Silk Road forums

Discussion => Security => Topic started by: kmfkewm on August 10, 2012, 06:53 am

Title: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 10, 2012, 06:53 am
Two instances of Tor.

Tor one is hidden service, Tor two is normal client. Tor one Torrc uses Tor one as socks proxy. Now circuits look like this:

Hidden Service <-> T2 entry <-> T2 middle <-> T2 exit <-> T1 entry <-> T1 middle <-> T1 final <-> Clients final <-> etc

Now when a client adds some nodes to Tor and forces the hidden service to open an arbitrary number of circuits, they will trace to T1 entry in a matter of seconds very easily. If they do active DOS attacks against the set of nodes that make up the possible selections for T1 entry they may be able to own T1 entry. Of course the feds can simply subpoena one of the nodes that is T1 entry and get the information for the node behind it, which if you use a normal hidden service configuration will be the hidden server itself. But now they merely obtain T2 exit, and furthermore they cannot continue to do the 'force the hidden service to open a billion circuits' traceback attack because T2 is a normal Tor client circuit. Configure the T1 and T2 Torrc appropriately to make sure there is no node reuse (or family reuse?) between the instances of Tor.

Latency is doubled, but it should probably prevent the feds from being able to trace hidden services. Right now they either can, or the only thing stopping them is their own stupidity. Will add donation link to my signature sometime ;).
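As an added example (not kmfkewm's own files), here is a script that writes the single-instance baseline torrc beside the two torrc files realising the layout in the circuit diagram above, where the hidden-service instance (T1) reaches Tor only through the client instance (T2)'s SOCKS port; the strict-guard option kmfkewm mentions later in the thread is included but commented out. All paths, ports and fingerprints are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates torrc files for the
# two-instance hidden service layout: T1 publishes the service and builds
# its circuits through T2, an ordinary Tor client. Paths/ports are assumed.
# Usage: write_torrcs /etc/tor-two && check_chain /etc/tor-two

write_torrcs() {
    dir="$1"
    mkdir -p "$dir"
    # Baseline for comparison: one instance publishes the service directly,
    # so its entry guards talk straight to the server hosting it.
    cat > "$dir/torrc-single" <<'EOF'
DataDirectory /var/lib/tor-single
SocksPort 0
HiddenServiceDir /var/lib/tor-single/hs/
HiddenServicePort 80 127.0.0.1:8080
EOF
    # T2: plain client, no hidden service, only a local SOCKS listener.
    cat > "$dir/torrc-t2" <<'EOF'
DataDirectory /var/lib/tor-t2
ClientOnly 1
SocksPort 127.0.0.1:9052
EOF
    # T1: the hidden service. Socks5Proxy makes every connection to its own
    # guards go through T2's circuits, so T1's guards only ever see T2's exit.
    cat > "$dir/torrc-t1" <<'EOF'
DataDirectory /var/lib/tor-t1
SocksPort 0
Socks5Proxy 127.0.0.1:9052
HiddenServiceDir /var/lib/tor-t1/hs/
HiddenServicePort 80 127.0.0.1:8080
# Optional hardening from later in the thread: pin T1's guards. If the pinned
# guards are DoSed the service goes down rather than picking fresh guards.
# The fingerprints below are placeholders, not real relays.
#EntryNodes $PLACEHOLDER_FP_A,$PLACEHOLDER_FP_B,$PLACEHOLDER_FP_C
#StrictNodes 1
EOF
}

# Sanity check: T1's proxy port must be exactly the port T2 listens on,
# otherwise T1 would silently fail to build any circuits at all.
check_chain() {
    dir="$1"
    t2port=$(sed -n 's/^SocksPort 127\.0\.0\.1:\([0-9]*\)$/\1/p' "$dir/torrc-t2")
    t1proxy=$(sed -n 's/^Socks5Proxy 127\.0\.0\.1:\([0-9]*\)$/\1/p' "$dir/torrc-t1")
    [ -n "$t2port" ] && [ "$t2port" = "$t1proxy" ]
}
```

Start T2 first, then T1, each with its own DataDirectory so the instances keep separate guard state.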
Title: Re: a (possibly) better way to configure hidden services
Post by: LouisCyphre on August 10, 2012, 10:48 am
Quote
Two instances of Tor.

Tor one is hidden service, Tor two is normal client. Tor one Torrc uses Tor one as socks proxy. Now circuits look like this:

Hidden Service <-> T2 entry <-> T2 middle <-> T2 exit <-> T1 entry <-> T1 middle <-> T1 final <-> Clients final <-> etc

Now when a client adds some nodes to Tor and forces the hidden service to open an arbitrary number of circuits, they will trace to T1 entry in a matter of seconds very easily. If they do active DOS attacks against the set of nodes that make up the possible selections for T1 entry they may be able to own T1 entry. Of course the feds can simply subpoena one of the nodes that is T1 entry and get the information for the node behind it, which if you use a normal hidden service configuration will be the hidden server itself. But now they merely obtain T2 exit, and furthermore they cannot continue to do the 'force the hidden service to open a billion circuits' traceback attack because T2 is a normal Tor client circuit. Configure the T1 and T2 Torrc appropriately to make sure there is no node reuse (or family reuse?) between the instances of Tor.

Latency is doubled, but it should probably prevent the feds from being able to trace hidden services. Right now they either can, or the only thing stopping them is their own stupidity. Will add donation link to my signature sometime ;).

That's a very interesting idea and probably needs to be tested.  Perhaps if you set a test site up and draft Shannon to try and find it.  ;)
Title: Re: a (possibly) better way to configure hidden services
Post by: owenk on August 10, 2012, 02:41 pm
I've been meditating lately on how to make tor hidden services more hidden. As it stands now it seems relatively easy to de-anonymize a server through traffic analysis, modulating patterns on both endpoints, etc. For any serious long-term cloaking I think you would need a long daisy-chain of servers from different datacenters in various parts of the world, and a regular scheduling of rolling to the next IP, leaving the old ones forever. I'll keep saying it... we can run faster scared than they can angry. I think the next step in the evolution of anonymity is a cloud-based network of anonymous, donated VPSs that anybody can set up (think a VirtualBox appliance spread around via torrent) and each one runs a small fragment of the overall operation with massive redundancy across the board. Latency goes up, not to mention all the other technical challenges, but this seems like a wise medium-term goal.
Title: Re: a (possibly) better way to configure hidden services
Post by: sourman on August 10, 2012, 03:30 pm
Great post!

IMHO, LE can probably trace any hidden service if they make a single, coordinated effort. Making it harder will only delay the inevitable if enough resources are dedicated to the process. It has to be nearly impossible (and not just difficult) or there has to be another layer of protection beyond the hidden service.

My guess is that SR is always changing servers, all of which are remotely managed through tor, public wifi, etc and only for a short period of time. As long as they can quickly deploy the SR clone in 1-2 steps and make all subsequent configuration changes offline before uploading them, they won't have to be exposed to the server for long.

I don't know how feasible it is to seamlessly rotate servers hosting a hidden service. If it's possible and doesn't introduce too much downtime, then they are either doing this already or should look into it.
Title: Re: a (possibly) better way to configure hidden services
Post by: Shannon on August 10, 2012, 03:47 pm
k i think arma needs to hire your ass for the good of mankind

actually i can't imagine your resume going over well

name: *bangs on keyboard*
cv: admined drug boards
references: bunch of nyms
etc :P

Quote
That's a very interesting idea and probably needs to be tested.  Perhaps if you set a test site up and draft Shannon to try and find it.  ;)

with https://shadow.cs.umn.edu/design/ a live site isn't even needed, k can make his own simulated tor network (all running the daemon with his proposed modification) and try to haxx the gibsons

Quote
I don't know how feasible it is to seamlessly rotate servers hosting a hidden service. If it's possible and doesn't introduce too much downtime, then they are either doing this already or should look into it.

it's easy work
Title: Re: a (possibly) better way to configure hidden services
Post by: sourman on August 10, 2012, 04:34 pm
Quote
name: *bangs on keyboard*
cv: admined drug boards
references: bunch of nyms

That first line made me LOL.
Title: Re: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 10, 2012, 07:26 pm
Quote
Two instances of Tor.

Tor one is hidden service, Tor two is normal client. Tor one Torrc uses Tor one as socks proxy. Now circuits look like this:

Hidden Service <-> T2 entry <-> T2 middle <-> T2 exit <-> T1 entry <-> T1 middle <-> T1 final <-> Clients final <-> etc

Now when a client adds some nodes to Tor and forces the hidden service to open an arbitrary number of circuits, they will trace to T1 entry in a matter of seconds very easily. If they do active DOS attacks against the set of nodes that make up the possible selections for T1 entry they may be able to own T1 entry. Of course the feds can simply subpoena one of the nodes that is T1 entry and get the information for the node behind it, which if you use a normal hidden service configuration will be the hidden server itself. But now they merely obtain T2 exit, and furthermore they cannot continue to do the 'force the hidden service to open a billion circuits' traceback attack because T2 is a normal Tor client circuit. Configure the T1 and T2 Torrc appropriately to make sure there is no node reuse (or family reuse?) between the instances of Tor.

Latency is doubled, but it should probably prevent the feds from being able to trace hidden services. Right now they either can, or the only thing stopping them is their own stupidity. Will add donation link to my signature sometime ;).

That's a very interesting idea and probably needs to be tested.  Perhaps if you set a test site up and draft Shannon to try and find it.  ;)

I have tested it and it works fine, although there is higher latency. I have not done an in depth analysis of the anonymity properties, but the only problem I can imagine would be if T1 and T2 re-use nodes between them. Even that wouldn't be horrible for a hidden service, considering the entry guard can already trivially determine if it is an entry guard for any given hidden service. You might not even need to protect from node reuse for hidden services, although if you were a normal client it would be important to do so because you would definitely not want to reuse the same node for entry and exit in that case. I would bet five hundred bucks that configuring a hidden service to use two instances of Tor in this way would extremely increase the anonymity provided. As it stands today, tracing hidden services is trivial. You can trace to each of a hidden service's entry guards in under a minute, and then it is just a matter of either forcing it to change to new entry guards until it picks one of yours, or if you are a stronger attacker simply sending a court order to one of the entry guards or its infrastructure. A hidden service with an entry guard in USA could realistically be deanonymized in a couple of hours if the feds had a fucking clue.


Quote
IMHO, LE can probably trace any hidden service if they make a single, coordinated effort. Making it harder will only delay the inevitable if enough resources are dedicated to the process. It has to be nearly impossible (and not just difficult) or there has to be another layer of protection beyond the hidden service.

If LE actually had a clue they wouldn't even need to spend much effort to trace hidden services. If I had the powers of even a low ranking federal agent I could certainly deanonymize any 'out of the box' configured hidden service. It is simple.

Quote
My guess is that SR is always changing servers, all of which are remotely managed through tor, public wifi, etc and only for a short period of time. As long as they can quickly deploy the SR clone in 1-2 steps and make all subsequent configuration changes offline before uploading them, they won't have to be exposed to the server for long.

Hopefully they actually know what they are doing if they always change servers; it would be a waste of time to change the location of the server without rotating all of its entry guards. But the time frame they will have to switch the server to a new location is very small, hidden services can be traced very quickly by moderately powerful attackers (and FBI has legal powers that put it well within this range, even if their technical people are dumb shits).

Quote
I don't know how feasible it is to seamlessly rotate servers hosting a hidden service. If it's possible and doesn't introduce too much downtime, then they are either doing this already or should look into it.

It can be done with no downtime at all very easily.

Quote
k i think arma needs to hire your ass for the good of mankind

actually i can't imagine your resume going over well

name: *bangs on keyboard*
cv: admined drug boards
references: bunch of nyms
etc :P

I doubt that they want anything to do with anyone who has such a resume :P.

Title: Re: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 10, 2012, 07:27 pm
Quote
I think the next step in the evolution of anonymity is a cloud-based network of anonymous, donated VPSs that anybody can set up (think a VirtualBox appliance spread around via torrent) and each one runs a small fragment of the overall operation with massive redundancy across the board.  Latency goes up, not to mention all the other technical challenges, but this seems like a wise medium-term goal.

that sounds somewhat like freenet
Title: Re: a (possibly) better way to configure hidden services
Post by: pine on August 10, 2012, 07:53 pm
What are your thoughts on the Jondonym network, kmfkewm?
Title: Re: a (possibly) better way to configure hidden services
Post by: sourman on August 10, 2012, 08:33 pm
Quote
Hopefully they actually know what they are doing if they always change servers; it would be a waste of time to change the location of the server without rotating all of its entry guards. But the time frame they will have to switch the server to a new location is very small, hidden services can be traced very quickly by moderately powerful attackers (and FBI has legal powers that put it well within this range, even if their technical people are dumb shits).

Assuming larger onion sites such as this one are independently hosted, wouldn't switching to a new server on an entirely different netblock completely change the entry guards? Or is this something linked to the onion domain's public key? In that case, I'm guessing they'd have to generate a new URL every time the server is moved in order to distance the new server from the old.

In any case, you can always move the server, rotate the entry guards manually (if that's even possible), AND have the hidden service run through an additional tor client set to avoid node reuse. Also, is there some kind of parameter in the torrc that allows you to increase the amount of nodes in a circuit past 3-4?
Title: Re: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 10, 2012, 09:01 pm
Jondonym is a fine VPN and you will not likely find much better, they cooperate immediately with court orders but prior to a court order requesting logs to a specific site or from a specific user they do not log anything. Also the court orders need to be carried out against individual nodes, which are in different jurisdictions. Of course such a small network is much easier for a passive attacker to pwn though.

You can make Tor circuits up to 8 nodes; there are network limits that prevent you from extending past that, although there is little point in using additional nodes. The goal of the scheme I show in the OP is not to add additional nodes but rather to gain the anonymity benefits of Tor running as a non hidden service client for Tor hidden services.

Actually come to think of it, I believe Tor automatically rotates entry guards if it detects that your IP address has changed, so as long as they are not using strict entry guards in their Torrc, Tor would take care of the details of changing entry guards when the server's location changes for them.
Title: Re: a (possibly) better way to configure hidden services
Post by: sourman on August 10, 2012, 09:49 pm
Gotcha. You don't need too many nodes per circuit, more important are the other benefits to running the hidden service through a client, such as preventing that build-lots-of-circuits-to-find-entry-guards attack you mentioned. Not sure about hidden services, but the client always rotates entry guards if you aren't using a bridge. I know that's obvious -- I just hope the hidden service does the same after a while.
Title: Re: a (possibly) better way to configure hidden services
Post by: derpsec on August 11, 2012, 01:42 am
JonDonym at least notifies everybody that the police are doing a trace on the mixmaster network. According to their site they've only ever done it twice, and both times were for some CP posting scum.

Quote
Everybody keeps saying that hidden services can be easily deanonymized, yet I've never seen anyone actually do it with a modern version of Tor. Yes, I know there was a paper from SIX years ago that did it, but supposedly those holes have been plugged. I'm thinking of setting up an HS and offering a BTC reward to the first person who can tell me the IP address. I just need to do it in a way that keeps me anonymous, and I haven't figured that part out yet.

They will prob easily get it from your insecure application or web server before having to brute force down some guard nodes and find where you are. You would need significant resources to do that, but any idiot running Havij can SQL dump and get root login.

I don't think it matters if the Tor hidden service is really that hidden. Everybody using it should be encrypting anyways, so who cares if it's seized. Remember there are still open carding and pir8 forums on clearnet that have been operating for years running on immunity hosting that don't give a shit about hiding. Worst case scenario is the cops impersonate you but if you're using GPG to sign messages and tell everybody you have a new server and not to use the old one, their scam runs dry.

If you really want to keep your Tor hidden service hidden, then you become a small time hosting service and host your own Tor server, paid for by bitcoins that you claim some customer owns. When the police come in with a warrant, you are the guy they ask to retrieve the box that has that service, so you immediately know it's compromised and can even secretly dead man switch it to shred drive or something as you bring it over to them :). I've always assumed that's what SR is doing, he's prob one of the bitcoin hosting guys in the wiki and buried on one of the racks is this site. Would be a good excuse to be cashing a lot of bitcoins too, since you run a bitcoin hosting service.
Title: Re: a (possibly) better way to configure hidden services
Post by: steelseth on August 11, 2012, 01:53 am
Quote
JonDonym at least notifies everybody that the police are doing a trace on the mixmaster network. According to their site they've only ever done it twice, and both times were for some CP posting scum.

Quote
Everybody keeps saying that hidden services can be easily deanonymized, yet I've never seen anyone actually do it with a modern version of Tor. Yes, I know there was a paper from SIX years ago that did it, but supposedly those holes have been plugged. I'm thinking of setting up an HS and offering a BTC reward to the first person who can tell me the IP address. I just need to do it in a way that keeps me anonymous, and I haven't figured that part out yet.

They will prob easily get it from your insecure application or web server before having to brute force down some guard nodes and find where you are. You would need significant resources to do that, but any idiot running Havij can SQL dump and get root login.

I don't think it matters if the Tor hidden service is really that hidden. Everybody using it should be encrypting anyways, so who cares if it's seized. Remember there are still open carding and pir8 forums on clearnet that have been operating for years running on immunity hosting that don't give a shit about hiding. Worst case scenario is the cops impersonate you but if you're using GPG to sign messages and tell everybody you have a new server and not to use the old one, their scam runs dry.

If you really want to keep your Tor hidden service hidden, then you become a small time hosting service and host your own Tor server, paid for by bitcoins that you claim some customer owns. When the police come in with a warrant, you are the guy they ask to retrieve the box that has that service, so you immediately know it's compromised and can even secretly dead man switch it to shred drive or something as you bring it over to them :). I've always assumed that's what SR is doing, he's prob one of the bitcoin hosting guys in the wiki and buried on one of the racks is this site. Would be a good excuse to be cashing a lot of bitcoins too, since you run a bitcoin hosting service.
Havij is a useless piece of shit used only by script kiddies, and no matter how fucked up the scripting of a website is you could NOT get root, NEVER EVER NEVER.
SQL dump to get root..... LOL
Oscar, is this you again? Give up and go home.
Title: Re: a (possibly) better way to configure hidden services
Post by: derpsec on August 11, 2012, 02:10 am
Quote
JonDonym at least notifies everybody that the police are doing a trace on the mixmaster network. According to their site they've only ever done it twice, and both times were for some CP posting scum.

Quote
Everybody keeps saying that hidden services can be easily deanonymized, yet I've never seen anyone actually do it with a modern version of Tor. Yes, I know there was a paper from SIX years ago that did it, but supposedly those holes have been plugged. I'm thinking of setting up an HS and offering a BTC reward to the first person who can tell me the IP address. I just need to do it in a way that keeps me anonymous, and I haven't figured that part out yet.

They will prob easily get it from your insecure application or web server before having to brute force down some guard nodes and find where you are. You would need significant resources to do that, but any idiot running Havij can SQL dump and get root login.

I don't think it matters if the Tor hidden service is really that hidden. Everybody using it should be encrypting anyways, so who cares if it's seized. Remember there are still open carding and pir8 forums on clearnet that have been operating for years running on immunity hosting that don't give a shit about hiding. Worst case scenario is the cops impersonate you but if you're using GPG to sign messages and tell everybody you have a new server and not to use the old one, their scam runs dry.

If you really want to keep your Tor hidden service hidden, then you become a small time hosting service and host your own Tor server, paid for by bitcoins that you claim some customer owns. When the police come in with a warrant, you are the guy they ask to retrieve the box that has that service, so you immediately know it's compromised and can even secretly dead man switch it to shred drive or something as you bring it over to them :). I've always assumed that's what SR is doing, he's prob one of the bitcoin hosting guys in the wiki and buried on one of the racks is this site. Would be a good excuse to be cashing a lot of bitcoins too, since you run a bitcoin hosting service.
Havij is a useless piece of shit used only by script kiddies, and no matter how fucked up the scripting of a website is you could NOT get root, NEVER EVER NEVER.
SQL dump to get root..... LOL
Oscar, is this you again? Give up and go home.

Never get root no matter how fucked up the site is coded? You probably think chroot boosts security too. Google how to get root on a server from running injections on phpMyAdmin. Look up how people can access your shitty CMS and find stuff still in /tmp they can run to root the entire box. I purposely used Havij as an example that any idiot can do it. I'm betting this guy isn't going to be running a box full of IDS and static thttpd pages, more likely a shit CMS install where you can get Python or Drupal to run a symlink exploit in +w mode and recursive write everything chmod 777. Yes this has actually happened.
Title: Re: a (possibly) better way to configure hidden services
Post by: steelseth on August 11, 2012, 02:20 am
LOL
I sent you a PM. I even created a username and pass for you to install whatever the fuck you want on it.
If you get root you can keep it.
Title: Re: a (possibly) better way to configure hidden services
Post by: sourman on August 11, 2012, 03:13 am
No one has publicly demonstrated their ability to do so, but it's certainly feasible when the attacker has essentially all the resources in the world. Obviously side channel attacks are the way to go in these cases, so it may simply be a matter of time until they either discover a major vulnerability, get damning evidence from a CI, or get tired of trying and just attack the tor network itself. Or there may not be enough pressure to go after SR itself, and LE will concentrate on busting the low hanging fruit, i.e. vendors and users who fuck up. Even if they took down this site, others will pop up in its place as long as bitcoins can be freely traded. Perhaps financial regulation will be their weapon of choice.
Title: Re: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 11, 2012, 04:47 am
Quote
Everybody keeps saying that hidden services can be easily deanonymized, yet I've never seen anyone actually do it with a modern version of Tor. Yes, I know there was a paper from SIX years ago that did it, but supposedly those holes have been plugged. I'm thinking of setting up an HS and offering a BTC reward to the first person who can tell me the IP address. I just need to do it in a way that keeps me anonymous, and I haven't figured that part out yet.

They 'plugged' the hole by introducing entry guards, now instead of being able to trace the hidden service in 60 seconds you can trace three nodes that are directly connected to it in 60 seconds. That solves the issue if the attacker is able to add two nodes to the Tor network, but doesn't do shit to protect from attackers who can simultaneously DDOS selected entry guards until they own one of the targets, or even easier simply send a court order to one of the identified entry guards or its infrastructure. If the guard is in USA they don't even need a warrant to do a trap and trace on it and then they can identify the hidden service from that. At the very best a normally configured hidden service is as anonymous as its least secure entry guard is from being hacked, at worst it is as anonymous as someone tracing to its entry guards in a minute and then using a trap and trace on one of them.
Title: Re: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 11, 2012, 04:53 am
Quote
They will prob easily get it from your insecure application or web server before having to brute force down some guard nodes and find where you are. You would need significant resources to do that, but any idiot running Havij can SQL dump and get root login.

Right, some hidden services have been identified through insecure applications, but I have yet to find one documented case of a HS being deanonymized through an attack on the Tor network in the last 2 years. If I did my experiment, I definitely wouldn't run PHP or MySQL. Just a static HTML page. I'd have to look into which web server is the most secure. Probably a lightweight one with few features (that can be exploited).

I guess nobody who has the skills to trace hidden services wants to do it. I have been thinking of implementing the trace to entry guards attack, it would take me all of an hour to make a program that would be able to identify any normally configured hidden service's entry guards in a few minutes at the most. Getting around entry guards would be more of a challenge for me, since I can not just order their ISP to monitor traffic to and from them. I would give it a shot with a sustained CPU DOS against its entry guards and hope that it selects one of my entry guards while I can maintain the DOS, but that is less sure. One thing though is that I lack any real motivation to do this, I don't particularly want to attack any hidden service and I support Tor. If I knew that I would get $10,000+ for deanonymizing a hidden service, and I didn't have any ideological objection to doing so, I would be a lot more motivated to actually go to the trouble (and spend the money required... at least a few servers, particularly if I wanted to try a sustained DOS against several entry guards) to do it.
Title: Re: a (possibly) better way to configure hidden services
Post by: awakened350 on August 11, 2012, 06:48 am
Quote
They will prob easily get it from your insecure application or web server before having to brute force down some guard nodes and find where you are. You would need significant resources to do that, but any idiot running Havij can SQL dump and get root login.

Right, some hidden services have been identified through insecure applications, but I have yet to find one documented case of a HS being deanonymized through an attack on the Tor network in the last 2 years. If I did my experiment, I definitely wouldn't run PHP or MySQL. Just a static HTML page. I'd have to look into which web server is the most secure. Probably a lightweight one with few features (that can be exploited).

I guess nobody who has the skills to trace hidden services wants to do it. I have been thinking of implementing the trace to entry guards attack, it would take me all of an hour to make a program that would be able to identify any normally configured hidden service's entry guards in a few minutes at the most. Getting around entry guards would be more of a challenge for me, since I can not just order their ISP to monitor traffic to and from them. I would give it a shot with a sustained CPU DOS against its entry guards and hope that it selects one of my entry guards while I can maintain the DOS, but that is less sure. One thing though is that I lack any real motivation to do this, I don't particularly want to attack any hidden service and I support Tor. If I knew that I would get $10,000+ for deanonymizing a hidden service, and I didn't have any ideological objection to doing so, I would be a lot more motivated to actually go to the trouble (and spend the money required... at least a few servers, particularly if I wanted to try a sustained DOS against several entry guards) to do it.

I absolutely love lurking the security threads and reading up on all of this stuff but most of it goes right over my head. I'm fairly tech savvy but don't have much network experience. Any tips on where to start reading to gain an understanding of how all this works and at least understand what everyone is talking about? :)
Title: Re: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 11, 2012, 07:41 am
Quote
They will prob easily get it from your insecure application or web server before having to brute force down some guard nodes and find where you are. You would need significant resources to do that, but any idiot running Havij can SQL dump and get root login.

Right, some hidden services have been identified through insecure applications, but I have yet to find one documented case of a HS being deanonymized through an attack on the Tor network in the last 2 years. If I did my experiment, I definitely wouldn't run PHP or MySQL. Just a static HTML page. I'd have to look into which web server is the most secure. Probably a lightweight one with few features (that can be exploited).

I guess nobody who has the skills to trace hidden services wants to do it. I have been thinking of implementing the trace to entry guards attack, it would take me all of an hour to make a program that would be able to identify any normally configured hidden service's entry guards in a few minutes at the most. Getting around entry guards would be more of a challenge for me, since I can not just order their ISP to monitor traffic to and from them. I would give it a shot with a sustained CPU DOS against its entry guards and hope that it selects one of my entry guards while I can maintain the DOS, but that is less sure. One thing though is that I lack any real motivation to do this, I don't particularly want to attack any hidden service and I support Tor. If I knew that I would get $10,000+ for deanonymizing a hidden service, and I didn't have any ideological objection to doing so, I would be a lot more motivated to actually go to the trouble (and spend the money required... at least a few servers, particularly if I wanted to try a sustained DOS against several entry guards) to do it.

I absolutely love lurking the security threads and reading up on all of this stuff but most of it goes right over my head. I'm fairly tech savvy but don't have much network experience. Any tips on where to start reading to gain an understanding of how all this works and at least understand what everyone is talking about? :)

The attack against hidden services is pretty straightforward. Hidden services open new circuits (three nodes, entry -> middle -> final) for every client connection request. The entry guard is from a small selection of nodes (generally three), but the middle and final node are selected from the entire pool of Tor nodes. An attacker who wants to trace a hidden service can add a relay node to the network and then (even from the same relay node...) use a specially modified client that sends tons of new connection requests to the hidden service and sends it a specially modulated stream of packets (watermarked, via deliberately created inter-packet timing characteristics). After doing this it immediately tears down the circuit, rinses and repeats. Now it only needs to wait until it detects this watermarked stream passing through it as a relay, and then it can observe the node it forwards this data onto. Since it sent the stream, it knows that it is a relay on the path to the hidden service; it can also select to use another node under its control as a rendezvous node so it can identify the hidden service's final node and know if it is it, and by viewing where the watermarked traffic came from it can determine if it is the middle or entry guard for the hidden service. If it is the middle node it identifies the hidden service's entry guard (one of the three anyway), if it is the entry guard it identifies the hidden service.

After identifying the server's three entry guards (which takes all of a couple of seconds to minutes), there are a few things the attacker can do. Powerful attackers (passive / external) like the feds (assuming they are not complete fucking retards, which is asking for a pretty big assumption on your part, but humor me) would probably do one of two things: if any of the entry guards are located in the USA they can do warrantless trap and traces of the entry guard to determine the IP addresses of the servers it communicates with and when, and then they could do an end point timing correlation attack to deanonymize the hidden service. If all of the entry guards are outside of the USA they could use a mutual legal assistance treaty to accomplish the same thing, although they may be delayed by some period of time ranging from hours to maybe even months, depending on the location of the entry guards. However, there is a tremendous chance that any given hidden service has at least one entry guard in either the USA or Germany, and normally entry guards rotate every month to two months, so even if they are out of luck this month, next month they will probably be in luck.

Less powerful attackers (active / internal), like me, would be forced to try and get the hidden service to use one of our entry guards (since we can not do passive/external surveillance on the entry guards as easily as the feds can). The number one way to accomplish this is likely via a CPU exhaustion DOS. If the hidden service's three entry guards can not manage its circuits, it will select new ones that can. If an attacker can do a sustained CPU exhaustion attack against all selected entry guards until one of its entry guards is selected, it can deanonymize the hidden service with an end to end timing attack after its entry guard is utilized. One way around this attack would be to select strict guard nodes in Torrc; then if the hidden service's entry guards are DOSed the hidden service becomes unreachable, but at least it can not be forced into selecting new entry guards until it is deanonymized.

The solution in the OP works like this. There are two instances of Tor running on the hidden service server. One (HST) manages the hidden service's circuits, the other (CT) is a normal instance of Tor running as a regular non-hidden-service client. The Torrc of HST is configured to use CT as a socks proxy. This results in a circuit that looks like this:

Hidden Server <-> CT entry <-> CT middle <-> CT Exit <-> HST Entry <-> HST middle <-> HST Final <-> Clients Final

Now the malicious client can still force the hidden service to open an arbitrary number of HST circuits, and can do the previously mentioned attack to trace up to HST entry. However, if the weak active attacker does sustained DOS against all selected HST entry nodes until they own one of them, they are only in a position to identify CT exit instead of the hidden server. Likewise, if the feds use a trap and trace or MLAT to passively spy on HST Entry, they are only in a position to identify CT exit, not the hidden server. Normal Tor clients that do not serve hidden services will not open a new circuit per request; rather, they rotate circuits approximately once every ten minutes. Thus, the "force the hidden service to open a billion new circuits and send watermarked traffic down them" attack becomes infeasible to carry out, and the hidden service remains as anonymous as a regular Tor client. This is probably adequate to protect from non-retarded-fed level attackers (if such a mythical beast actually exists).
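The two-instance layout described in this post, written out as concrete torrc files. This is an added example for the thread, not configuration posted by kmfkewm or shipped by the Tor project; the base directory taken as an argument, CT's SocksPort 9150, the virtual port 80 and the local backend 127.0.0.1:8080 are assumptions chosen for illustration. All option names (DataDirectory, ClientOnly, SocksPort, Socks5Proxy, HiddenServiceDir, HiddenServicePort, Log) are real torrc options.

```shell
#!/bin/sh
# Added example for this thread (not the OP's or the Tor project's code).
# Writes two torrc files: CT, a plain Tor client, and HST, the hidden-service
# instance whose relay connections are sent through CT's SOCKS port, so that
# HST's entry guards only ever see the exit of CT's circuit.
# Assumed values: the base directory given as an argument, CT's SocksPort
# 9150, virtual port 80 and the local backend 127.0.0.1:8080.

CT_SOCKS_PORT=9150            # where CT listens; HST's Socks5Proxy points here
HS_VIRTUAL_PORT=80            # port that clients of the .onion connect to
HS_TARGET=127.0.0.1:8080      # local web server the hidden service fronts

# write_torrcs BASE: create BASE/torrc-ct and BASE/torrc-hst plus data dirs
write_torrcs() {
    base="$1"
    mkdir -p "$base/ct" "$base/hst"
    chmod 700 "$base/ct" "$base/hst"

    # CT: an ordinary client. It builds circuits like any Tor user and rotates
    # them on the usual schedule, which removes the per-request circuit
    # creation that the tracing attack in the post relies on.
    cat > "$base/torrc-ct" <<EOF
DataDirectory $base/ct
ClientOnly 1
SocksPort 127.0.0.1:$CT_SOCKS_PORT
Log notice file $base/ct/notices.log
EOF

    # HST: serves the hidden service. SocksPort 0 so no local program can use
    # this instance by mistake; Socks5Proxy sends every connection HST makes
    # to its own guards through CT instead of straight from this machine.
    cat > "$base/torrc-hst" <<EOF
DataDirectory $base/hst
SocksPort 0
Socks5Proxy 127.0.0.1:$CT_SOCKS_PORT
HiddenServiceDir $base/hst/service
HiddenServicePort $HS_VIRTUAL_PORT $HS_TARGET
Log notice file $base/hst/notices.log
EOF
}

# torrc_value FILE KEY: print the value of the first KEY line in FILE
torrc_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_chaining BASE: succeed only if HST's Socks5Proxy is exactly CT's
# SocksPort, HST exposes no SocksPort of its own, and the two instances do
# not share a DataDirectory (sharing one would mix their state and guards).
check_chaining() {
    base="$1"
    ct_socks=$(torrc_value "$base/torrc-ct" SocksPort)
    hst_proxy=$(torrc_value "$base/torrc-hst" Socks5Proxy)
    hst_socks=$(torrc_value "$base/torrc-hst" SocksPort)
    ct_data=$(torrc_value "$base/torrc-ct" DataDirectory)
    hst_data=$(torrc_value "$base/torrc-hst" DataDirectory)
    [ -n "$ct_socks" ] && [ "$ct_socks" = "$hst_proxy" ] \
        && [ "$hst_socks" = "0" ] && [ "$ct_data" != "$hst_data" ]
}

# Usage: sh two-tor.sh /var/lib/tor-chain
# CT must be running before HST, since HST cannot reach its guards without it.
if [ $# -eq 1 ]; then
    write_torrcs "$1" && check_chaining "$1" && \
        printf 'start CT first: tor -f %s/torrc-ct\nthen HST:       tor -f %s/torrc-hst\n' "$1" "$1"
fi
```

Two practical points follow from the layout. First, CT's circuit must end at an exit whose policy allows a connection to the guard's ORPort, so CT will only use exits that permit that destination. Second, the node-reuse concern raised later in the thread has no automatic torrc answer: each instance's guards are recorded in its own DataDirectory state file, and keeping the two sets disjoint means feeding one instance's guard fingerprints to the other's ExcludeNodes, a manual step that has to be repeated whenever guards rotate.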
Title: Re: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 11, 2012, 07:53 am
This would also be very beneficial for clients, because if the feds can not locate the hidden service to put it under surveillance, they can not complete an end to end timing correlation attack against clients, even if they watch the clients sending and receiving traffic.

Some potential things to consider:

1. The latency of the hidden service will be roughly doubled, as the circuit from the hidden service is doubled.

2. There may be some anonymity problems with reusing nodes between the two instances of Tor, although I suspect this is less serious a concern for hidden services.

3. There may be a fingerprint left in client entry return traffic, as the response time after sending traffic will be uncharacteristically high, although cover traffic going down the same circuit should muddy this, and it really beats having a hidden service that can be traced in a day and then watched passively to complete 50% of an end to end timing correlation attack.
Title: Re: a (possibly) better way to configure hidden services
Post by: kmfkewm on August 11, 2012, 09:33 am
I believe it took a matter of seconds in some cases, but it was definitely in the range of minutes and not hours.
Title: Re: a (possibly) better way to configure hidden services
Post by: pine on August 11, 2012, 01:22 pm
k i think arma needs to hire your ass for the good of mankind

actually i can't imagine your resume going over well

name: *bangs on keyboard*
cv: admined drug boards
references: bunch of nyms
etc :P

In a pragmatic world it should be a perfectly reasonable CV to submit; I mean the operational/technical abilities of a professional criminal/hacker + the correct kind of intuition/paranoia you develop with experience are pretty much the exact recipe required for the best intelligence operatives/spooks. Black market and intelligence agency cooperation are not exactly the stuff of science fiction when you read around.

Problem is that you're also supposed to be blindly patriotic, lol nope. I can see people here supporting the state when they further higher ideals of the West, because agorists are not skin deep libertarians. There is a sense in which it'd be accurate to say agorists don't support the state because they are more patriotic than the people within it. I cannot envisage allegiance to a specific nation state and somebody like kmfkewm singing "Oh say can you see", to be honest. Just no. There are limits you know :D

More generally on the subject of motivation, I think you can give a person oodles of cash and stuff but eventually all but the most base of people climb Maslow's Pyramid and yearn for a higher purpose. It's an instinctive and powerful urge that's frequently underestimated or misunderstood by many people, e.g. "mid-life crisis"; people don't like feeling like machine cogs. Adam Smith wrote a good deal on that subject, it's a pity few people actually read him. I think it's strongly related to the urge to explore (sadly limited to our little blue orb for now) and even paternalistic 'protectionist' instincts; I think that's why so many 40/50 somethings suddenly develop an overwhelming interest in abstract concepts like climate change, local politics, or an obsessive desire to obtain elaborate methods of transport. If that kind of mental energy can be harnessed correctly then it's immensely powerful, but it also has a dark side because it can be self destructive: "burn all the bridges" / some dude almost living in his garden shed compulsively creating squirrel manikins out of spit and horsehair or something equally insane that winds up in the Guinness book of records or obtains an Ig prize.
Title: Re: a (possibly) better way to configure hidden services
Post by: pine on August 11, 2012, 01:26 pm
Quote
I think that's why so many 40/50 somethings suddenly develop an overwhelming interest in abstract concepts like climate change, local politics, or an obsessive desire to obtain elaborate methods of transport. If that kind of mental energy can be harnessed correctly then it's immensely powerful, but it also has a dark side because it can be self destructive "burn all the bridges" / some dude almost living in his garden shed compulsively creating squirrel manikins out of spit and horsehair or something equally insane that winds up in the Guinness book of records or obtains an Ig prize.

Just had the unsettling thought that I could eventually wind up in the land of Topix doing missionary work to convert the natives to public key cryptography.
Probably would get eaten by the cannibals or something.
Title: Re: a (possibly) better way to configure hidden services
Post by: sourman on August 11, 2012, 02:18 pm
Quote
After identifying the server's three entry guards (which takes all of a couple of seconds to minutes), there are a few things the attacker can do. Powerful attackers (passive / external) like the feds (assuming they are not complete fucking retards, which is asking for a pretty big assumption on your part, but humor me) would probably do one of two things: if any of the entry guards are located in the USA they can do warrantless trap and traces of the entry guard to determine the IP addresses of the servers it communicates with and when, and then they could do an end point timing correlation attack to deanonymize the hidden service. If all of the entry guards are outside of the USA they could use a mutual legal assistance treaty to accomplish the same thing, although they may be delayed by some period of time ranging from hours to maybe even months, depending on the location of the entry guards. However, there is a tremendous chance that any given hidden service has at least one entry guard in either the USA or Germany, and normally entry guards rotate every month to two months, so even if they are out of luck this month, next month they will probably be in luck.

Perhaps SR uses some custom script (or an admin that never sleeps) to cherry pick entry guards and close circuits with a pattern of suspicious nodes/timing. Not sure what criteria they'd use to find the bad ones reliably, though sticking to old nodes in territories that don't cooperate with the US/EU would be a good start, even if node-picking is limited to entry guards. Even discarding circuits/entry guards at random is bound to make the hidden service harder to trace, even though it would no longer be stable.

You could also buy a network of your own relays in hacker haven countries, or pay off someone who already operates a bunch of them. That doesn't solve the inherent vulnerability allowing the tracing in the first place, but it will make it much harder for LE to take any kind of action should they ever find the server, especially if it's being moved around frequently. I'm sure someone out there can write a function to dynamically relocate the server based on triggers that would indicate an attempt to compromise tor, although the gov't could use this to DoS the hidden service.

Quote
In a pragmatic world it should be a perfectly reasonable CV to submit, I mean the operational/technical abilities of a professional criminal/hacker + the correct kind of intuition/paranoia you develop with experience is pretty much the exact recipe required for the best intelligence operatives/spooks. Black market and intelligence agency cooperation are not exactly the stuff of science fiction when you read around.

True, but in a perfect world, there would be no need for a black market or the kind of intelligence agencies we have today.

Quote
More generally on the subject of motivation I think you can give a person oodles of cash and stuff but eventually all but the most base of people climb Maslow's Pyramid and yearn for a higher purpose

I don't think finding a hidden service would be that difficult.. lol j/k. But yeah, that's human nature. Very few people are still doing at 80 what they set out to do at 25, or even 45. Priorities change when you realize what is most important to you.
Title: Re: a (possibly) better way to configure hidden services
Post by: igotquestions on December 09, 2012, 09:42 pm
Greetings,

Does the hidden service need to be created under Tor One? If so, is there a target and virtual port?!
Does the term hidden service refer to tunnelling Tor Two's traffic through Tor One by specifying Tor One's listening address in Tor Two's proxy setting?

Help needed, thanks.