The Nihilism Blog
Previous Page

Mulligan Security - 21 / 01 / 2025

How safe am I from my cloud provider?

Since the 2010's VPS have become cheaper and widely available. From your local mom and pop datacenter where you can rent a baremetal Pi equivalent to highly secured Amazon datacenters and on-demand cpu/bandwidth allocation you can now find a broad range of options for your operational and security needs.

If clandestinity is a requirement, there also are cryptocurrency-based options in jurisdictions without LEO cooperation treatises with your own.

But, what if the adversary is already inside?
in this post we are going to do a threat modelling exercise:

  1. Context and assumptions: what are the capabilities of our adversary? what about our own OPSEC requirments?
  2. Threats: what the adversary might want to acomplish (their goal)
  3. Attack Scenarii: a quick list of possible attacks
  4. Mitigation measures: what we can do to make those attack uneconomical, harder

Attack Scenario

The adversary has identified a probable city of residence for the administrator of a hidden service. In order to narrow down their search perimeter they will do the following:
  1. Target 1 group of city block and send someone to the internet backbone for this city block to cut it off from the internet
  2. Check whether the onion service is still up
  3. If it goes down, add it to the suspect pool

How can high availability help?

In the above scenario if the onion service operator had setup a redundant, highly available server then connections would have been seamlessly sent to another server in the redundancy pool, thus preventing the adversary from extracting location information based on their operation. This works best with a server in a different country or region, making a coordinated attack by several adversaries a requirement in order to use this method for deanonymization.

Adversary Attack Flow

Below is a chart depicting an adversary attack flow. As shown, high availability will prevent the adversary from progressing beyond their initial step of uptime-based target acquisition.


As you can see the adversarie's playbook is quite simple:

  1. Identify a list of potential suspects
  2. Cut them off the internet
  3. Check whether this action made the hidden service unreachable
Those actions are easily perpetrated by law enforcement as they only require:
  • DSLAM level access to the internet backbone used by the suspects (impacting a perimeter like a city block)
  • City block level access to the power grid in order to run disruptive actions

Both of those are trival to obtain for LEOs (law enforcement officers).


This Diagram shows where the attack takes place and how a redundant setup prevent such attacks from confirming the physical location of the hidden service.

In conclusion, your hidden service is one downtime away from having its location disclosed to an adversary, so you need to make sure it has High Availability

Nihilism

Until there is Nothing left.



Creative Commons Zero: No Rights Reserved

My Links

RSS Feed
SimpleX Chat

About Mulligan Security

Donate XMR:
86NCojqYmjwim4NGZzaoLS2ozbLkMaQTnd3VVa9MdW1jVpQbseigSfiCqYGrM1c5rmZ173mrp8RmvPsvspG8jGr99yK3PSs


Contact: mulligansecurity@riseup.net
website