Hacking Tor, the anonymity onion routing network
On October 4th one of our readers sent in a very worrying analysis of what appeared to be "traffic modification" (in his words) on the part of the Tor network.
The Tor ("The Onion Router") network is an anonymizing overlay network of volunteer-run relays on the Internet. It bounces traffic through several encrypted hops so that linking a user to the destination they are talking to by traffic analysis becomes difficult (though, as the paper quoted below notes, not impossible for an observer who sees both ends). Tor is a perfect example of a dual-use technology: it can be used to avoid government-imposed Internet censorship or to protect the identity of a corporate whistleblower, but at the same time it is sadly ideal for various nefarious uses.
The key tenet of Tor is that it should protect anonymity, and the reader's analysis pointed not only to traffic modification on the part of a so-called "exit router" (the last hop in a Tor circuit before your packets reach the real destination) but also to an attempt at tracking the true origin of the traffic (a Tor relay knows only the previous and next hop of a circuit, not the originating client, so an exit should never be able to learn who the user is).
Both William Salusky and myself looked into the data and it seemed to implicate packetstormsecurity.org, an exit router in Denmark and, more curiously, a DNS tunnel used to transmit data out (via obviously fake hosts under the t.packetstormsecurity.org domain). This last item was interesting because the DNS names replicated data which was apparently being set on the client via an HTTP cookie. The idea, it seemed, was to have the cookie travel through Tor to the unwitting user and then be sent back, outside Tor, as a DNS lookup to an external host, so that the tracker could pair the cookie with the user's real IP address. Both of us were busy, so after looking a little deeper we recommended that the reader report this to the Tor authors.
Well, the moral of the story is that our reader, who sadly asked not to be named in the original e-mail, was dead right and a paper entitled "Practical Onion Hacking" by Andrew Christensen was released today on packetstormsecurity.org.
Our combined analysis had it almost entirely correct, except that the DNS tunnel was not quite in Dan Kaminsky's "let's carry RealAudio over DNS" style but a simpler, trackable DNS request, and we had guessed at but not entirely understood the Shockwave Flash trick. All in all a pretty impressive paper, warmly recommended.
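To make the cookie-to-DNS correlation concrete, here is an added example (not code from the diary or from Christensen's paper) that models both ends of the trick and doubles as a detector. A user fetches content that a hostile exit has tampered with, receives a unique cookie value, and something on the client then resolves a name of the form token.t.zone outside Tor (for instance a plugin that ignores the browser's proxy settings). The tracker's web server only ever sees a Tor exit IP, but its authoritative DNS server sees the query arriving from the user's real resolver, and the token ties the two observations together. The zone name, the log formats, the base32 encoding of the token and all addresses are assumptions constructed for this example.

```python
"""
Added example, not code from the diary or from Christensen's paper.

Models the cookie-to-DNS correlation the diary describes: the web server
(reached through Tor) logs cookie values against Tor exit IPs, the
authoritative DNS server for the tracker zone logs query names against
the resolver IPs that asked, and a token carried in the DNS label links
the two.  Zone name, log formats, encoding and addresses are constructed
for illustration.
"""
import base64
import re

TRACKER_ZONE = "t.tracker.example"  # assumed stand-in for the diary's t.<domain> zone

# Web-server view: the source IP is a Tor exit, so it cannot identify the user.
HTTP_RE = re.compile(r"^(?P<ip>\S+) .*? cookie=(?P<cookie>\S+)")
# Authoritative-DNS view: the source IP is whoever resolved the name (the user's resolver).
DNS_RE = re.compile(r"^(?P<ip>\S+) (?P<qname>\S+) A$")


def to_label(token: str) -> str:
    """Pack an opaque cookie value into a DNS-safe label (base32, unpadded, lower-case)."""
    return base64.b32encode(token.encode()).decode().rstrip("=").lower()


def from_label(label: str) -> str:
    """Inverse of to_label; returns '' when the label is not a base32 token."""
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded).decode()
    except (ValueError, UnicodeDecodeError):
        return ""


def correlate(http_lines, dns_lines, zone=TRACKER_ZONE):
    """Return (token, exit_ip_seen_by_web_server, resolver_ip_seen_by_dns) triples."""
    cookies = {}
    for line in http_lines:
        m = HTTP_RE.match(line)
        if m:
            cookies[m["cookie"]] = m["ip"]

    suffix = "." + zone
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m or not m["qname"].endswith(suffix):
            continue
        label = m["qname"][: -len(suffix)]
        if "." in label:  # only single-label beacons are considered here
            continue
        token = from_label(label)
        if token in cookies:
            hits.append((token, cookies[token], m["ip"]))
    return hits


# Constructed sample logs.  203.0.113.x play Tor exits; 198.51.100.23 and
# 192.0.2.55 play the users' real (ISP) resolvers.
HTTP_LOG = [
    "203.0.113.7 GET /t.swf cookie=a1b2c3d4",
    "203.0.113.9 GET /t.swf cookie=ffee0011",
]
DNS_LOG = [
    f"198.51.100.23 {to_label('a1b2c3d4')}.{TRACKER_ZONE} A",  # the beacon
    "198.51.100.23 www.example.org A",                          # unrelated query
    f"192.0.2.55 {to_label('ffee0011')}.{TRACKER_ZONE} A",
]

if __name__ == "__main__":
    for token, exit_ip, resolver_ip in correlate(HTTP_LOG, DNS_LOG):
        print(f"cookie {token}: web server saw exit {exit_ip}, DNS saw resolver {resolver_ip}")
```

Two caveats worth keeping in mind. First, what the DNS side reveals is the address of the user's recursive resolver (typically the ISP's), not necessarily the user's own host, but that is already a far better fix on the user than a Tor exit in another country. Second, the leak only exists because something on the client resolved the name outside Tor; a client that hands hostnames to the Tor SOCKS proxy for resolution and blocks plugins that bypass the proxy never generates the query, and running the same correlation over your own resolver's logs while Tor is in use is a cheap way to catch such beacons.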
Finally a closing remark quoting from the actual paper for those who think Tor is "game over":
"Clearly Tor's designers have done a pretty good job: I couldn't find any weakness in Tor itself that violates the tenets set out at http://tor.eff.org/ (basically that end-to-end traffic analysis is always possible, but the traffic analysis should [be] difficult to everything but a global Echelon). So instead, I attacked the data which Tor carries the most of: web traffic."
NetSol Worldnic DNS server issues
As several of our readers have pointed out to us, it is Network Solutions' turn to have DNS problems. A number of their servers seem to be having intermittent issues.
Bellsouth.(net|com) troubles
Update: As of about 16:00 UTC, the Bellsouth DNS server issue appears to have cleared.
We've received several reports telling us that Bellsouth.(net|com)'s services are down. This seems to be not only affecting their DNS servers, but it also is affecting their Managed Services, email, hosted email, and who knows what else.
It does not appear to be affecting their managed internet services.
Thanks to the many readers who wrote in and let us know.