[tor-dev] Tor Bridges and Snowflakes detection attack

Hi,

Seems an attacker has found a way to enumerate ~300000 snowflakes and many bridges. I couldn't find any discussion about this in the archive.

Thanks,

Anyone knows how he did it? Seems kind of wierd he says he is against oppressive regiments but doesn’t give any useful information about what the issue is.

···

Hi, GitHub - scriptzteam/Tor-Bridges-Collector: Collecting Tor Bridges. Seems an attacker has found a way to enumerate ~300000 snowflakes and many bridges. I couldn’t find any discussion about this in the archive. Thanks, _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org tor-dev Info Page

Anyone knows how he did it? Seems kind of wierd he says he is against oppressive regiments but doesn't give any useful information about what the issue is.

The Snowflake proxies might have been detected using the method described in this publication. The link was postet to anti-censorship-team@lists.tpo on Saturday.

URL: https://www.mdpi.com/2076-3417/13/1/622/pdf

Title: F-ACCUMUL: A Protocol Fingerprint and Accumulative Payload Length Sample-Based Tor-Snowflake Traffic-Identifying Framework

Authors: Junqiang Chen, Guang Cheng, and Hantao Mei

Abstract: Tor is widely used to protect users’ privacy, which is the most popular anonymous tool. Tor introduces multiple pluggable transports (PT) to help users avoid censorship. A number of traffic analysis methods have been devoted to de-anonymize these PT. Snowflake is the latest PT based on the WebRTC protocol and DTLS encryption protocol for peer-to-peer communication, differing from other PT, which defeat these traffic analysis methods. In this paper, we propose a Snowflake traffic identification framework, which can identify whether the user is accessing Tor and which hidden service he is visiting. Rule matching and DTLS handshake fingerprint features are utilized to classify Snowflake traffic. The linear interpolation of the accumulative payload length of the first n messages in the DTLS data transmission phase as additional features are extracted to identify the hidden service. The experimental results show that our identification framework F-ACCUMUL can effectively identify Tor-Snowflake traffic and Tor-Snowflake hidden
service traffic

DOI: Applied Sciences | Free Full-Text | F-ACCUMUL: A Protocol Fingerprint and Accumulative Payload Length Sample-Based Tor-Snowflake Traffic-Identifying Framework

Cheers,
Christian

···

On Mon, Jan 09, 2023 at 01:31:52PM +0000, EfraimVagner via tor-dev wrote:

On Thu, Jan 05, 2023 at 07:31:31AM -0500, tor@nullvoid.me wrote:

GitHub - scriptzteam/Tor-Bridges-Collector: Collecting Tor Bridges.

Seems an attacker has found a way to enumerate ~300000 snowflakes and many
bridges. I couldn't find any discussion about this in the archive.

--
Christian Pietsch | volunteering for Digitalcourage e.V.
Website: https://digitalcourage.de/
Mastodon – like Twitter but better: https://digitalcourage.social
BigBrotherAwards Germany: https://bigbrotherawards.de/

Anyone knows how he did it? Seems kind of wierd he says he is against oppressive regiments but doesn't give any useful information about what the issue is.

The Snowflake proxies might have been detected using the method described in this publication. The link was postet to anti-censorship-team@lists.tpo on Saturday.

URL: https://www.mdpi.com/2076-3417/13/1/622/pdf

Title: F-ACCUMUL: A Protocol Fingerprint and Accumulative Payload Length Sample-Based Tor-Snowflake Traffic-Identifying Framework

Authors: Junqiang Chen, Guang Cheng, and Hantao Mei

Abstract: Tor is widely used to protect users’ privacy, which is the most popular anonymous tool. Tor introduces multiple pluggable transports (PT) to help users avoid censorship. A number of traffic analysis methods have been devoted to de-anonymize these PT. Snowflake is the latest PT based on the WebRTC protocol and DTLS encryption protocol for peer-to-peer communication, differing from other PT, which defeat these traffic analysis methods. In this paper, we propose a Snowflake traffic identification framework, which can identify whether the user is accessing Tor and which hidden service he is visiting. Rule matching and DTLS handshake fingerprint features are utilized to classify Snowflake traffic. The linear interpolation of the accumulative payload length of the first n messages in the DTLS data transmission phase as additional features are extracted to identify the hidden service. The experimental results show that our identification framework F-ACCUMUL can effectively identify Tor-Snowflake traffic and Tor-Snowflake hidden
service traffic

It is extremely unlikely that whoever posted those snowflake IPs publicly did so as a passive traffic observer. There are easier ways to discover snowflake IP addresses, and I don't get the sense that the owner of that Github repository has an AS-level vantage point that they're using to DPI real snowflake traffic.

GitHub - scriptzteam/Tor-Bridges-Collector: Collecting Tor Bridges.

Seems an attacker has found a way to enumerate ~300000 snowflakes and many
bridges. I couldn't find any discussion about this in the archive.

This was brought to some of our attention a while ago. Whoever it is, they have a massive misunderstanding of responsible disclosure and research ethics, and also a misunderstanding of how snowflake fits in the censorship circumvention space. My guess is they are doing nothing more complicated than running a snowflake client and logging the IPs of proxies that they get assigned to. Anyone can do this, it's not a bug, it's just part of how Snowflake works: you can see the IPs that your own machine is connecting to. We have mitigations to prevent full IP address enumeration in the pipeline, but one of Snowflake's strengths is that these IPs are behind NATs, and there is daily churn in the addresses available. Over time, any one client will be able to generate a large list of IPs, but the goal is to create enough of a moving target that enumeration is not worthwhile or complete.

The owners of this repository never reached out to us: we learned about it indirectly. They are only doing harm by publishing this information. They are not telling us anything new nor helping improve the resilience of Snowflake to these kind of enumeration attacks in any way. I'm not sure how they expected this to help at all.

···

On 1/9/23 09:11, Christian Pietsch wrote:

On Mon, Jan 09, 2023 at 01:31:52PM +0000, EfraimVagner via tor-dev wrote:
On Thu, Jan 05, 2023 at 07:31:31AM -0500, tor@nullvoid.me wrote:

_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

2 Likes

Any ideas how so many bridges have been discovered? While snowflakes are more trivial just by harvesting it from a client. My understanding is bridges should not be possible to easily enumerate, any network level attacker (Iran, ISP, Company) can just blocklist these nodes due to this github repo.

···

_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev