
Tor 0day: Finding IP Addresses - dyslexit
https://www.hackerfactor.com/blog/index.php?/archives/896-Tor-0day-Finding-IP-Addresses.html
======
hyproxia
This article is obviously written by someone who doesn't know what they're
talking about.

>0day

This is not a "0day".

>As it turns out, this is an open secret among the internet service community:
You are not anonymous on Tor.

Careful there with the big assertions.

>The last hop is the exit node. It can see all of your decrypted network
traffic.

I thought we were talking about onion services here, why the subtle context
switch? Does the author even know that onion services don't use exit nodes at
all?

>(Don't assume that HTTPS is keeping you safe.)

Why?

>One claimed to see over 70% of all internet traffic worldwide. Another
claimed over 50%

The key word here is "claimed".

>If you're a low volume hidden service, like a test box only used by yourself,
then you're safe enough. But if you're a big drug market, counterfeiter, child
porn operator, or involved in any other kind of potentially illegal
distribution, then you may end up having a bad day.

I like how the author assumes that these are the only two uses of Tor.

>you simply need a list of known onion services

Good luck getting that with v3 addresses (unless the author of the service has
poor OPSEC).

Not to mention that Tor has provided many fixes for the DDoS issues, but the
author obviously didn't mention them.

~~~
DINKDINK
>>(Don't assume that HTTPS is keeping you safe.)

>Why?

because https depends on certificate authorities and CAs depend on coercible
companies which depend on governments not molesting them.

The existence of QUANTUM INSERT and FOXACID attacks shows CA-based
authentication is weak (either due to their keys being compromised or
coerced). DigiNotar also got pwned.

Strong authentication is one of the unrivaled advantages to onion addresses in
tor.

The CIA also advocates not relying solely on TLS for transport encryption:
[https://news.ycombinator.com/item?id=24426818](https://news.ycombinator.com/item?id=24426818)
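
As an added example (my own code, not the article's and not from either commenter or the Tor project), here is what the "strong authentication" of an onion address actually consists of. A v3 address is the service's 32-byte Ed25519 public key, a two-byte checksum and a version byte, base32-encoded; the layout below follows the Tor v3 rendezvous specification, and the key bytes are a constructed placeholder, not a real service key. Verifying the address is verifying the key, which is why there is no CA to coerce, and also why the address space cannot be scanned for a "list of known onion services":

```python
import base64
import hashlib

VERSION = b"\x03"                   # v3 onion service version byte
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def encode_onion(pubkey: bytes) -> str:
    """Build a v3 .onion hostname from a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses encode a 32-byte Ed25519 public key")
    raw = pubkey + onion_checksum(pubkey) + VERSION    # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion(hostname: str) -> bytes:
    """Parse and verify a v3 .onion hostname; return the public key or raise ValueError.

    The name *is* the key: a client that reaches the service through it is
    talking to whoever holds the matching private key, with no CA in the loop
    to compromise or coerce. Nothing here needs a directory lookup, which is
    also why the address cannot be guessed or enumerated.
    """
    name = hostname.strip().lower()
    if not name.endswith(".onion"):
        raise ValueError("not a .onion hostname")
    label = name[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion labels are exactly 56 base32 characters")
    try:
        raw = base64.b32decode(label.upper())
    except Exception as exc:                           # binascii.Error on a bad alphabet
        raise ValueError(f"invalid base32: {exc}") from None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError(f"unsupported onion version 0x{version.hex()}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupt or tampered")
    return pubkey


# Constructed placeholder key material (NOT a real service key): 32 arbitrary bytes.
DEMO_PUBKEY = hashlib.sha256(b"placeholder key for the example").digest()

if __name__ == "__main__":
    addr = encode_onion(DEMO_PUBKEY)
    print(addr)
    assert decode_onion(addr) == DEMO_PUBKEY
    # Changing the last character alters the version byte, so the address is rejected.
    tampered = addr[:55] + "a" + addr[56:]
    try:
        decode_onion(tampered)
    except ValueError as e:
        print("rejected:", e)
```

Note that the checksum is only two bytes, so it catches typos and corruption, not a motivated attacker; the security property comes from the key itself, which the client uses in the rendezvous handshake.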

~~~
inshadows
That's all true. But surely that's not specific to Tor, is it?

------
kodablah
> The last hop is the exit node. It can see all of your decrypted network
> traffic.

Didn't see it clarified in the article, but IIRC for onion services like OP's
the traffic doesn't go out of traditional internet exit nodes and traffic is
end-to-end encrypted. Not only can the last relay before the onion service not
see all of your decrypted network traffic, I don't believe they can tell they
are even the last relay.

Traffic analysis has been a known issue as long as Tor has existed. What I'd
like to see are solutions. Can Tor be used with some kind of fixed-rate noise
type of protocol (I toyed w/ a rudimentary fixed-rate traffic algo once[0])?
Or is it too broken and do we need another P2P (fixed-transfer-rate) protocol?
i2p, Tribler, etc. haven't gained mass adoption.

0 -
[https://github.com/cretz/deaf9/blob/master/mask/context_read...](https://github.com/cretz/deaf9/blob/master/mask/context_read_write_closer.go)

~~~
abstractbarista
This is a very good point. There is a huge difference between a Tor client
chatting with a Tor hidden service, and a Tor client chatting with a clearnet
service.

Furthermore, it's not as simple as 'see all of your decrypted network
traffic'. Perhaps the Tor client is talking with the clearnet server over TLS
1.3. This presents much more difficulty for the malicious exit node.

------
lilboiluvr69
Interesting article, but I don't see why it's titled '0-day' when he
references a research paper from 2012.

"Although these are old, they are classified as zero-day attacks because there
is no solution."

They are?

~~~
ltbarcly3
So back a long time ago, we counted days from the time an exploit was 'known'.
Now people seem to use it for the time since a patch has been released? I
don't know, but every time I ask I get downvoted.

~~~
judge2020
A 0-day generally means either one person, a single organization, or a small
group of people, know about the exploit in question. As soon as an exploit is
widely known or published, it's not a 0-day since anyone can find it, even if
the exploit is for abandoned software that'll never receive a security fix.

~~~
ltbarcly3
Yep, that's what I said I think (by 'known' I meant publicly). Once it's
widely known, it's a 0 day for 24 hours, then it's not anymore. That's what we
used to mean by 0-day anyway. Other people will tell you that it's a 0-day
until there is a patch against it. I think different people use this
phrase so divergently that using it isn't a useful way to communicate anymore.

~~~
neltnerb
What is it called after there is a patch against it? Does it just stay at like
a 27-day if it takes 27 days to patch?

I feel like in common parlance calling something a 0-day would imply that it
is something the manufacturer didn't expect and has no solution for which is a
big problem. I guess whatever communicates information best. I kind of feel
like we just use 0-day to mean big problems, everything else is just a bug
that has some age, and then fixed stuff doesn't get remembered. Right?

That seems fairly useful, at least in communicating to the general tech media.

~~~
aj3
If you know about the bug, but manufacturer does not provide any patches, you
can still mitigate it, put in place detection measures or just stop using that
software. You can't (necessarily) do those if you don't even know about the
bug yet as it hasn't been published. That's why 0day is a useful term.

------
sneak
I spoke to Adam Levine on the same topic in the summer of 2013, right after
Snowden told us (for the nth time; credit also of course to Mark Klein et al)
about the large-scale passive monitoring of network traffic.

This is a known issue which, like GMail being accessible to the US government
without a warrant, is one that a lot of people simply need to block out to go on
with their daily lives. It's difficult to emotionally integrate the fact that
you can't travel anywhere while holding a cellphone without the military
knowing exactly where you are, and exactly where you've been, for the entire
time you've had a cellphone.

I encourage you to watch the interview, where I describe this precise attack:

[https://youtu.be/9k4GP3Evh9c?t=2018](https://youtu.be/9k4GP3Evh9c?t=2018)

------
auganov
According to this [0] there are only about 1.5k exit nodes and over 6k relays
total. It's a pretty small network. I'm not an expert on tor internals but it
sounds to me like a sufficiently dedicated player could easily control a big
chunk of this. Don't even need crazy money.

I understand that they have mechanisms preventing obviously fake new servers
from flooding the network. But still at these numbers it doesn't seem that
tough to play the long game.

[0]
[https://metrics.torproject.org/networksize.html](https://metrics.torproject.org/networksize.html)

~~~
worldofmatthew
Are you planning to add any relays?

------
Santosh83
Is strong anonymity even theoretically possible on IP based networks?

~~~
jandrese
If your adversary has a god level view of the network then it's really hard to
achieve strong anonymity. The article mentioned large network operators that
can monitor a significant fraction of all traffic in the country. If you were
the Chinese Government you would have an even better view into the network.
Especially if you send a large file somewhere which makes it easy to correlate
the TCP session.

For real anonymity you need something that scrambles and delays your traffic
to make it harder to track. Something that breaks big transfers up into a
bunch of small transfers, sends them via different routes, and generally makes
your experience miserably slow.

~~~
londons_explore
You need a system which sends constant numbers of bytes/second along every
network link.

It would actually be pretty easy to implement for tor (either for the whole
network, or individual nodes or routes), but as far as I can see nobody wants
to work on it.

~~~
ta8908695
It sounds like you're almost describing the Nym mixnet

[https://nymtech.net/#protocol](https://nymtech.net/#protocol)

[https://youtu.be/_2DQ_iYZi5U?t=1580](https://youtu.be/_2DQ_iYZi5U?t=1580)

The tradeoff is you necessarily need to smooth traffic bursts out to meet the
fixed rate and that introduces high latency. Unfortunately most user traffic
is bursty and not continuous.
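
Added example (mine, not the deaf9 code linked above nor Nym's): a simulation of the constant-rate link londons_explore describes, which also makes ta8908695's latency tradeoff measurable. Every tick emits one 512-byte frame (a Tor-cell-sized frame is my assumption) whether or not the application has anything to send; a burst of real data is queued and drained at the fixed rate, so the observer sees the same frame count and sizes either way, and the queueing delay is the cost. The dummy marker is a cleartext length field here only for readability; on a real link every frame would sit under the hop's encryption so dummies are indistinguishable from data.

```python
from collections import deque

FRAME_SIZE = 512               # bytes on the wire per frame (assumption: Tor-cell-sized)
HEADER = 2                     # big-endian length of the real payload; 0 marks a dummy frame
PAYLOAD = FRAME_SIZE - HEADER  # at most 510 bytes of real data per frame


def pack_frame(payload: bytes) -> bytes:
    """Fixed-size frame; an empty payload yields a dummy frame of identical length."""
    if len(payload) > PAYLOAD:
        raise ValueError("payload exceeds frame capacity")
    return len(payload).to_bytes(HEADER, "big") + payload.ljust(PAYLOAD, b"\0")


def unpack_frame(frame: bytes) -> bytes:
    """Strip padding; dummy frames decode to b''."""
    if len(frame) != FRAME_SIZE:
        raise ValueError("malformed frame")
    n = int.from_bytes(frame[:HEADER], "big")
    return frame[HEADER:HEADER + n]


class ConstantRateShaper:
    """Emit exactly one frame per tick whether or not real data is queued.

    Real bytes are queued FIFO and drained at the fixed rate; idle ticks send
    dummies, so the observer sees the same frame count and size regardless of
    what the application did. The price is queueing delay on bursts.
    """

    def __init__(self):
        self.queue = deque()        # (arrival_tick, bytes) in arrival order
        self.real = self.dummy = 0
        self.max_delay = 0          # worst-case ticks a chunk waited to be fully sent

    def offer(self, tick: int, data: bytes) -> None:
        if data:
            self.queue.append((tick, data))

    def tick(self, now: int) -> bytes:
        payload = bytearray()
        while self.queue and len(payload) < PAYLOAD:
            arrived, chunk = self.queue[0]
            take = PAYLOAD - len(payload)
            payload += chunk[:take]
            if take >= len(chunk):              # chunk fully sent this tick
                self.queue.popleft()
                self.max_delay = max(self.max_delay, now - arrived)
            else:
                self.queue[0] = (arrived, chunk[take:])
        if payload:
            self.real += 1
        else:
            self.dummy += 1
        return pack_frame(bytes(payload))


def simulate(arrivals, ticks: int):
    """Run the shaper for `ticks` ticks over [(tick, bytes), ...] bursts; return (frames, stats)."""
    shaper = ConstantRateShaper()
    pending = sorted(arrivals, key=lambda a: a[0])
    frames = []
    for now in range(ticks):
        while pending and pending[0][0] <= now:
            shaper.offer(*pending.pop(0))
        frames.append(shaper.tick(now))
    stats = {"frames": len(frames), "real": shaper.real, "dummy": shaper.dummy,
             "max_delay_ticks": shaper.max_delay, "drained": not shaper.queue}
    return frames, stats


def unshape(frames) -> bytes:
    """Receiver side: concatenate real payloads, ignoring dummies."""
    return b"".join(unpack_frame(f) for f in frames)


if __name__ == "__main__":
    # Constructed bursty input: a 5000-byte burst at t=0 and a 1000-byte one at t=12.
    bursts = [(0, b"a" * 5000), (12, b"b" * 1000)]
    frames, stats = simulate(bursts, 20)
    print(stats)     # {'frames': 20, 'real': 12, 'dummy': 8, 'max_delay_ticks': 9, 'drained': True}
    idle, idle_stats = simulate([], 20)
    print(len(idle) == len(frames), idle_stats["dummy"])   # True 20
```

With the constructed bursts the first 5000 bytes take ten ticks to drain, so the last byte of that burst waits nine ticks; the same twenty frames go out when nothing is offered at all, which is the point. Scale the burst up or the rate down and the delay grows linearly, which is the latency ta8908695 is talking about.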

------
smegcicle
theory: silkroad dpr, as sloppy as his opsec was, was parallel construction

~~~
soulofmischief
DPR advertised for / discussed Silk Road using public accounts with email
associations and usernames which led to his public persona. It was just bad
opsec.

~~~
0xy
That's the public explanation. It doesn't preclude parallel construction nor
does it mean that's how they caught him.

~~~
soulofmischief
Why would you need to create parallel construction when the process of finding
out Ulbricht's identity was painstakingly simple after utilizing basic
OSINT?

He posted stupid things in very public and monitored places and it only took a
little research in the right places to put the pieces together. The economics
of the parallel construction theory are simply untenable. Anyone can search
for keywords on Shroomery and other forums. It's grunt work and loads easier
than actual hacking.

~~~
0xy
If it's "painstakingly simple", why did it take 2.5 years for them to find
him?

~~~
soulofmischief
OSINT is a simple process, it just takes time. In hindsight the red flags were
obvious but you don't just immediately know where to look when investigating
or what to look for.

Your argument doesn't hold water because if parallel construction is so much
easier then why did it take them 2.5 years?

~~~
0xy
I don't think it was easy to find him at all. Parallel construction is also
not easy, they have to figure out how to unmask the server through whatever
0day they choose, then they have to issue NSL or, more likely, get diplomatic
assistance to clone the server's hard drives.

Do you know how long it takes to get another country to cooperate with an
investigation, even if you're buddy-buddy with the country?

~~~
soulofmischief
All I can say is that the information surrounding the investigation, the case,
the court proceedings, all of the evidence, is largely publicly available and
instead of making guesses as to the legitimacy of the ostensible reasons for
Ulbricht's capture, you can do what I've done and read up on all of it.
There's nothing I can say or do to convince you if your attitude is such, and
only direct knowledge of the case will satisfy you.

------
optimalsolver
The fundamental flaw in TOR (and, by extension, all other anonymity clients)
is that its traffic patterns make you stand out from everybody else.

Just using it makes you automatically interesting to state actors.

~~~
t0astbread
Tor relays are publicly known so you don't need traffic pattern analysis to
know if someone is using Tor. Or were you referring to something else?

~~~
mr__y
You could be using a vpn or a proxy making it harder to be matched only based
on IP address you connect to. Traffic pattern analysis would still work.

------
a5withtrrs
Who are the providers referred to in this as 'God'? Is that providers like
akamai/cloudflare/L3 that have big pipes/route lots of traffic?

Edit: I'm assuming Tier 1 network providers for AT&T/CenturyLink (aka L3) etc
as per this list
[https://en.wikipedia.org/wiki/Tier_1_network](https://en.wikipedia.org/wiki/Tier_1_network)

~~~
GuB-42
It looks like they are specialized monitoring companies. They aggregate
traffic data from many ISPs and give them back a global picture. It is to
mitigate DDOS attacks at the network level.

------
t0astbread
Just thinking: From a client's standpoint could the "large download" traffic
correlation be avoided if the client split the large download into multiple
HTTP requests (assuming the server supports that) that are about as large as a
regular webpage request with random delays in between so that it looks like
normal web noise? Of course, it'd take wayyy longer to download but wouldn't
this make the traffic indistinguishable from page requests?
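
t0astbread's idea, as an added example (my own code, not from the page): a client that fetches a large file as many small HTTP Range requests, each about the size of a page load, with random pauses between them. The 20-80 KB piece size and the 1-15 s pause are my assumptions, the origin is a constructed stand-in for a server that honours Accept-Ranges: bytes, and the length check catches the common failure mode of a server that ignores Range and returns the whole object. Whether this defeats the correlation in the article is the open question the comment raises; what the code changes is only the size and timing of individual streams, not the total volume that still leaves the same client.

```python
import hashlib
import random
import time
import urllib.request

# Assumption for the example: 20-80 KB is "about the size of a regular page request".
PIECE_MIN = 20_000
PIECE_MAX = 80_000


def plan_pieces(total_size: int, rng: random.Random):
    """Split [0, total_size) into inclusive byte ranges of jittered, page-like length."""
    pieces, start = [], 0
    while start < total_size:
        end = min(start + rng.randint(PIECE_MIN, PIECE_MAX), total_size) - 1
        pieces.append((start, end))
        start = end + 1
    return pieces


def range_request(url: str, start: int, end: int) -> urllib.request.Request:
    """HTTP request for one inclusive byte range (RFC 7233); built here, not sent."""
    return urllib.request.Request(url, headers={"Range": f"bytes={start}-{end}"})


def fetch_in_pieces(total_size, fetch_range, rng=None, delay=(1.0, 15.0), sleep=time.sleep):
    """Download `total_size` bytes as many small ranged requests with random pauses.

    fetch_range(start, end) must return exactly the bytes of that inclusive
    range (a 206 Partial Content body). A server that ignores Range and sends
    the whole file is caught by the length check instead of silently
    accepted, since that would both defeat the purpose and corrupt the result.
    Returns (data, sha256 hex digest).
    """
    if rng is None:
        rng = random.Random()
    out = bytearray()
    for start, end in plan_pieces(total_size, rng):
        chunk = fetch_range(start, end)
        if len(chunk) != end - start + 1:
            raise ValueError(f"expected {end - start + 1} bytes for {start}-{end}, got {len(chunk)}")
        out += chunk
        sleep(rng.uniform(*delay))       # random think-time so pieces look like separate page loads
    data = bytes(out)
    return data, hashlib.sha256(data).hexdigest()


class ConstructedRangeServer:
    """Stand-in for an origin that supports Accept-Ranges: bytes (constructed for this example)."""

    def __init__(self, blob: bytes):
        self.blob = blob
        self.requests = []

    def get(self, start: int, end: int) -> bytes:
        self.requests.append((start, end))
        return self.blob[start:end + 1]


if __name__ == "__main__":
    blob = bytes(range(256)) * 4000                    # constructed 1,024,000-byte "large download"
    srv = ConstructedRangeServer(blob)
    data, digest = fetch_in_pieces(len(blob), srv.get, random.Random(7), sleep=lambda s: None)
    print(data == blob, len(srv.requests), "pieces", digest[:16])
    print(range_request("http://example.invalid/big.iso", 0, 65535).get_header("Range"))
```

Against a real origin you would send `range_request(...)` through a SOCKS-aware HTTP client pointed at the Tor port and pass its body as `fetch_range`; the integrity digest should be compared with one obtained out of band, since a malicious exit could still tamper with any individual piece of a plain-HTTP download.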

------
ingen0s
Excellent read, if you are going to be using Tor and want to stay off the
grid, i.e. journalism, keeping sources hidden - you need a laptop (netbook that
has no personal info, pre-loaded with your own bridge node as first hop) and a
wifi stick - only connect from remote wifi sites and don't create any patterns
in visiting your physical locations nor sit in front of security cameras.
Swapping the wifi stick between each use will make you virtually invisible.

~~~
greenbush
Why swap wifi sticks? Why not just change the MAC address via the OS between
each use?
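
greenbush's suggestion, as an added example (mine, not from the page): generating a random MAC and applying it with ip(8) on Linux. The detail worth getting right is the first octet: the locally-administered bit (0x02) must be set and the multicast bit (0x01) clear, or the driver or access point may reject the address, and a random first octet with neither bit set would squat on a real vendor OUI. The interface name is hypothetical, the ip commands are the standard iproute2 ones, and the command runner is injectable only so the sequence can be exercised without root.

```python
import os
import re
import subprocess

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def random_laa_mac() -> str:
    """Random unicast, locally-administered MAC: first octet has bit 0 clear and bit 1 set."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] & 0xFC) | 0x02
    return ":".join(f"{x:02x}" for x in b)


def is_laa_unicast(mac: str) -> bool:
    """True only for a well-formed unicast MAC with the locally-administered bit set.

    Anything else is either multicast (drivers and APs reject it) or squats on
    a real vendor OUI, which is itself a weak fingerprint.
    """
    mac = mac.strip().lower()
    return bool(MAC_RE.match(mac)) and (int(mac[:2], 16) & 0x03) == 0x02


def set_mac_commands(iface: str, mac: str):
    """ip(8) command sequence to apply `mac`; most drivers need the link down for the change."""
    if not is_laa_unicast(mac):
        raise ValueError(f"{mac!r} is not a locally-administered unicast MAC")
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def set_mac(iface: str, mac: str, run=subprocess.run) -> None:
    """Apply the change (needs root). `run` is injectable so the sequence can be checked without it."""
    for cmd in set_mac_commands(iface, mac):
        run(cmd, check=True)


if __name__ == "__main__":
    mac = random_laa_mac()              # "wlan0" below is a hypothetical interface name
    print(mac, is_laa_unicast(mac))
    for cmd in set_mac_commands("wlan0", mac):
        print(" ".join(cmd))
```

NetworkManager can do the same per connection (wifi.cloned-mac-address=random) and while scanning (wifi.scan-rand-mac-address=yes); the scanning setting matters because a Wi-Fi stick announces its MAC in probe requests before it ever associates, so changing it only after connecting leaks the old one to anyone listening.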

------
DINKDINK
I don't think anyone in the net-privacy realm would be surprised by anything
written in this blog. A better title would have been: "An overview of Traffic
Analysis intelligence leaks on Tor".

All tor does is provide onion addressing and strong authentication with
increased observation costs for passive observers. Anything beyond that is
a user's myopic extension of crypto-is-a-panacea. Cryptography can provide
protections for observability, it cannot provide protection against
identifiability. Mixnets like remailers or modern traffic mixing like Nym
attempt to address identifiability.

>I read off the address: "152 dot" and they repeated back "152 dot". "19 dot"
"19 dot" and then they told me the rest of the network address. (I was
stunned.) Tor is supposed to be anonymous.

It's hard to tell what the author's genuine understanding of Tor is versus what is
hyperbolic. How surprising is the quoted feat? IPv4 is roughly 2^32 in size.
There are roughly 2.4 million tor users [1], so an observer would need ~22.2
bits to _exactly_ identify them.

The author gives at least (assuming uniformly random IP address distribution,
which isn't the case) ~16 bits of entropy (log(255)/log(2)*2). Which leaves
their counterparty a 1/32, e.g. 2^(22.2-16), chance of guessing their IP. Unless
your IP space is chock full of tor users, it's not surprising an exit node was
able to autocomplete the rest of your IP address. PS If we know the country of
their IP, we need at least ~15.3 bits and at most ~19.7 bits.

The trick is akin to living on a street with a unique name and a retailer auto
completing your address and customer details because you've ordered from them
before and you gave them your street name.

If I was a Global Passive Adversary, I would be probing and rerouting traffic
to see how systems responded: [https://www.ndss-symposium.org/wp-content/uploads/2017/09/ND...](https://www.ndss-symposium.org/wp-content/uploads/2017/09/NDSS2015_Mind_Your_Blocks_Stealthiness_Malicious_BGP_Attacks.pdf)

[https://www.muckrock.com/foi/united-states-of-america-10/req...](https://www.muckrock.com/foi/united-states-of-america-10/request-for-information-on-bgp-hijacking-attacks-in-2013-federal-bureau-of-investigation-77293/)

[1] [https://metrics.torproject.org/userstats-relay-table.html](https://metrics.torproject.org/userstats-relay-table.html)
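
The back-of-the-envelope calculation above, carried through as an added example (my code, not DINKDINK's or the article's) and extended with the "autocomplete" itself. The user count is the 2.4 million figure quoted in the comment, the uniform-distribution assumption is the one the comment flags as unrealistic, and the observed-IP list is constructed. The input the calculation leaves implicit is that a large passive observer already holds a list of addresses it has seen connect to publicly listed Tor relays; two spoken octets then narrow that list to a few dozen candidates, which is the retailer-autocomplete effect.

```python
import ipaddress
import math
import random

TOR_USERS = 2_400_000      # daily-user figure the comment takes from Tor metrics


def bits_to_identify(population: int) -> float:
    """Bits an observer needs to single out one member of `population`."""
    return math.log2(population)


def expected_candidates(population: int, octets_revealed: int) -> float:
    """Users expected to share a spoken prefix of `octets_revealed` leading octets.

    Assumes users are spread uniformly over the 2^32 IPv4 space (the comment
    notes they are not); each spoken octet removes 8 bits of uncertainty.
    """
    return population / 2 ** (8 * octets_revealed)


def candidates_for_prefix(observed_ips, spoken_prefix: str):
    """The 'autocomplete': filter IPs already seen talking to Tor relays by a dotted prefix like '152.19'."""
    octets = spoken_prefix.strip(".").split(".")
    net = ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}")
    return sorted((ip for ip in observed_ips if ipaddress.ip_address(ip) in net), key=ipaddress.ip_address)


def simulate_uniform(population: int, spoken_prefix: str, seed: int = 0) -> int:
    """Count how many of `population` uniformly random IPv4s (constructed) fall in a /16 prefix."""
    hi, lo = (int(o) for o in spoken_prefix.split("."))
    target = (hi << 8) | lo
    rng = random.Random(seed)
    return sum(1 for _ in range(population) if rng.getrandbits(32) >> 16 == target)


if __name__ == "__main__":
    print(f"{bits_to_identify(TOR_USERS):.1f} bits to pin one of {TOR_USERS:,} users")
    print(f"{expected_candidates(TOR_USERS, 2):.1f} users expected per /16 after two spoken octets")
    print("simulated /16 population:", simulate_uniform(TOR_USERS, "152.19"))
    seen = ["152.19.4.7", "152.20.1.1", "10.0.0.1", "152.19.200.3"]   # constructed observer list
    print(candidates_for_prefix(seen, "152.19"))
```

Real allocations are far from uniform, so a /16 belonging to a university or a hosting provider can hold many more, or many fewer, Tor users than the expectation; the observer's list, not the arithmetic, is what makes the trick work.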

------
adam0c
how is this 0-day... old news of whats been public for a long time sounds more
like a n00b on tor

------
stealthbot
[https://fingerprintjs.com/demo](https://fingerprintjs.com/demo) shows that
Tor can still be fingerprinted and uniquely identified across IP addresses.
Your Javascript (navigator) user-agent and timezone are some of the dead
giveaways as they leak the true values.

~~~
aj3
TOR browser != TOR

~~~
stealthbot
yes the network is different than the browser, but the point is that IP based
anonymity is already obsolete

------
hridoyjoy94
use whois. Good online tool to find ip addresses

------
peacemakr_io
This is not news.

------
aaron695
> I read off the address: "152 dot" and they repeated back "152 dot". "19 dot"
> "19 dot" and then they told me the rest of the network address.

This line seems like the big deal. Doesn't matter if it's from 2012 or not a 0
day or about previous posts from this author, how is this possible in 2020 by
anyone, but even a corporation?

Is it this line? - "They just didn't know that this specific address was
mine."

Tor should have shutdown Onions if this line is true as it seems to read.

------
ui9ohNe9
So, what I understand is that hidden services can easily be deanonymized.
People using tor only as a proxy are safe, provided they do not download big
files (who wants to do that anyway, given how slow it is?).

As a Tor user, I'm quite glad to read that, actually. Tor hidden services are
the reason why Tor has this ugly and well-deserved reputation of being a tool
for everything illegal and morally unacceptable. As someone who just wants
strong privacy, I see hidden services as problematic neighbors and I would be
glad to see them go.

~~~
zdkl
Well sample size of 1 and all that but I can attest to at least my legit use
case. I'm hosting some friends-and-family small services from home and front
them with a couple Hidden Services. That gives me some measure of mutual
privacy from my users as well as strict access control via auth being baked in
the transport protocol.

The alternative would have been providing a dynamic DNS type URL, mucking
around with LetsEncrypt and the DNS provider periodically and then
implementing all access control in the servers. I'm lazy, Tor works for this
use case and I'm lucky my users understand the 3 steps to configure their Tor
browser so I'm sold on the usefulness of this mechanism!

~~~
ui9ohNe9
Oh yes, indeed, I'm not implying that all hidden services are objectionable,
but that those who are are many and a major reputation problem - to the point
where we would be better off without hidden services.

I love how you used it for relatives group privacy, though, that sounds cool.

------
Mizza
This has been well known for a long time. It's even vaguely referenced in the
Snowden leaks.

I wish Tor never became an activist project. There are a lot of groups with
nice sounding names like 'Human Rights Watch' - that seem less nice once you
find out who funds them and some of the things they support - that started
offering loads of money starting around 2010 to groups which produced this
kind of technology.

Tor took the money and transformed from an academic project into an activist
one in terms of both staff and marketing, and I think a lot of people are
now using technology they have been told will keep them safe but is actually
only a few steps away from bunkum.

~~~
tjbiddle
Do you have a better alternative to Tor? All of my understanding and reading
has led to it being a great solution for anonymous web browsing.

~~~
Mizza
I mean, I still like Tor. It depends entirely on what your threat models
and goals are.

I2P never gets any attention compared to Tor, but it keeps chugging along. In
many ways, it's a lot better. Their most recent release was on 2020-08-24.

[https://geti2p.net/en/](https://geti2p.net/en/)

~~~
pmontra
I can't assess the merits of i2p but in the comment section of the post I
found this

> i2p is substantially worse.

> It is worse BECAUSE every user is also a relay. I can sit at watch the
> connection, allowing me to map out each user's address. If your server is up
> long enough, you should see everyone eventually.

~~~
Mizza
Really, it's just a different thing. It is an entirely P2P network, so yes,
that's what you get. But, anybody can run a Tor node too, as the article
points out. (Practically speaking, I2P is better for torrents.)

