1

Just speculating here. So just like timing and data sizes are used to correlate from end to end on a Tor network to deanonymize a user, can the same method be used on a single device to monitor and correlate incoming with outgoing traffic? This ensures that the device being monitored is not being used as a remote or as a relay (such as Tor), and if the data or timing is correlated then the server can deny login, a transaction, a service, etc.

I've tried looking up this notion but can't seem to find if it exists in practice or in another form. So I decided to ask openly. Thanks.

forest

1 Answer

1

> So just like timing and data sizes are used to correlate from end to end on a Tor network to deanonymize a user, can the same method be used on a single device to monitor and correlate incoming with outgoing traffic.

Yes, it is possible to guess that the device is used as a relay if you can watch all its communication patterns. And the fewer traffic sources the device gets/sends traffic to, the higher would be the probability that your guess is correct.

> and if the data or timing is correlated then the server can deny login, a transaction, a service, etc.

Unless the "server" here is the only Internet gateway to this device, it is not in a position to see all traffic coming to/from the device. Thus it will not be able to tell whether the device is used as a proxy.

forest
George Y.
  • Okay, but one could build an application on and, with the user's consent, be able to monitor their traffic for short windows such as 2FA, or would it have to be the only internet gateway to acquire such information? – Kenna Garcia Nov 14 '17 at 01:59
  • 1
    Yes, one can build such an application which is installed on a computer. However, if it only runs for a very short time frame, it might not collect enough traffic information to make the correct decision. – George Y. Nov 14 '17 at 02:11
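
An added example, not part of the original question, answer or comments: a sketch of the single-device check discussed above, run by a monitor that sees all of one device's traffic. It bins inbound and outbound bytes, correlates the two series at small lags, compares total volumes, and refuses to decide when the observation window is too short. The function names, bin size, thresholds and sample traffic are assumptions constructed for illustration.

```python
import random

def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def relay_score(events, duration, bin_s=1.0, max_lag=2, min_bins=30):
    """events: (timestamp_s, 'in'|'out', bytes) observed on ONE device.
    Returns (best_corr, volume_ratio), or None if the window is too short."""
    nbins = int(duration / bin_s)
    if nbins - max_lag < min_bins:
        return None  # too little traffic history to make a decision
    series = {"in": [0] * nbins, "out": [0] * nbins}
    for ts, direction, size in events:
        if 0 <= ts < duration:
            series[direction][int(ts / bin_s)] += size
    # Compare inbound with outbound shifted by 0..max_lag bins (forwarding delay).
    best = max(pearson(series["in"][:nbins - lag], series["out"][lag:])
               for lag in range(max_lag + 1))
    tin, tout = sum(series["in"]), sum(series["out"])
    ratio = min(tin, tout) / max(tin, tout) if max(tin, tout) else 0.0
    return best, ratio

def looks_like_relay(score, min_corr=0.8, min_ratio=0.8):  # assumed thresholds
    # A relay forwards what it receives: correlated timing AND similar volume.
    return score is not None and score[0] >= min_corr and score[1] >= min_ratio

def constructed_traffic(kind, duration, seed=1):
    """Constructed sample data: 'relay' forwards each inbound burst 20 ms later;
    'client' sends small requests and receives much larger responses."""
    rng, events = random.Random(seed), []
    for _ in range(int(duration)):  # about one burst per second on average
        t = rng.uniform(0, duration - 1)
        if kind == "relay":
            size = rng.randint(500, 50_000)
            events += [(t, "in", size), (t + 0.02, "out", size + 60)]
        else:
            events += [(t, "out", rng.randint(300, 900)),
                       (t + 0.05, "in", rng.randint(5_000, 500_000))]
    return events

if __name__ == "__main__":
    for kind, secs in (("relay", 120), ("client", 120), ("relay", 10)):
        score = relay_score(constructed_traffic(kind, secs), secs)
        print(kind, secs, score, looks_like_relay(score))
```

Timing alone does not separate the two cases, because an ordinary client's requests and responses also coincide in time; the volume comparison is what keeps the constructed client from being flagged.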