Presentation given in 2010 about Tor, attack vectors, and advanced usage.

2. Overview
 Anonymity systems
 Review of how Tor works
 Tor Project Inc.
 Helper tools and accessories
 Advanced Tor control
 Attack Vectors

3. Anonymity Systems
 JAP
 I2P
 Freenet
 Xerobank
 Botnets

4. Freenet
 Storage network p2p based
 Shares files on your system to other nodes
 Plausabile Deniability

5. I2P
 Opposing design of Tor
 UDP based
 Darknet design
 Java, Python, and C API’s
 Mixed routing based on packets
 Splits tunneling between upstream and
downstream
 “Garlic Routing” – mix streams together to
prevent traffic analysis
 Variable latency design

6. Tor
 Tor(not TOR) – previously stood for The
Onion Router
 Provides a method of anonymity by
passing data between proxies

7. Tor Network

8. Terminology
 Cell – your message
 Circuit – tunnel made up of relays
 Entry Node: first hop into the Tor network
 Exit Node: last hop before destination
 Relay Node: middle hop
 Bridge Node: nodes not listed in the Tor
directory to evade filtering

9. Who’s Using Tor?
 Whistleblowers
 Wikileaks – runs hidden service
 Militaries
 field ops
 command and control using hidden
services
 Chinese journalists and dissidents

10. Tor Project
 501(c)(3) NFP
 Freely available
 Full spec and full documentation

11. Project Finances
https://www.torproject.org/about/financials.html

12. Current Project Sponsors
 Federal Grant:
 International Program to Support Democracy Human
Rights and Labor
 $632,189
 International Broadcasting Bureau
 Voice of America, Radio Free Europe/Radio
Liberty, Radio and TV Martí, Radio Free Asia, Radio
Sawa/Alhurra TV
 $270,000
 Stichting.Net
 Association of NFP’s in the Netherlands
 $38,279
 Google: $29,083
 ITT: $27,000
 Other: $9,997
https://www.torproject.org/about/sponsors.html.en

13. Past Funders
 DARPA and Naval Research Labratory
2001-2006
 EFF – 2004-2005

14. Tor Performance

15. Number of Relays

16. Number of Users

17. Tor Tools
 Torbutton
 Tor Browser Bundle
 Vidalia
 TorCheck
 Arm
 Tor-ramdisk
 Anthony G. Basile from Buffalo

19. Tor Control Port
 Telnet to the control port authenticate "“
 Create custom circuits (long or short) extendcircuit 0 a,b,c,…
extendcircuit 0 a,b
 Show live circuit information setevents circ
 Change configuration on the fly setconf confitem
 Map a site to an exit node Mapaddress google.com=a.b
 Reload a configuration Getconf confitem

20. Attacks

21. Tor Passive Attack Vectors
 Traffic
profiling – entry and exit analysis
 Cleartext exit node transmission
 Fingerprinting -
OS, browser, configuration, activity
 Timing correlation
 Network partitioning
 End to end Size correlation

22. Tor Active Attack Vectors
 Compromised keys
 Malicious web servers
 Malicious Exit/Relay nodes
 DoS non-controlled nodes
 Timestamping and tagging
 Injecting or replacing unencrypted info
 Malicious Tor client

23. Tor Client Side Attacks
 DNS rebinding
 Disbanding attack – javascript, java, flash
 History disclosure
 Timezone information (partitioning)

24. Social Engineering Attacks
 Getting more traffic
 “Use my relay. I have huge tubes!”
 “Nick’s relay sucks”
 “I’ve added a feature to my node.”
 Replacement
 687474703a2f2f7777772e726f63686573746572323
630302e636f6d2f6861782f
 Partitioning
 “Don’t use servers from this country”
 “These servers are amazing!”

25. More Info
 www.torproject.org
 Metrics.torproject.org
 Blog.torproject.org
 Check.torproject.org
 @torproject