• Building a Tor Hidden Service CDN

    Last year I started experimenting with the idea of building a Hidden Service CDN.

    People often complain that Tor is slow, though my domain sharding adjustments to the bentasker.co.uk onion have proven fairly effective in addressing page load times.

    On the clearnet, the aim traditionally, is to try and direct the user to an edge-node close to them. That's obviously not possible for a Tor Hidden service to do (and even if it were, the users circuit might still take packets half-way across the globe). So, the primary aim is instead to spread load and introduce some redundancy.

    One option for spreading load is to have a load balancer run Tor and then spread requests across the back-end. That, however, does nothing for redundancy if the load-balancer (or it's link) fails.

    The main aim was to see what could be achieved in terms of scaling out a high traffic service. Raw data and more detailed analysis of the results can be seen here. Honestly speaking, It's not the most disciplined or structured research I've ever done, but the necessary information should all be there.

    This document is essentially a high-level write up along with some additional observations

  • Building a Tor Hidden Service From Scratch - SELinux

    On a system with SELinux, upon attempting to start Tor, you may see errors similar to the following

        [root@localhost tor]# service tor start
        Raising maximum number of filedescriptors (ulimit -n) to 16384.
        Starting tor: Apr 02 15:53:14.041 [notice] Tor v0.2.5.11 (git-83abe94c0ad5e92b) running on Linux with Libevent 1.4.13-stable, OpenSSL 1.0.1e-fips and Zlib 1.2.3.
        Apr 02 15:53:14.042 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
        Apr 02 15:53:14.042 [notice] Read configuration file "/etc/tor/tor-rpm-defaults-torrc".
        Apr 02 15:53:14.042 [notice] Read configuration file "/etc/tor/torrc".
        Apr 02 15:53:14.056 [notice] Opening Socks listener on 127.0.0.1:8080
        Apr 02 15:53:14.057 [warn] Could not bind to 127.0.0.1:8080: Permission denied
        Apr 02 15:53:14.058 [notice] Opening DNS listener on 127.0.0.1:54
        Apr 02 15:53:14.060 [warn] Could not bind to 127.0.0.1:54: Permission denied
        Apr 02 15:53:14.060 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
        Apr 02 15:53:14.062 [warn] Could not bind to 127.0.0.1:9040: Permission denied
        Apr 02 15:53:14.062 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
        Apr 02 15:53:14.062 [err] Reading config failed--see warnings above.
        /usr/bin/torctl start: tor could not be started
    

    Which is almost certainly the result of a selinux policy

  • Building a Tor Hidden Service From Scratch - Part 1 - Design and Setup

    Despite some fairly negative media attention, not every Tor Hidden Service is (or needs to be) a hotbed of immorality. Some exist in order to allow those in restrictive countries to access things we might take for granted (like Christian materials).

    Whilst I can't condone immoral activities, Tor is a tool, and any tool can be used or misused

    This is part one in a detailed walk through of the considerations and design steps that may need to be made when setting up a new Tor Hidden Service.

    The steps provided are intended to take security/privacy seriously, but won't defend against a wealthy state-backed attacker.

    How much of it you'll need to implement will obviously depend on your own circumstances, and in some cases there may be additional steps you need to take

  • Building a Tor Hidden Service From Scratch - Part 2 - HTTP and HTTPS

    Despite some fairly negative media attention, not every Tor Hidden Service is (or needs to be) a hotbed of immorality. Some exist in order to allow those in restrictive countries to access things we might take for granted (like Christian materials).

    Whilst I can't condone immoral activities, Tor is a tool, and any tool can be used or misused

    This is part Two in a detailed walk through of the considerations and design steps that may need to be made when setting up a new Tor Hidden Service.

    The steps provided are intended to take security/privacy seriously, but won't defend against a wealthy state-backed attacker.

    In Part One we looked at the system design decisions that should be made, and configured a vanilla install ready for hosting hidden services.

  • Building a Tor Hidden Service From Scratch - Part 3 - General User Anonymity and Security

    This is Part 3 of my Hidden Service From Scratch documentation. In Part One we designed and built our system, in Part Two we configured HTTP Hidden Service hosting.

    In this documentation, we'll be looking more generally at user account and identity protection, as well as examining why you may need to maintain a certain level of paranoia even if your hidden service doesn't fall outside the law in your home country.

  • Building a Tor Hidden Service From Scratch - Part 4 - Conclusion

    You may not be finished

    Although we've examined designing and implementing Tor Hidden Service in quite some depth, some users will likely find that there are still additional considerations that they need to make.

    For example, whilst we discussed the risks of traffic leakage, we did very little to avoid it - one solution, assuming you have out-of-band access to the host system, is to add iptables rules to ensure that all TCP and DNS traffic is redirected to the ports operated by the Tor Daemon.

    You'd still then need to look at filtering out other protocols (including UDP on all other ports) in case someone discovers a means to have your host system send arbitrary traffic.

    Similarly, we haven't discussed the impact of your Guard being compromised, those with serious concerns may need to look at running their own guards to help reduce the effectiveness of common Hidden Service de-anonymisation attacks

    It's also important to remember that this documentation may not cover threats which have not been discovered yet, security is a continuous exercise.