

Revealing Hidden Services by their Clock Skew (2006) - mcherm
http://www.lightbluetouchpaper.org/2006/09/04/hot-or-not-revealing-hidden-services-by-their-clock-skew/

======
zaroth
Inducing system load on a Tor hidden service, to generate heat from the CPU,
to increase temperature of the quartz crystal driving the system clock, to
cause system clock skew, which is remotely detectable via the TCP sequence
number generated by rand(), or more directly by TCP timestamps (RFC 1323).

This lets you try to check if a given hidden service is running on a known
machine, or if two hidden services are running on the same machine.

Could you skip everything in the middle, since request latency is correlated
with system load? You have to load the server in either case, so both are
active attacks. I think the problem is that latency is so variable due to Tor
itself, it's actually faster to measure server load through clock skew than
through request latency.

How would you find a candidate public server to run this attack against? "Many
hidden servers are also publicly advertised Tor nodes, in order to mask hidden
server traffic with other Tor traffic, so this scenario is plausible." But I
think you would run your public Tor relay on a different machine behind the
same firewall, since you want the absolute minimum amount of processes running
on the machine actually hosting the hidden service.

Not that I know anything about running Tor hidden services.
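The skew measurement the comment refers to, as an added example that is not code from the thread or the linked paper: given passively observed TCP timestamp values (RFC 1323) and our own receive times, fit the remote clock's offset against local time; the slope is the skew in ppm, and the same estimator run over an idle window and a loaded window shows how much the signature moves. It assumes a 1000 Hz timestamp clock, uses ordinary least squares instead of the paper's linear-programming fit, and all samples are constructed, so it is suited to checking the signature of a host you operate yourself.

```python
"""Estimate a host's TCP-timestamp clock skew from observed (rx_time, tsval) pairs."""
from __future__ import annotations

# Assumed timestamp clock rate. RFC 1323 leaves the rate to the implementation;
# 1000 Hz is a constructed choice for this example, not a measured value.
TS_HZ = 1000.0


def skew_ppm(samples: list[tuple[float, int]], ts_hz: float = TS_HZ) -> float:
    """Clock skew in parts per million from (local_rx_time_s, tsval) pairs.

    tsval is the TCP timestamp option value of an observed segment and
    local_rx_time_s is when our reference clock saw it.  The remote clock's
    offset relative to ours is o(t) = tsval/ts_hz - t; the slope of o(t) over
    t is the skew.  Least squares is used here as a simple substitute for the
    linear-programming lower-bound fit used in the published work.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(ts - ts0) / ts_hz - (t - t0) for t, ts in samples]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def synth_samples(duration_s: float, true_skew_ppm: float, step_s: float = 5.0,
                  start_tsval: int = 100_000, ts_hz: float = TS_HZ) -> list[tuple[float, int]]:
    """Constructed observations: a remote tick counter running (1 + skew) times
    too fast, quantised to whole ticks, one segment seen every step_s seconds."""
    out, t = [], 0.0
    while t <= duration_s:
        tsval = start_tsval + int(t * (1.0 + true_skew_ppm * 1e-6) * ts_hz)
        out.append((t, tsval))
        t += step_s
    return out


def skew_change(idle: list[tuple[float, int]], loaded: list[tuple[float, int]]) -> float:
    """Difference in estimated skew (ppm) between two observation windows,
    e.g. before and during a period of CPU load; this is the heat-driven
    signal the comment describes."""
    return skew_ppm(loaded) - skew_ppm(idle)
```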

