Previous Page

Mulligan Security - 24 / 12 / 19

High Availability and anonymity

The concept of high availability is omnipresent in centralized services. One expects their ISP to provide internet access, their email provider to give them 100% uptime whenever they want to send an email and so on.

High-availability, the ability to provide high-uptime infrastructure, also has far-reaching implications for OPSEC practitioners.

When an adversary wants to collect information such as physical location behind a hidden service, depending on their power they will use downtime as an indicator in order to progressively narrow the pool of potential service location until they can act decisively against the remaining suspects.

Thus being able to plausibly deny being the operator of, or a downstream service supplier to a hidden service is a significant boon to personal protection.

Threat model

In order to understand how high availability, or lack thereof, impacts our security posture me must first define the skills and abilities of our adversary. For this tutorial the adversary has the following attributes:

• Ability to monitor the hidden service status and know rapidly if it goes offline
• Ability to directly tamper with either the power grid or the internet infrastructure with high granularity (DSLAM level, which could be a small town or a group of city blocks)
• Ability to monitor the effects of tampering or incidents impacting the power grid or the internet infrastructure

A concrete example of such an adversary would be law enforcement and government agencies.

Attack Scenario

The adversary has identified a probable city of residence for the administrator of a hidden service. In order to narrow down their search perimeter they will do the following:

1. Target 1 group of city block and send someone to the internet backbone for this city block to cut it off from the internet
2. Check whether the onion service is still up
3. If it goes down, add it to the suspect pool

How can high availability help?

In the above scenario if the onion service operator had setup a redundant, highly available server then connections would have been seamlessly sent to another server in the redundancy pool, this preventing the adversary from extracting location information based on their operation. This works best with a server in a different country or region, making a coordinated attack by several adversaries a requirement in order to use this method for deanonymization.