[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] TCP SACK PANIC type kernel vulnerabilities: logging some packets

To: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-relays] TCP SACK PANIC type kernel vulnerabilities: logging some packets
From: tor@xxxxxxx
Date: Mon, 24 Jun 2019 08:13:55 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 24 Jun 2019 09:30:05 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=t-3.net; s=default; t=1561379419; bh=KPZgjvC7eT1dv1MGwdDevzN9oD5LUHN75emuMNCbvqY=; h=From:To:Subject:Date; b=PWYzcCvhCTf6hW77VY4GmZRyClqCN1u1tnDR3lP0ctk56qRl9FO1Q1poyAgoEpc/8 WcPELRXdXmYK1XCZNJRa4DgRlvkoqoYPPYfHyvcrzL5NoUt27EYdVeXi9e6yONyqPc HYbgJbrQHc4+dwRAvZSi0KhTvdmhl3ky87a4hMyE=
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

As of last week there wasn't a new kernel out for our relay's distro,so I implemented an IPTables-based mitigation in our relay as such:

-A INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j LOG--log-prefix "TCP_SACK_PANIC: "

-A INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

Over the weekend we logged hits to this rule. I checked a few of thesource hosts, and they were not relays at least as they are listed inhttps://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1 .

I'll pull the rule out once the kernel is patched, but yeah. Thingsthat make you go hmm.




_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] TCP SACK PANIC type kernel vulnerabilities: logging some packets
  - From: Toralf Förster

Prev by Author: [tor-relays] obfs4 relay lost stable flag
Next by Author: Re: [tor-relays] Become a Fallback Directory Mirror
Previous by thread: Re: [tor-relays] Tor memory leak (0.3.5.7)?
Next by thread: Re: [tor-relays] TCP SACK PANIC type kernel vulnerabilities: logging some packets
Index(es):
- Author
- Thread