[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/release-0.4.5] exit: Deny re-entry into the network



commit 632688c797bb3968946343cafaaf51c882c59aed
Author: Roger Dingledine <arma@xxxxxxxxxxxxxx>
Date:   Wed Jan 27 23:48:57 2021 -0500

    exit: Deny re-entry into the network
    
    Exit relays now reject exit attempts to known relay addresses + ORPort and
    also to authorities on the ORPort and DirPort.
    
    Closes #2667
    
    Signed-off-by: David Goulet <dgoulet@xxxxxxxxxxxxxx>
---
 changes/ticket2667            |  4 ++++
 src/core/or/connection_edge.c | 24 ++++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/changes/ticket2667 b/changes/ticket2667
new file mode 100644
index 0000000000..cc42286ef9
--- /dev/null
+++ b/changes/ticket2667
@@ -0,0 +1,4 @@
+  o Major feature (exit):
+    - Re-entry into the network is now denied at the Exit level to all relays'
+      ORPort and authorities' ORPort+DirPort. This is to help mitigate a series
+      of attacks. See ticket for more information. Closes ticket 2667.
diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c
index 859ad1c6fc..55e7841cc3 100644
--- a/src/core/or/connection_edge.c
+++ b/src/core/or/connection_edge.c
@@ -4263,6 +4263,30 @@ connection_exit_connect(edge_connection_t *edge_conn)
     return;
   }
 
+  /* Next, check for attempts to connect back into the Tor network. We don't
+   * want to allow these for the same reason we don't want to allow
+   * infinite-length circuits (see "A Practical Congestion Attack on Tor Using
+   * Long Paths", Usenix Security 2009). See also ticket 2667.
+   *
+   * The TORPROTOCOL reason is used instead of EXITPOLICY so client do NOT
+   * attempt to retry connecting onto another circuit that will also fail
+   * bringing considerable more load on the network if so.
+   *
+   * Since the address+port set here is a bloomfilter, in very rare cases, the
+   * check will create a false positive meaning that the destination could
+   * actually be legit and thus being denied exit. However, sending back a
+   * reason that makes the client retry results in much worst consequences in
+   * case of an attack so this is a small price to pay. */
+  if (!connection_edge_is_rendezvous_stream(edge_conn) &&
+      nodelist_reentry_probably_contains(&conn->addr, conn->port)) {
+    log_info(LD_EXIT, "%s tried to connect back to a known relay address. "
+                      "Closing.", connection_describe(conn));
+    connection_edge_end(edge_conn, END_STREAM_REASON_TORPROTOCOL);
+    circuit_detach_stream(circuit_get_by_edge_conn(edge_conn), edge_conn);
+    connection_free(conn);
+    return;
+  }
+
 #ifdef HAVE_SYS_UN_H
   if (conn->socket_family != AF_UNIX) {
 #else



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits