[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
From: Rusty Bird <rustybird@xxxxxxxxxxxxxxx>
Date: Tue, 01 Apr 2014 14:04:53 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 01 Apr 2014 10:11:32 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=openmailbox.org; h=content-type:content-type:in-reply-to:references:subject :subject:mime-version:from:from:date:date:message-id:received; s=openmailbox; t=1396361107; bh=hbB8wxWXjfTjshkfybj29mmFnTI60E9 B/S94m3lb4PU=; b=QAXr96AsrKl6wBiSDsXTmhporbdihz3nBlDoZJZakgM0wYg vNJSmTo+dUTVLyiKru9zCGekJw5Kdr4Xysl6EoYXtk63aqCGL8HwlWJ4MecgvApi RVqwbrVPFDtsQJTlTjEa+h08WHsAiz0nAW4w2PWafFARU6OZ41aJrRutwki8=
In-reply-to: <20140328194312.GD31390@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20140328194312.GD31390@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Mike Perry:
> I've discovered that the Linux kernel appears to have a leak in how it
> applies transproxy rules to the TCP CLOSE_WAIT shutdown condition under
> certain circumstances.

Quite the bombshell!

I've reproduced those packets on kernel 3.13 using your iptables rules.
Strangely enough my own personal transproxy setup does not exhibit this
issue, but it's not yet in a releasable state.

Anyway, if someone wants to experiment on this bug without actually
sending out clearnet packets, current versions of corridor* have an
optional logging facility:

[1540.249244] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=...
MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00
TTL=63 ID=59190 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK
FIN URGP=0
[1591.827163] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=...
MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00
TTL=63 ID=59198 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK
FIN URGP=0

Rusty

* https://github.com/rustybird/corridor

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
  - From: Rusty Bird

Prev by Author: Re: [tor-talk] fresh TBB is damaged and can't be opened on Mac OS X
Next by Author: Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
Previous by thread: Re: [tor-talk] Pirate Linux 2.0 alpha
Next by thread: Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
Index(es):
- Author
- Thread