Cyber Goat
Friday, 29 December 2017
Every year, as part of my New Year's resolution, I try a new project. (And I usually don't tell people about my projects. Having said that...) My project for 2017 was "Cyber Goat", and it has been a bleating success!
A few years ago, we had a friend who raised goats. (She made her own yarn from their fur. It's a knitter thing.) That's when I learned about "goat dominance". How do goats show dominance? One goat will walk up to another goat and give a shove. The goat that doesn't move is dominant. As I understand it, goats don't resort to head butting unless neither goat can be shoved.
This year, I wanted to see if it worked online. That's right, I intentionally went around shoving people, organizations, and even nation-states -- just to see if I could make them move. And damn right, they moved! (Baa!)
Ah, push it - Push it good!
I first got this idea when Getty Images sent me a Cease and Desist letter from France (27-Dec-2016). I was offended that a big company was trying to push me around. So rather than letting them be dominant, I pushed back. I sent them a letter detailing many of the problems with their letter, including their use of French law (which doesn't apply to a US citizen communicating with a US company), expired statute of limitations, attempt to violate SLAPP and anti-retaliation laws, and their demand that I censor the First Amendment rights to free speech for myself and people who leave comments on my blog.
Ten days later, Getty Images acknowledged their error and backed down. This is the second time that Getty Images has tried pushing me, and the second time I made them back away.
When Push Comes to Shove
In May 2017, I decided to go after a congressman. Representative Tom Graves (R-Ga) was pushing legislation called the "Active Cyber Defense Certainty Act" (ACDC). This proposed legislation would have made it legal for people to attack back online.
Legislation typically goes through a couple of cycles of public comment before being proposed as a bill to Congress. ACDC had been through one review cycle, and was entering its second (and likely last) public review.
I took a look at the proposed legislation and realized that nothing good would come from it. I wrote up a response that detailed a huge number of issues -- including how it appeared to violate 6 Constitutional Amendments and would likely lead to cyber war. I ran it by my friend, Joe Klein, and incorporated some of his feedback. Then I pushed the 'send' button, firing off the letter.
The only direct response that I received was a note from the Representative's assistant, informing me that the letter had been received. However, Graves stopped pushing ACDC. As far as I can tell, that's when it died. I certainly wasn't the only person providing anti-ACDC feedback, but I suspect that I was one of the most detailed.
Push the Right Buttons
And then there's Tor... At the beginning of the year, I created a Tor ".onion" service for the Internet Archive. It didn't take long for the service to come under a variety of distributed denial-of-service (DDoS) attacks. Someone wanted to push me offline! So I pushed back.
First, I identified signatures for the Tor attackers. This is a lot harder than it sounds because Tor is designed to prevent signature-based tracking. The Tor developers are good, but not that good -- I found about a dozen identifiable attributes. (I'm still not detailing all of them publicly.) These allowed me to identify the attackers and mitigate their DDoS attacks. That kept my service online.
However, keeping the service online is like two goats who won't budge. I wanted the attacker to move. Using online counter-attacks, I learned much more about the attackers. And then I started leaving breadcrumbs... I tweeted an innocent enough message. Innocent, unless you're them -- then you would likely read between the lines and think that you knew how I was stopping the attack. They noticed and did the logical change. Thus, I forced them to make a change (push!) and learned that they were following me on Twitter and my blog.
Then I gave some more details in my follow-up blog entry. To regular readers, it looked like I was calling out a nation-state (Russia). To the attackers, I gave enough details that they had no doubt about my knowledge of their operation. In response to this strong shove, they gave a strong reaction. First, they shut down over 30 Tor exit nodes that they were using to spy on traffic and attack hidden services. Then they reset the servers. Using different profiling techniques, I easily detected that they were reinstalling the operating systems! This isn't just "shut it down"; this was "shut it down and burn it!"
When they came back up, they tried two things. First, they tried attacking my service again. Except that as far as I can tell, they were only attacking me. This is a goat move -- they wanted to see if I would blog about it again or give any information about how I was detecting their operation. In response to their shove, I said nothing (my goat don't move).
After a few days, they stopped the attack all by themselves. Then they went back to attacking other online sites -- others, but not me. (Dominance!) Moreover, they slowly brought up their Tor nodes exactly as I suggested in my blog entry. (Not all at once, not all at the same time of day.) This actually made it easier to track them.
Head to Head
I came up with a couple of different counter-attacks for various bad-bots on Tor. Some were designed to slow down attackers, while others were intended to knock the attackers offline. I already mentioned my friend, Joe Klein... he went to the Black Hat Briefings this year. (Black Hat is a huge cybersecurity conference.) He was wandering around the vendor area when he saw a company that claimed to offer "Darknet Big Data" and a "Database of Darknet Intelligence". A short chat convinced him that their collection method matched one of my attackers. He asked them if they recently rewrote their collection code because their bot suddenly became massively slow. ('Slow' to the point that they could not really collect data from any darknet services.) The vendor responded with shock: "Yes." As Joe put it, he just smiled and said, "Yeah, that's us." (For people following my attacker naming convention, this was the 'Dennis' bot.)
Meanwhile, the number of people who run Tor hidden services and report being under denial-of-service attacks has been steadily increasing. For my own service, I came up with a great patch. Since deploying this on my own Tor service, I have seen a constant flow of DoS attacks every few minutes (for 3 months!), but they have zero impact on me. (Goat dominance!)
Better yet: I've received close to a dozen comments from people who claim to run other Tor hidden services. (They were anonymous email accounts and did not identify their services.) Each thanked me for the patch because it stopped the attacks from continually knocking them offline.
Unfortunately, the people behind these denial-of-service attacks are not going away anytime soon. Since they can't take down services directly, they began moving to the "next best thing": taking down relays that the services use. Even the Tor Project has noticed these attacks, but they don't yet seem to understand the cause or purpose. (The purpose is to take down guards and relays used by specific hidden services.)
Separate the Sheep from the Goats
While battling nation-state attackers over Tor, I decided to also go after the Tor Project. Originally, I just wanted them to add one feature that would make it easier to stop Tor-based DDoS attacks against ".onion" services. However, they reacted like a goat: they didn't budge. In fact, they didn't respond at all. (Did they even notice my shove? Or did they not care?)
There were really three things that I wanted them to do:
- I wanted them to respond to security reports. Their existing reporting system just didn't work. My submitted reports using their documented method never received any kind of reply. (I was later told that they never even received the submitted reports!) After leaving a couple of nasty messages for the Tor Project on Twitter, Reddit, and my blog, they submitted a trouble ticket about fixing their reporting process. (Goat!)
- I wanted them to make their bug bounty program public. This project had been announced in 2015, but it was by invitation only. I wanted it public.
Again, I was very critical about the Tor Project on my blog, on Twitter, on Reddit, and in my personal communications with some of their developers. I mentioned that I was sitting on some 0day exploits (true). However, why should I report them for free today when they might make their bug bounty program public tomorrow? After less than 2 months, the Tor Project announced the public bug bounty program. One Tor developer told me that the timing was coincidental, but another developer said that my push was the small nudge they needed to make it public now rather than later.
- I wanted them to make some changes to the Tor Browser (a variant of Firefox intended for use on the Tor network). I had a couple of reasons for wanting this, but basically, I wanted more privacy online. Although they have turned some of my suggestions into items for fixing, they have not yet implemented any of them.
Unfortunately, the first responses that I got from the Tor Project were from prima donnas who didn't like my noise. However, even this is slowly changing. I've been in contact with two Tor developers who are friendly and happy to communicate with me. (If everyone from the Tor Project were like these two people, then we would have a very different, positive, and constructive relationship.) Unfortunately, some people in the Tor community still view me as a hypocritical idiot. But really, I'm just a cyber goat.
Play the Goat
This certainly isn't all of the goat-like behavior I did this year. Listing all of them would be a really long blog entry. But very few resulted in no reaction from the target. And all of the reactions were in a positive direction -- positive from my viewpoint.
Right now, I'm still deciding on which project I'll do in 2018. Maybe it will be more programming. Or maybe more social or behavioral research. The cyber goat project was fun, but there's a limit to what you can do with an online shove. Next year, I should aim for some different goals.
As I understand it, that was a patch for one specific type of DoS -- and only against directory authorities. https://trac.torproject.org/projects/tor/ticket/24245
No version of Tor addresses the current DoS attacks against hidden services and relays.