Let's say I control a few assets like a website, news.com, a DNS server, and relegram, a messaging app, and control the ASs that route to them.
Let's say the target posted something to relegram. I grab the logs and gain the IP. Cool, now I have the IP.
I add the IP to a list that instructs my controlled ASs to collect latency stats during handshake protocols (could do it from the end assets but this should be easier/better).
Meanwhile I also look up who owns the blocks the IP is from, likely finding their ISP.
If it is a satellite provider I could go grab a friendly dish in a known location and add that to the list as well for the baseline. I could at this point double check my seconds/meter converter by moving said dish but it is likely to track with physical constants.
After getting ten thousand hits or so I take the difference between the mean baseline latency and target latency and translate it to distance with my constant. Now I know the target should be within ~x of the satellite. I also have a map with terrain so the torus becomes a circle with a hole in it.
Now I take a plane and hopefully it can fly high enough between the satellite and the circular path as to 'shadow' a statistically significant portion of the area as it goes around.
There's a bunch of flawed assumptions hidden in this. Some examples:
* The distance between the user and the satellite is fixed. With a LEO system, the difference between a satellite being straight overhead at 400km elevation and at 10 degrees elevation over the horizon is a difference of 1000km. Passes at this elevation are minutes long, capping out around 15 minutes.
* The path from the satellite to the groundstation is fixed. Same reasoning above.
* A user in a fixed location's traffic would go through only a single groundstation to the internet. Unless that user is colocated with a groundstation, there's going to be periods of covisibility with different groundstations, so there's going to be wholly separate paths for the traffic to take. This varies even more as you start to look at polar satellites, which SpaceX has outfitted with optical crosslinks. Your traffic could be getting dumped onto the internet at groundsites thousands of kilometers away within a single pass.
This isn't to say that there's zero chance of latency analysis from an adversary with enough internet presence, but it's many orders of magnitude harder than your simple analysis would suggest.
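The geometry behind the first bullet in the reply above, as an added example that is not part of the original thread: it computes the terminal-to-satellite slant range for the 400 km altitude and 10 degree elevation figures quoted there, and the latency swing that geometry alone puts on the user link during one pass. The spherical Earth, the mean radius, vacuum light speed and all function names are assumptions of this sketch.

```python
import math

EARTH_RADIUS_KM = 6371.0   # assumption: spherical Earth, mean radius
C_KM_PER_MS = 299.792458   # speed of light in vacuum, km per millisecond


def slant_range_km(altitude_km, elevation_deg):
    """Ground terminal to satellite distance at a given elevation angle."""
    e = math.radians(elevation_deg)
    r = EARTH_RADIUS_KM
    # Law of cosines on the triangle Earth centre / terminal / satellite.
    return math.sqrt((r + altitude_km) ** 2 - (r * math.cos(e)) ** 2) - r * math.sin(e)


def pass_profile(altitude_km, min_elev_deg=10.0, step_deg=10.0):
    """(elevation, slant range km, one-way delay ms) from min elevation to zenith."""
    rows = []
    elev = min_elev_deg
    while elev <= 90.0:
        rng = slant_range_km(altitude_km, elev)
        rows.append((elev, rng, rng / C_KM_PER_MS))
        elev += step_deg
    return rows


def range_swing_km(altitude_km, min_elev_deg=10.0):
    """Change in user-link distance between min elevation and straight overhead."""
    return slant_range_km(altitude_km, min_elev_deg) - slant_range_km(altitude_km, 90.0)


def rtt_swing_ms(altitude_km, min_elev_deg=10.0):
    """Round-trip latency change on the user link caused by that swing alone."""
    return 2.0 * range_swing_km(altitude_km, min_elev_deg) / C_KM_PER_MS


if __name__ == "__main__":
    for elev, rng, delay in pass_profile(400.0):
        print(f"elev {elev:4.0f} deg  range {rng:7.1f} km  one-way {delay:5.2f} ms")
    print(f"range swing over pass: {range_swing_km(400.0):.0f} km")
    print(f"user-link RTT swing:   {rtt_swing_ms(400.0):.2f} ms")
```

The swing covers only the terminal-to-satellite leg; the satellite-to-groundstation leg and groundstation handovers described in the other bullets add further variation on top of it.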
I was assuming a geostationary satellite in the example to point out that obscuring the IP could add a layer of security.
In regards to your general point I am making assumptions and it would be harder. But within an order of magnitude. A great place to use some basic machine learning.
In regards to LEO being harder... I agree the latency analysis will have more moving pieces. But it being better in terms of resulting anonymity would depend on its implementation...