Silk Road forums
Discussion => Security => Topic started by: kmfkewm on September 04, 2013, 11:28 am
-
A huge botnet is attacking Tor, nobody is sure exactly what it is doing but some think it could be trying to trace hidden services by tracing to entry guards and knocking them out until the HS's select attacker guards.
-
I had my suspicions. Don't have to be a genius to look at the debug and which circuits are failing. There's a couple of relays I'm flagging.
Anyone know how to configure tor to reject 'suspect' nodes from the circuit builds?
-
Yep, tor-talk has some interesting discussion about the problem. Some traffic from exit nodes attacking relays.
It's a hard problem for Tor to solve. They can't implement IP-based filtering or logging for obvious philosophical reasons. I think "hope it goes away" is the current answer. I don't like that answer.
Building circuits to hidden services seems heavily impacted. Not sure if that's because of number of hops necessary, or because of load on HSDir/etc infrastructure. Or if some nodes are just refusing to return hidden service descriptors.
-
> Yep, tor-talk has some interesting discussion about the problem. Some traffic from exit nodes attacking relays.
> It's a hard problem for Tor to solve. They can't implement IP-based filtering or logging for obvious philosophical reasons. I think "hope it goes away" is the current answer. I don't like that answer.
> Building circuits to hidden services seems heavily impacted. Not sure if that's because of number of hops necessary, or because of load on HSDir/etc infrastructure. Or if some nodes are just refusing to return hidden service descriptors.
Any link to the discussion?
-
Well, was planning on going on 'vacation' anyway. Still... had to pull listings early. Took ages just to get on. Had to get out while I still could :(
Not to sound negative or nothing, but this is my last post for a while till I get back. Presuming there will be a hidden service to come back to.
Adios!
-
Sometimes I think about how barbaric this age's moral positions may appear in several hundred years, and wish I had been born quite a bit later. Then I wonder if our race will make it several hundred years, and it occurs to me that this may actually be the pinnacle of all human civilization ever to exist in the universe.
And I still think it's a shitty time to be alive...
Oh, and BTW: subbed.
-
Yes, maybe large traffic clogging or another correlation attack. Consider who would have motive to do this. Think not hackers ;)
Testing of the new massive government data center that opened over in the US very recently?
Also think the attacks on FH were maybe a smoke screen for another attack that happened then too. Remember some people say the jscript changed very early in the attack. Foods for minds :o
-
What's to keep someone from starting a bajillion clients on their machine and sending junk requests through it to overload the system?
-
Seems to be DDOS/Hijacking.
I tried to get onto the SR about one hour ago, and I got a yellowish page with on top of it some banner, but it did not load 100%
SR is down for me for the last 4 hours.
Can we put up some list of fishy entry nodes here? The SR audience tends to go to the forums.
Peace
-
Comment on arstechnica:
otakucode, Smack-Fu Master, in training
Thu Aug 29, 2013 11:31 am
I've been running Windows 7 on a VM for awhile, and I noticed VirtualBox indicating that it was using a lot of network activity... when it was just sitting there at the desktop. I did a netstat and it was immediately clear that somehow my little VM had become a Tor node! I shut it down, booted the VM off of a Kaspersky rescue/recovery disc, did a scan with it, and it turned up some malware. I have no idea how that VM got infected. I do not surf the web on that VM. It is used almost exclusively for running an MP3 tagging application and the Directory Opus file manager for managing files on my local network (the only thing I really can't leave behind in favor of Linux' options... nothing touches Directory Opus for file management).
http://arstechnica.com/security/2013/08/tor-usage-doubles-in-under-a-week-and-no-one-knows-why/?comments=1&start=0
-
> I had my suspicions. Don't have to be a genius to look at the debug and which circuits are failing. There's a couple of relays I'm flagging.
> Anyone know how to configure tor to reject 'suspect' nodes from the circuit builds?
I know that exit nodes can be flagged as a "bad exit" by (I am assuming) the directory servers; not sure about entry guards or anything in between. I don't think there's a way to set the default tor client to reject certain nodes over others, although I do remember some kind of command line option that may allow one to reject nodes that fall under user-defined performance parameters.
We need to be careful about modifying tor as that could be one of the attacker's goals. Most tor "tricks" users come up with end up separating them from the crowd and may compromise their anonymity.
Here's the link to the latest tor-talk archives btw: https://lists.torproject.org/pipermail/tor-talk/2013-September/thread.html (CLEARNET)
EDIT: ...and the tor project just released their latest newsletter addressing the issue: https://blog.torproject.org/blog/ (CLEARNET)
-
Huh, that's odd. I can use Tor for clearnet fine but not SR... maybe DPR is just a cheap ass who doesn't want to put his millions into some decent servers.
-
Maybe it's not a huge botnet? Maybe the NSA Utah data center just went online? >:(
> A huge botnet is attacking Tor, nobody is sure exactly what it is doing but some think it could be trying to trace hidden services by tracing to entry guards and knocking them out until the HS's select attacker guards.
-
> Huh, that's odd. I can use Tor for clearnet fine but not SR... maybe DPR is just a cheap ass who doesn't want to put his millions into some decent servers.
Hidden services are being impacted the most by whatever this is. SR is one of the hardest hit because of all the users hammering the network at the same time. I'm sure less popular hidden services are easier to connect to.
-
> Huh, that's odd. I can use Tor for clearnet fine but not SR... maybe DPR is just a cheap ass who doesn't want to put his millions into some decent servers.
> Hidden services are being impacted the most by whatever this is. SR is one of the hardest hit because of all the users hammering the network at the same time. I'm sure less popular hidden services are easier to connect to.
Can't be the case, dude... SR is a tiny site in the massive Tor system; there are more popular sites than this.
-
Which onion sites are bigger? I think SR is the most popular.
-
> Comment on arstechnica:
> otakucode, Smack-Fu Master, in training
> Thu Aug 29, 2013 11:31 am
> I've been running Windows 7 on a VM for awhile, and I noticed VirtualBox indicating that it was using a lot of network activity... when it was just sitting there at the desktop. I did a netstat and it was immediately clear that somehow my little VM had become a Tor node! I shut it down, booted the VM off of a Kaspersky rescue/recovery disc, did a scan with it, and it turned up some malware. I have no idea how that VM got infected. I do not surf the web on that VM. It is used almost exclusively for running an MP3 tagging application and the Directory Opus file manager for managing files on my local network (the only thing I really can't leave behind in favor of Linux' options... nothing touches Directory Opus for file management).
> http://arstechnica.com/security/2013/08/tor-usage-doubles-in-under-a-week-and-no-one-knows-why/?comments=1&start=0
That's some scary shit right there if it's true and as stated.
-
> Which onion sites are bigger? I think SR is the most popular.
Which onion sites are bigger?
TITS4BITS
(j/k, it's a joke site I mentioned on a thread that I really should create, since the name looks like two big tits with the 4 squeezed in the cleavage... I can stare at that name all day lol)
-
I had difficulties logging on at first (to the forums), but everything is back to speed for me. Has been for about 15 minutes. I tried SR a few times, but I don't want to spam requests to a system that may have too much going on. It sucks not to have the technical knowledge to fully understand what is or may be happening.
Voracious
-
> It sucks not to have the technical knowledge to fully understand what is or may be happening.
Plenty of people with lots and lots of technical knowledge, including some of Tor's core developers, don't appear to understand exactly what may be happening right now.
My best guess at the moment: lots of compromised/infected PCs (a botnet) seem to be connecting to each other, or to their own Command&Control servers, using Tor hidden services. They may be doing this for a number of reasons. It could be malicious (either as a Denial of Service attack against the Tor network, or to try to move clients to compromised entry guards). It could also be a result of some really stupid decisions by whoever wrote the Tor connections into the botnet code.
The net result is that getting to Tor hidden services is especially slow and difficult. It takes a long time to get a circuit built so you can get to a hidden service. You could get lucky and get there on the first try, you could spend half an hour hitting reload and waiting.
-
There is finally a small downtick in the number of directly connecting clients in the experimental estimation method:
https://metrics.torproject.org/users.html#userstats
Does that mean anything yet? I don't know.
-
> They may be doing this for a number of reasons. It could be malicious (either as a Denial of Service attack against the Tor network, or to try to move clients to compromised entry guards).
THIS! I fear that this may be some kind of attempt to de-anonymize as many users as possible at once. Route as many users as possible through just a few select exit nodes. I have seen A LOT of these two relays today: Arachnide94, and GoldenDragon.
-
> They may be doing this for a number of reasons. It could be malicious (either as a Denial of Service attack against the Tor network, or to try to move clients to compromised entry guards).
> THIS! I fear that this may be some kind of attempt to de-anonymize as many users as possible at once. Route as many users as possible through just a few select exit nodes. I have seen A LOT of Arachnide94, and GoldenDragon nodes today.
I have seen a number of people mentioning that two particular nodes keep connecting or failing in some sort of pattern. However, they appear to be a different pair of relays for different users. Does this mean anything? We have no idea!
-
I really wish I had a clue about what everyone is saying.
-
> THIS! I fear that this may be some kind of attempt to de-anonymize as many users as possible at once. Route as many users as possible through just a few select exit nodes. I have seen A LOT of these two relays today: Arachnide94, and GoldenDragon.
I'm not saying that it's definitely *not* some deanonymization attack, but I think it's relatively unlikely. Most likely explanation is stupidity (botnet developer writing shitty code). Second most likely explanation is that it's a DoS attack, but long-term, that's a waste of a perfectly good botnet the owner can monetize.
If it's Command&Control traffic for a botnet, then that botnet is having as shitty of an experience as I am.
And if it's a deanonymization attack, it's EXTREMELY unlikely to be first-world law enforcement. Gee, Mister Judge, can I launch a world-wide DoS attack to catch dudes buying weed on SR? I don't think that will fly *this year*. Maybe in a couple years at this rate. And if NSA needs to do something this retarded to deanonymize Tor users, then they should be fired for fucking incompetence, given all the tools at their disposal. It'd have to be a criminal organization (and I can't see how they monetize it, so I rule that out) or a small nation (a Syria, etc) wanting to deanonymize a subset of users and not giving a shit about the impact.
-
> t this may be some kind of attempt to de-anonymize as many users as possible at once. Route as many users as possible through just a few select exit nodes. I have seen A LOT of these two relays today: Arachnide94, and GoldenDragon.
Arachnide and GoldenDragon are most likely your entry guards. You can search for them on torstatus.blutmagie.de
The botnet is just Tor clients, not relays. The amount of relays didn't increase significantly since the botnet started to screw around.
-
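Several posters above say they "look at the debug and which circuits are failing" and then see the same two relays over and over; the reply just above points out that those are most likely the client's own entry guards. The following is an added example (not code from any poster or from the Tor project) that tallies per-relay circuit failures from Tor control-port "650 CIRC" events and shows why the first hop inherits the overall failure rate. The event lines, nicknames and shortened fingerprints are constructed placeholders; the field layout (id, status, path of $fingerprint~nickname hops, then KEY=VALUE fields) is assumed to match the control protocol.

```python
import re
from collections import defaultdict

# Constructed sample events: fingerprints shortened to placeholders, nicknames made up.
SAMPLE_EVENTS = """\
650 CIRC 12 BUILT $AAAA~GuardOne,$BBBB~MidA,$CCCC~ExitA PURPOSE=GENERAL
650 CIRC 13 FAILED $AAAA~GuardOne,$DDDD~MidB PURPOSE=GENERAL REASON=TIMEOUT
650 CIRC 14 FAILED $AAAA~GuardOne,$EEEE~MidC,$FFFF~RendB PURPOSE=HS_CLIENT_REND REASON=DESTROYED REMOTE_REASON=RESOURCELIMIT
650 CIRC 15 FAILED $AAAA~GuardOne,$DDDD~MidB PURPOSE=GENERAL REASON=TIMEOUT
650 CIRC 16 BUILT $AAAA~GuardOne,$EEEE~MidC,$CCCC~ExitA PURPOSE=GENERAL
650 CIRC 17 LAUNCHED BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL
"""

# "650 CIRC <id> <status> [<path>] <KEY=VALUE ...>"; the path is optional (e.g. LAUNCHED).
EVENT_RE = re.compile(r"^650 CIRC (\d+) (\w+)(?: (\$\S+))?(.*)$")
# One hop: $<hex fingerprint> followed by ~ or = and the relay nickname.
HOP_RE = re.compile(r"\$([0-9A-Fa-f]+)[~=]([A-Za-z0-9]+)")

def parse_circ_event(line):
    """Return (circ_id, status, [nicknames in hop order], {KEY: VALUE}) or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    circ_id, status, path, rest = m.groups()
    nicks = [nick for _fp, nick in HOP_RE.findall(path or "")]
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return int(circ_id), status, nicks, fields

def relay_stats(events_text):
    """Per relay: circuits it was in, how many of those failed, how often it was hop 1."""
    stats = defaultdict(lambda: {"seen": 0, "failed": 0, "first_hop": 0})
    for line in events_text.splitlines():
        ev = parse_circ_event(line)
        if ev is None or ev[1] not in ("BUILT", "FAILED"):
            continue  # LAUNCHED/EXTENDED/CLOSED are not final build outcomes
        _, status, nicks, _ = ev
        for pos, nick in enumerate(nicks):
            s = stats[nick]
            s["seen"] += 1
            s["failed"] += int(status == "FAILED")
            s["first_hop"] += int(pos == 0)
    return dict(stats)

def frequent_failers(stats, min_seen=2):
    """Relays that failed in more than half of the circuits they were part of.
    The first hop is the client's own entry guard and sits on every circuit it
    builds, so it always shows the overall failure rate; that alone says nothing."""
    return sorted(n for n, s in stats.items()
                  if s["seen"] >= min_seen and s["failed"] * 2 > s["seen"])
```

On the constructed sample, GuardOne is flagged purely because it is hop 1 of every circuit (first_hop == seen), while MidB is the only relay whose failures are not explained by guard position.
-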
Looks like that downtick was an error; it's now gone.
-
> Looks like that downtick was an error; it's now gone.
No, it's still there, you just can't see it when using the default dates:
https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2013-07-07&end=2013-09-05&country=all#userstats-relay-country
-
subbed
-
maybe Anonymous is about to smash some sites...
or maybe the Syrian regime is fucking some shit up..
via the US' help...
:( idk.
/thumbs