
Re: [tor-relays] Network scan results for CVE-2016-5696 / RFC5961



4 servers rebooted, thank you very much.

markus



> On 9 Dec 2016, at 06:31, Ivan Markin <twim@xxxxxxxxxx> wrote:
> 
> Hi tor-relays@,
> 
> Getting back with more results on this.
> I've implemented a CVE-2016-5696 scanner in Go [1] and scanned the Tor
> network several times [2].
> The first results I got used a technique similar to David's (sending 500
> RSTs in one burst); the second ones were obtained via another method (send 111
> RSTs in a burst and then 111 RSTs 1 second later*).
> 
> Current statistics:
> 32% of Linux relays are vulnerable. That is 23% of Tor network.
> 
> --
> 
> Now some magic! Those 3 NetBSD relays from before still behave like they
> are vulnerable Linuxes (as they did in David's scanner, and two of mine):
> 
> $ cat grill-tor-2016-12-09 | grep -v Linux | grep vulnerable
> 78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
> 86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
> 139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
> 
> Yes, nmap -O reports them to be NetBSD hosts.
> 
> Actually I don't know what's going on here. Thoughts:
> * relays are behind vulnerable Linux middleboxes
> * RFC 5961 got implemented partly in NetBSD and it is actually vulnerable
> * ???
> 
> Okay then. I've brought up a NetBSD 7.0.2 VM and scanned it locally. 0
> challenge ACKs. Fine. I've put it under a vulnerable Linux DNAT and it was
> 'kinda' vulnerable (some small random amount of ChACKs). Probably I did
> something wrong here.
> I headed out and scanned netbsd.org (self-hosted?) and it's vulnerable also.
> 
> I've lurked through NetBSD's src code and found some bits of RFC5961.
> But I was unable to see anything offensive.
> 
> If someone has some insight on this dark magic, that would be awesome!
> 
> ---
> 
> Thanks for bringing up the diversity issue in light of this CVE, Alex!
> Just to make everyone feel sad today:
> 
> $ cat grill-tor-2016-12-09 | grep -v offline | grep Linux | wc -l
>    6435
> $ cat grill-tor-2016-12-09 | grep -v offline | grep -v Linux | wc -l
>     550
> 
> Sadly, Linuxes are typical ~2σ of the network. ;(
> Please run more different (e.g. BSD) relays!
> 
> [*] I think it should be more accurate.
> [1] https://github.com/nogoegst/grill
> [2] https://gist.github.com/nogoegst/d2de330b794b47158b4cfbed0987b4de
> 
> --
> Happy life without suffering,
> Ivan Markin
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
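One way to tabulate grill's output per OS, as the grep/wc pipeline in the quoted message does by hand (an added example, not code from grill or from the thread; the column layout follows the CSV lines quoted above, while the sample rows, the exact "offline" and "not vulnerable" verdict strings and the " on " platform split are assumptions):

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the grill CSV layout quoted in the thread
// (addr,fingerprint,platform,status,rtt1,rtt2,verdict). Addresses and
// fingerprints are placeholders; "offline"/"not vulnerable" are assumed spellings.
const sampleScan = `10.0.0.1:9001,AAAA,Tor 0.2.8.9 on Linux,200,1.2ms,1.1ms,vulnerable
10.0.0.2:9001,BBBB,Tor 0.2.8.9 on Linux,200,1.3ms,1.2ms,not vulnerable
10.0.0.3:443,CCCC,Tor 0.2.9.5 on Linux,200,2.0ms,1.9ms,vulnerable
10.0.0.4:9001,DDDD,Tor 0.2.8.9 on NetBSD,200,1.8ms,1.8ms,vulnerable
10.0.0.5:9001,EEEE,Tor 0.2.8.9 on FreeBSD,200,1.5ms,1.4ms,not vulnerable
10.0.0.6:9001,FFFF,Tor 0.2.8.9 on Linux,0,0s,0s,offline`

// Stats: relays that answered the probe, and how many grill flagged as vulnerable.
type Stats struct{ Online, Vulnerable int }

// Summarize mirrors the thread's grep/wc pipeline: skip offline relays, then tally per OS and under "all".
func Summarize(csv string) map[string]Stats {
	out := map[string]Stats{}
	for _, line := range strings.Split(strings.TrimSpace(csv), "\n") {
		f := strings.Split(line, ",")
		if len(f) != 7 || f[6] == "offline" {
			continue // malformed or unreachable: not part of the denominator
		}
		os := f[2] // e.g. "Tor 0.2.8.9 on Linux" -> "Linux"
		if i := strings.LastIndex(os, " on "); i >= 0 {
			os = os[i+4:]
		}
		for _, k := range []string{os, "all"} {
			s := out[k]
			s.Online++
			if f[6] == "vulnerable" {
				s.Vulnerable++
			}
			out[k] = s
		}
	}
	return out
}

func main() {
	for os, s := range Summarize(sampleScan) {
		pct := 100 * float64(s.Vulnerable) / float64(s.Online) // Online > 0 here
		fmt.Printf("%-8s online=%d vulnerable=%d (%.0f%%)\n", os, s.Online, s.Vulnerable, pct)
	}
}
```

Feed it the real grill CSV instead of the constructed sample to reproduce the per-OS and network-wide percentages Ivan quotes.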
