Robert Ransom) that, in some threat models one > often considers when using Tor, upgrades are much harder to do safely > than I initially thought. I strongly suggest reading the TUF project's > documentation [2] to learn how much. > > [1] https://tails.boum.org/todo/incremental_upgrades/ > [2] https://www.updateframework.com/ Thanks, I read it. Quoted and a bit modified: "I believe it is at least as secure as the way users are currently able to manually check if a new TBB version is available, to download and to verify it." The script would be no less secure. It just automates the steps which users are currently supposed to do manually. Cheers, adrelanos ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Botnets through Tor
I think some of the hysteria over this is overdone. > - What can be done to stop botnets abusing Tor for concealing its > infrastructure? For unpublished nodes, nothing that I'm aware of. Hidden services are called that for a reason, and it's necessarily a dual-use technology. You can't weaken it for botnet C&C servers without weakening it for legitimate, vulnerable users. > - What kind of impact would a large adoption by malware writers of Tor > and Hidden Services have on the Tor network and its usability? Is it a > serious threat to the project? If they're using unpublished, non-public Tor infrastructure (which seems to be indicated), nothing. They're just using the software and the protocol, but restricting their paths to nodes they control. If this became wildly popular and all botnets start using public infrastructure for C&C, I would speculate the amounts of traffic Tor sees might be change somewhat (more routing to hidden services, less traffic exiting to the open net). I wouldn't expect to see more abuse complaints or a big performance impact, because: 1) C&C traffic is typically very small -- IRC & occasional plaintext updates pulled through http. 2) Since it would be getting routed to hidden services, nobody really sees it as "bad" traffic. It's not like the bots are actually launching attacks through Tor: this would be a pretty poor strategy, since: A:] it doesn't take advantage of the compromised host's full bandwidth, and B:] the bot herder doesn't really care if Granny in Lithuania gets her door kicked down because her IP was a part of a DDoS -- he only needs anonymity for HIMSELF (not all of his bots -- just his C&C infrastructure) That said, someone who has done more study on tor-internal traffic could probably give a better answer on "how things could change" if C&C starts all getting routed through Tor. > - Is there something the security community and botnet researchers can > do to help out? Other than putting a lot of effort into trying to identify hidden services hosts (which is dangerous for a number of reasons), I imagine not much -- although if this becomes a huge trend and the security community scrutinizes Tor, some new attacks against Tor might be found (and patched). As a "problem," this falls more to the A/V folks, since this whole scheme revolves around spreading through client-side, user-enabled exploitation via trojaned files, and their entire raison d'etre is to prevent that. -S ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
[tor-talk] Aggregate-type settings in torrc
Hi, Are settings like ReachableAddresses guaranteed to aggregate in torrc? E.g., is ReachableAddresses 1.2.3.4:56 ReachableAddresses 7.8.9.1:78 equivalent to ReachableAddresses 1.2.3.4:56, 7.8.9.1:78 It is the case in my tests, but would like to be sure. Also, does obfs2 transport always use TCP? Or can it use e.g. UDP? And last question, is there a reason that a line like ClientTransportPlugin obfs2 exec /usr/bin/obfsproxy --managed causes Tor to always run an obfsproxy daemon, even if there are no obfs2 bridges defined in torrc? Thanks, Maxim -- Maxim Kammerer Liberté Linux: http://dee.su/liberte ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Botnets through Tor
On Sat, Dec 08, 2012 at 05:50:53PM +0100, clau...@shadowserver.org wrote 0.8K bytes in 23 lines about: : - What can be done to stop botnets abusing Tor for concealing its : infrastructure? First off, remember hidden services are just an addressing and routing scheme. They don't actually provide any service at the host. As we've seen with the Dutch National Police and the Anonymous attacks on hidden services, they focused on the software behind the hidden service address. From reading your post, it seems this botnet is just using hidden services for command and control. Since you can't find the c&c host, you have to attack the c&c itself or the application running at the hidden service (likely some IRC software of some kind). : - What kind of impact would a large adoption by malware writers of Tor : and Hidden Services have on the Tor network and its usability? Is it a : serious threat to the project? The constant churn of hidden service circuits would slow down hidden services for all. One of the iterations of "torchat" created a unique hidden service "identity" per contact. This meant a single user with 50 contacts had 51 hidden services on their machine. : - Is there something the security community and botnet researchers can : do to help out? Help figure out the scope of the problem. It's entirely plausible that this one botnet is an experiment to see if hidden services are reliable and performant enough to handle a c&c service. One is not a trend, it's a unicorn (even a brony unicorn). I'd be interested if gnunet or i2p have seem similar usage by botnets. Sure, it gets lots of press when someone mentions "Tor", but at the same time, I can't imagine the entire botnet herder community jumping into one solution to rule them all. Overall, I think you'll see more of these types of c&c servers hosted in decentralized tools and networks. As botnets are taken down and squeezed out of the naked IPv4/IPv6 address space, the output is plausibly decentralized or p2p networks. I said this as much to Interpol in September, see https://svn.torproject.org/svn/projects/presentations/2012-09-04-Interpol-Keynote.pdf or the source with comments at https://svn.torproject.org/svn/projects/presentations/2012-09-04-Interpol-Keynote.odp. -- Andrew http://tpo.is/contact pgp 0x6B4D6475 ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Botnets through Tor
On Sun, Dec 9, 2012 at 5:47 AM, wrote: > I'd be interested if gnunet or i2p have seem similar usage by > botnets. I was going to write that for I2P it is highly unlikely due to autonomous daemon configuration complexity, a dependency on Java, and unreliability wrt. network configuration changes, but here is a botnet advertisement that mentions I2P support: http://uscyberlabs.com/blog/2012/09/24/dark-heart-botnet-tor-c2-bullet-proof-server-collector/ -- Maxim Kammerer Liberté Linux: http://dee.su/liberte ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
