Is “KAX17” performing de-anonymization Attacks against Tor Users? (nusenu)

There is a new report by nusenu: Is “KAX17” performing de-anonymization Attacks against Tor Users? | by nusenu | Nov, 2021 | Medium

What do you think? Is that a problem for Tor?

2 Likes

@gus @nickm @HackerNCoder @donuts

Any input?

See GeKo’s email.

1 Like

“We don’t have any evidence that these relays were doing any attack”

“the attacker is still on the network/the attack is ongoing. But that’s not the case as far as we know.”

That doesn’t sound reassuring.

“making sure not to actually use the proposed self-defense as-is. It’s not mentioned in the blog post but at the repository linked to:

"""
NOTE: This PoC is NOT fit for general use and not meant to be used by end-users!
"""

What is a PoC and if it’s not to be used as supplied then what modifications are required?

Armadillo via Tor Project Forum:

“We don’t have any evidence that these relays were doing any attack”

“the attacker is still on the network/the attack is ongoing. But that’s not the case as far as we know.”

That doesn’t sound reassuring.

Not sure what you mean. I just tried to make sure you look at the
correct graphs to get the correct impression of the status quo. That’s all.

And, yes, we actually do not have any evidence yet of any attack being done.

“making sure not to actually use the proposed self-defense as-is. It’s not mentioned in the blog post but at the repository linked to:

"""
NOTE: This PoC is NOT fit for general use and not meant to be used by end-users!
"""

What is a PoC and if it’s not to be used as supplied then what modifications are required?

That’s a good question to ask nusenu. I don’t know why they made that
PoC, pointed to it, and then wrote that this is not meant to be used by
end-users.

1 Like

I’m not sure that Nusenu’s probability calculation is correct. He didn’t explain his math, but I think he’s calculating nodes potentially controlled by attackers vs. total nodes in each jump, which only shows the probability for one jump. So the real risk is 16% * 35% * 5% end-to-end, which is a 0.28% probability, or alternatively 16% * 5% assuming guard + exit, for an upper bound of a 0.8% chance. That’s still high; however, it’s not nearly as alarming as any of the numbers he suggests.

1 Like
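A small model of the end-to-end numbers discussed in the post above, added here as an example and not part of the thread or of any Tor Project code. The 16%, 35% and 5% fractions are the ones quoted in the post; the per-session circuit counts and the 10% risk target are assumptions for illustration.

```python
# Fractions quoted in the thread: the share of guard, middle and exit positions
# the suspected relay group could occupy. Tor actually selects relays weighted
# by consensus bandwidth, not by relay count, so treat these as rough figures.
GUARD_SHARE = 0.16
MIDDLE_SHARE = 0.35
EXIT_SHARE = 0.05


def circuit_compromise(guard: float, middle: float, exit_: float) -> float:
    """Probability that one circuit has an adversary relay in all three hops."""
    return guard * middle * exit_


def guard_exit_compromise(guard: float, exit_: float) -> float:
    """Upper bound: traffic correlation only needs the guard and exit hops."""
    return guard * exit_


def session_compromise(guard: float, exit_: float, circuits: int) -> float:
    """Risk over a session of `circuits` circuits (assumed count, for illustration).

    A client keeps the same guard for months, so the guard is drawn once;
    the exit is redrawn for every circuit. A compromised guard plus at least
    one compromised exit is enough to observe both ends of one connection.
    """
    return guard * (1.0 - (1.0 - exit_) ** circuits)


def circuits_to_reach(guard: float, exit_: float, target: float, limit: int = 10_000):
    """Smallest circuit count whose session risk is >= target, or None if it is
    unreachable (session risk can never exceed the guard share itself)."""
    for n in range(1, limit + 1):
        if session_compromise(guard, exit_, n) >= target:
            return n
    return None


if __name__ == "__main__":
    print(f"one circuit, all three hops: {circuit_compromise(GUARD_SHARE, MIDDLE_SHARE, EXIT_SHARE):.2%}")
    print(f"one circuit, guard + exit:   {guard_exit_compromise(GUARD_SHARE, EXIT_SHARE):.2%}")
    for n in (1, 10, 100):  # assumed session sizes
        print(f"{n:>3} circuits, guard + exit: {session_compromise(GUARD_SHARE, EXIT_SHARE, n):.2%}")
    print("circuits until 10% session risk:", circuits_to_reach(GUARD_SHARE, EXIT_SHARE, 0.10))
```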

Hi all, my first time posting here. I have been reading the reports about KAX17: Is “KAX17” performing de-anonymization Attacks against Tor Users? | by nusenu | Nov, 2021 | Medium
I know there is a thread for that, but it isn’t saying whether adding a VPN at the start, before Tor, would make the attacks pointless, since any IP grabbed at any point won’t be real. Nusenu says 2020> seems to be the worst for Tor and nobody can ever fully remove it. Would it be good to ask the possible host company to record metadata over 24 hrs and compare it against KAX17 traffic to find the source? It is very worrying. Everyone says it’s the FBI or CIA, but they say it with a laugh emoji, like a joke? So do the FBI possibly do this, or is that a joke, since the FBI and Tor don’t have a good background? I hope something can be found and nobody gets hurt from these big attacks. It’s been going on for years with no attacker ID or motive. It must be expensive to run 500+ nodes, so to the attacker it’s investing for a bigger reward. What can the reward be to be worth it?? Thanks

Sorry for wrong category

I also read here ([tor-relays] Recent rejection of relays - #15 by GeKo) that 600 were removed, but nusenu shows they quickly rejoined; they respond to removal by making a new identity.

It would seem that the large volume of servers suggests a possibly advanced adversary such as an intelligence agency. I hope the Tor Project team is considering this possibility and thinking of improvements they can make in 2022 to reduce the risk of a large adversary de-anonymizing traffic.

It’s very concerning. I hope to God nothing bad actually happens and it’s just a test.

Can anybody who’s studied it predict the possibility of danger and the amount of danger? Hopefully Tor devs are still trying to remove them. Since they almost all automatically rejoin under a new identity after being removed, would it be possible for the network devs to implement some script which automatically removes large bulk entries and then automatically watches the metrics for when they rejoin, in an endless cycle? That way they have limited access for a limited time, so I guess that would reduce their ability to harm?