

The Pirate Bay in the cloud - ponyous
https://thepiratebay.se/blog/224

======
morsch
The announcement is rather nebulous, as is their way. TorrentFreak has a more
detailed explanation: [http://torrentfreak.com/pirate-bay-moves-to-the-cloud-
become...](http://torrentfreak.com/pirate-bay-moves-to-the-cloud-becomes-raid-
proof-121017/)

It's pretty much what you'd expect, though: The web site is now running on VMs
on two unnamed cloud providers, accessed through a load balancer. All traffic
is still routed through servers they control. The cloud providers apparently
don't know that they're hosting the pirate bay, or pirate cloud as it were. If
a cloud provider goes away, they can move to the VMs to another one. If their
own transit routers go down, no data is lost and it's easy to get back and
running.

~~~
avar
I wonder how vulnerable this approach is to timing attacks similar to the ones
you can use to smoke out onion routed machines.

If you know the physical and network location of their routing boxes and you
keep polling some (e.g. static) resource on their servers you can eliminate
all cloud providers that are further away than the response time as being the
hidden backend.

Let's say you narrow it down to 10 candidates and 5 of them experience some
sort of network issue that gets reflected in the response times of TPB, you've
now narrowed it to 5.

I wonder what they're doing to mitigate these sort of timing attacks meant to
discover their hidden backend.

~~~
mike-cardwell
Or you could just look at the network traffic that the load balancers are
generating to see where the majority of it is going.

I wouldn't bother just taking the load balancers down. I'd go upstream of them
to see where the traffic is going, and then take down those hosts at the same
time as the load balancers.

~~~
vidarh
First you would need to find the load balancer, which means you would first
need to go after their router, then get the cooperation of a second country.
Then you would need the cooperation of two more countries to get at the cloud
providers...

... only for The Pirate Bay to spin up more instances elsewhere and point a
domain or two at it.

~~~
mike-cardwell
I was just pointing out a method that would be considerably more simple to
pull off than a timing attack. I recognise that there are still numerous steps
that would need to be taken to pull it off.

------
charlieirish
For UK Visitors:

The Pirate Cloud

So, first we ditched the trackers.

Then we got rid of the torrents.

Now? Now we've gotten rid of the servers. Slowly and steadily we are getting
rid of our earthly form and ascending into the next stage, the cloud.

The cloud, or Brahman as the hindus call it, is the All, surrounding
everything. It is everywhere; immaterial, yet very real.

If there is data, there is The Pirate Bay.

Our data flows around in thousands of clouds, in deeply encrypted forms, ready
to be used when necessary. Earth bound nodes that transform the data are as
deeply encrypted and reboot into a deadlock if not used for 8 hours.

All attempts to attack The Pirate Bay from now on is an attack on everything
and nothing. The site that you're at will still be here, for as long as we
want it to. Only in a higher form of being. A reality to us. A ghost to those
who wish to harm us.

Adapt or be forever forgotten beneath the veils of maya.

~~~
mike-cardwell
Also, the UK Pirate Party has a "cloud" mirror of TPB:

<https://tpb.pirateparty.org.uk/>

And there is a Tor hidden service for it as well, which can not be taken down
unless Tor it's self is taken down:

<http://jntlesnev5o7zysa.onion/>

And for those who want to use Tor hidden services, but don't have Tor
installed:

<https://jntlesnev5o7zysa.tor2web.org/>

~~~
muoncf
A note to those using Tor, though. Getting your .torrent files and magnet
links over Tor is fine, but please don't route your P2P traffic over Tor.
Bittorrent wasn't designed for anonymity, so you'll be sending all sorts of
data that makes it possible to identify you anyway, but, more importantly, it
makes the Tor network slow as hell.

~~~
yk
To add some detail to your claim: Some clients use UDP and write the IP
address into the body of the message.

[https://blog.torproject.org/blog/bittorrent-over-tor-isnt-
go...](https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea)

~~~
mike-cardwell
Yeah, if you're going to use Bittorrent over Tor, you have to assume that the
Bittorrent client will leak everything it knows about you, and therefore work
to make sure it knows nothing about you.

If you're using a Linux box, you can use iptables to force _all_ TCP traffic
through Tor, dropping everything else. Then make sure the box doesn't know
it's "public" IP address, only it's NAT'ed one. Even if it does a call out to
something like <http://whatismyip.com/> in order to determine it's external IP
address, it wont get the real one because that traffic will have been forced
out through Tor.

See:
[https://trac.torproject.org/projects/tor/wiki/doc/Transparen...](https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy)

Speed wise, Tor appears to be slow, but that is just latency. For throughput
it's fine. Especially if you're connecting to lots of different hosts over
lots of different Tor circuits, as happens with Bittorrent.

But yes, the Tor Project doesn't want you to be using Bittorrent over Tor.

~~~
IsTom
Every packet passing to Tor is passed through a few hosts, this effectiviely
multiplies the traffic, so with your throughput you'll be hogging everyone
out.

------
unreal37
I think this all goes to underscore the fact that TPB doesn't actually HOST
anything anymore. Not .torrent files, and not trackers. Not sure on what
grounds authorities would have to raid them in 2012. There are no files there
any more, just HTML web pages containing magnet links (which are specially
coded URLs). The entire site can be downloaded in a few hundred MB...

It's like TPB has achieved Nirvana. It no longer has a physical presence...

------
andr
In practice this probably means several replicas of the site dormant in
different cloud providers. The providers won't have a clue until they go live.

In effect, they are replacing their current legal protections with a game of
cat and mouse as they switch between clouds.

~~~
chrissnell
I don't think they will have much of a problem from the cloud providers. To
the provider, this just looks like a steady stream of traffic from one of
their instances to another server somewhere on the Internet: something they
see from so many of their customers. It will attract very little attention so
long as they pay their bills.

The transit and load balancer servers are another story. It will become a game
of cat and mouse with colocation providers, the same game that spam purveyors
played in the days before botnets. They will get raided and have to set up a
new server at some provider elsewhere. Eventually they will run out of decent
providers and have to move somewhere on the fringes of the hosting industry
and performance will suffer.

A better approach, in my opinion, is to take the whole thing into the cloud
and to come up with some sort of P2P protocol that is capable of determining
where the transit server(s) live entirely without the aid of centralized DNS.

------
mbq
Aren't the cloud providers capable of simply hibernating a VM on their machine
to get VM's RAM contents and salvage all the config and keys/passwords/network
topology info they want from this dump?

~~~
elliotanderson
Only if they get to them within 8 hours, per the TorrentFreak article - after
which they shut down and require an encryption key to restart. Add in any
level of geographic distribution and it would take more than 8 hours to find,
subpoena and confiscate rendering that technique useless.

~~~
mbq
I was rather thinking about an over-cautious (or over-curious) cloud provider
that would more or less accidentally make a persistent copy of TPB machine's
RAM. This is obviously quite an unlikely scenario, but still possible.

------
ericcholis
I'm sorry, am I the only one that isn't impressed by this? I'm actually quite
stunned that they are treating this like some new discovery. Pop onto HN any
day and see thousands of people talking about cloud. Hell, some local IT
staffing agency in my area has a billboard about cloud servers.

Cloud is mainstream now, why did it take TPB so long to catch up?

//Sorry if it sounds like trolling

~~~
michaelt
We see lots of stories about people running on EC2 and similar services, but
the big players are all pretty straight-laced; witness the speed with which
Amazon kicked off Wikileaks [1] - within about three days.

I don't know how many cloud hosing providers there are - to judge from the way
people talk here there's only EC2 and maybe Linode. You'd need a lot of
providers if you need a new one every 3 days!

[1] [http://www.readwriteweb.com/cloud/2010/12/amazon-drops-
wikil...](http://www.readwriteweb.com/cloud/2010/12/amazon-drops-
wikileaks.php)

~~~
chii
But then if the traffic between the loadbalancer and the actual server is
vpn'ed, you can just sign up using another credit card with another person,
and the host will be none-the-wiser again. That is, until they get another C&D
letter. The game then repeats.

I think eventually, something has to give tho, but hopefully, it will be a
while before that happens.

------
shadowmint
obscure announcement is obscure.

basically seems like they've got a virtual setup now that lets them
essentially deploy "the pirate bay" on anything that runs virtual machines.

Now if they had distributed user run VMs running this private server VPN they
might have something to talk about, but is basically just a hosting change.
Makes it easier for them to move around as hosting get wise and shuts them off
(as it will inevitably do).

The real question is, are they doing something sneaky like having VMs running
on known clouds using encrypted vpn traffic to hide the fact that those
machines are pirate bay VMs, and relays to feed info in and out. ;) Just
speculating...

~~~
vidarh
The description on torrentfreak says their archictecture is basically:

1\. Border router handling inbound traffic, connecting via encrypted VPN to
their load balancer in a different country.

2\. Load balancer which is a disk-less server with all configuration in RAM
that connects via encrypted VPN to two separate sets of VMs at two separate
cloud providers in two different countries.

3\. Said VMs using encrypted disk images, and set up to automatically shut
down if they are out of contact with the load balancer for more than 8 hours,
at which point a keyphrase would need to be entered to unlock the disk images.

I would assume they probably has more routers and load balancers in other
locations ready in case they need to switch over.

They can keep this shell game up forever as long as the people operating it
are able to get online - adding more layers if necessary.

~~~
synctext
> 1\. Border router handling inbound traffic, connecting via encrypted VPN to
> their load balancer in a different country.

To reduce cost this "border router" is probably also running an in-memory
cache such as memcached or varnish. So they simply re-created what
SuprNova.org did in 2003.

9 years ago this was really novel. SuprNova was the first to introduce a load
balancer for both HTML and .torrent hosting.

~~~
Grepsy
If SuprNova did this 9 years ago it makes me wonder what went wrong there what
couldn't go wrong with the PirateBay today?

~~~
pyre
According the Wikipedia, Suprnova shutdown due to legal threats, but never was
taken to court. Basically, they just caved to the pressure. On the other hand,
ThePirateBay has survived police raids and criminal proceedings.

Aside from that, it doesn't sound like SuprNova's setup was quite as intricate
as this. I think that the post above was suggesting that the "caching border
router + encrypted VPN" setup was what SuprNova used, but that's not
everything that ThePirateBay seems to be using. Also, ThePirateBay only has to
host magnet links, which didn't exist (IIRC) back when SuprNova was active.
SuprNova had to host all of the .torrent files.

~~~
synctext
Indeed, Suprnova shutdown due to legal proceedings. Real jailtime is now
coming to Piratebay founders, they are even on record as begging for reduced
jailtime, after the verdict.

It's simple: the exist node in both Tor and Piratebay has all the legal
exposure. That server/caching router/proxy could become impossible to host
anywhere. Move it to USA? Expect 1 hour of uptime:-) Russia? Expect 10seconds
page load times.

Any experience hosting people out there? Are Sweden and The Netherlands the
only few-questions-asked options on town?

------
daemon13
Step 1 - What if their domain is shut down through registry?

This will cut short most of the users who do not remeber IP by heart.

Step 2 - go after static IP and shut it down through ISP.

This will cut the remaining users who remeber old IP by heart.

If executed simultaneously...

~~~
neotek
It would be matter of hours, maybe minutes, before a new domain and IP were up
and running and thousands of blogs and news sites all over the internet would
report on TBP's new location.

------
belorn
In the end, I think it will fall on the dns system to decide if the site will
survive or not. Currently, most TLD's just redirect any request of censoring
by saying "go where the server is and solve the issue at the source". When
that is no longer an option, the political pressure will increase.

Hopefully, TLD's like .se will stand fast and refuse to use the DNS system for
censoring.

~~~
cpeterso
There's always hosts.txt.

~~~
toyg
It's actually etc/hosts, even on Windows -- no .txt. </pedantic>

~~~
dholowiski
Technically i's c:\windows\system32\drivers\etc\hosts on windows. And it's
hidden by default too.

~~~
toyg
I know, hence the absence of initial slash :)

------
Sami_Lehtinen
I would have preferred fully distributed solution. This one is easy to take
down. Also memory snapshots can be take from servers, so disk encryption
doesn't help. Not best possible solution afaik.

~~~
pyre
Disk encryption helps if the load-balancer is taken down before the back-end
servers. Unless they are all taken down without 8 hours, then the servers
shutdown and require a password to unlock FDE.

------
eloisant
Well, DNS is still a single point of failure. You gotta hope The Internet
Infrastructure Foundation is supporting them.

~~~
sspiff
I live in Belgium, where the Pirate Bay has been banned, and ISPs have to
redirect request for TPB to a government notice page through DNS.

Nobody uses the old domains, but there are many mirrors, and people still use
TPB, maybe even more than before. A lot of people just know the IP by heart,
too.

------
oneandoneis2
It's a nice advance and all, but I still think it was cooler when they were
talking about putting masses of micro-servers into orbit to make their hosting
truly impossible to take down :)

------
daurnimator
sure "thepiratebay" as we can define it is linked to wherever the DNS entry
points to?

That is the single point of failure, even in a move to the cloud.

~~~
mseebach
There are many failure modes for a site like TPB. This move removes many, not
all, of them. One important failure mode that has been removed is the one
where the servers are seized and information on them is used to go after
users.

~~~
pyre
Lessened, but not removed. Cloud-providers could be forced to take memory
snapshots of the servers as they are running rather than just shutting them
down, which negates the "shuts down to password-protected FDE" and "only
operates with everything in memory" aspects. It would be much more difficult
to capture memory on a stand-alone machine, but a VM makes it easy.

If authorities are able to figure out the topology of the network, they could
coordinate this.

------
mansoor-s
I would love technical details. Anyone know if they have published them
anywhere?

------
alz
how do they manage their databases, this would be interesting if the system is
truely distributed

------
sergiotapia
Too bad their search feature is absolutely horrendous. Searching for a simple
term like "The Matrix" doesn't return any results at all.

~~~
BCM43
What do you mean? I get a lot of results.

<http://thepiratebay.se/search/the%20matrix/0/99/0>

------
frozenport
"reboot into a deadlock if not used for 8 hours"

Sounds like a bug to me!

~~~
pyre
Full disk encryption that requires a manual password. Nothing fancy. A reboot
requires human intervention.

------
andrewmunsell
Couldn't TPB do something like Silk Road with Tor and a .onion domain? I'm not
exactly sure how that works, but from the limited knowledge I do have, it
seems like that sort of approach would be slightly more difficult to access
but also more difficult to take down...

------
d0m
amen

------
gleen
amazing

------
benologist
Silly article, silly rhetoric.

