
Re: [tor-relays] 90% of exits vulnerable to TCP off-path attack



On Fri, Aug 12, 2016 at 12:01:03PM -0400, Zack Weinberg wrote:
> Tor's use of TLS _should_ mean that the worst an attacker can do here
> is denial-of-service.  The Register article suggests that they might
> also be able to force the use of specific exit relays (by disrupting
> connections that don't go through those relays) but weaponizing that
> against specific users (rather than everyone trying to use an exit the
> attacker doesn't like) strikes me as nontrivial.

Agreed. I attended the talk at Usenix Security this week, and the
presenter seemed to think that if a TCP connection between two relays
gets cut, then the first relay will redirect all those circuits to some
other relay. If that were true, then you could do the "keep cutting the
connection until your target circuit goes the way you want it to" attack.

But Tor clients are the ones that choose their paths, and when a circuit
fails, they throw it out and choose a new path, without memory of what
links inside the Tor network did or didn't work in the past. So clients
will effectively fail closed, meaning they will keep trying a circuit of
their choice and you will keep trying to find it and tear it down, but
you won't be able to "direct" their path in the way the authors thought.

That said, this kind of TCP level attack is indeed neat, and people
should keep thinking about ways to apply it, or something like it, to Tor.

For an earlier paper in the same area, see also
http://freehaven.net/anonbib/#tcp-tor-pets12

> Right now I think one should not panic and should wait for the kernel
> people to do a proper fix.

Yes, this makes sense.

Another option is to encourage people to remember that operating system
diversity is important. :)
https://torbsd.github.io/

--Roger
