On 18/02/13 10:05, Andrea Shepard wrote:
On Mon, Feb 18, 2013 at 04:59:09AM -0500, grarpamp wrote:

I thought I would let you know: Our US hoster is regularly contacted by
law enforcement about our exits there. Some agents ask if the traffic
pattern is balanced, ie. if the same amount of traffic enters and leaves
the box.

I always argue that this is a good indicator for Tor traffic, and that
it is bad to mix Tor traffic with other traffic for that exact reason.

Due to encryption and compression it might only be balanced to
within some typical ratio. I'm sure you have a handle on that number.
But that any non 1:1 ratio could make it appear to be serving (or
receiving) continual amounts of data. Which in the eye of agents
could raise question. Another question is whether these US hosts
are just volunteering this data to whoever comes asking, with or
without your instruction, or complying with formal legal orders?

On the plus side, hopefully everyone is coming away with the
fact that it's just an uninteresting, agnostic, relay service and
time is better spent elsewhere.

Interesting; I'm pretty sure we do not use TLS compression.  Nick M., that's
true, yeah?

On the other hand, it could also be unbalanced because of:

 * Using that Tor process as a client
 * Running a hidden service on that Tor process
 * Running a directory mirror




_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I would guess also that being an exit is going to lead to a bit of an imbalance also as on the one side it is dealing with the plaintext unwrapped data on the other side cyphertext wrapped in onion protocol all in fixed sized cells which I would suspect means sometimes adding padding where the data to be sent to a specific nexthop destination is not an exact multiple of the cell payload size.  I'm not sure how much of a difference this would all add up to or if some of those effects might cancel part of it out but it would seem to me that it could have a statistically noticeable effect on the balance and one that would be variable between relays and even with the same relay depending on the balance of exit versus relay traffic which at least with the two exits I am running that seems to be the case.

Of course the easiest way to deal with those problems from the perspective of someone trying to identify potential suspicious activity (And to produce provide probable cause for the same) would be to statistically compare the balance of node x with the set of nodes of the same class that could even be why they keep requesting data, samples for comparison to look for evidence of statistical anomalies.  Also I wonder what level of detail they are really requesting and or receiving such data at, they could have other interests too like performing network analysis on the flows between nodes if they had data on the volume per peer ip address.

I suspect in this case though that whatever their purposes are they are approaching the service provider and seeking their co-operation doesn't sound like they have anything specific let alone a warrant here as it seems to me more often than not when a warrant is issued in the US requesting information on a user from a service provider it usually tends to come with an attached court order forbidding the service provider from disclosing the details to their subscriber.  It would surprise me if they would stop at merely asking about traffic balances  if they had enough to seek a warrant also, would make more sense to at the least put an ethernet tap on it if not attempt to access the plaintext through installing something onto the host or the hypervisor if it's a VPS.

Either way it sounds to me like they are probably fishing in this instance.