[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] reverse enumeration attacks on bridges (re: 100-foot overview on Tor)

On Wed, May 20, 2015 at 10:42:27AM +0800, Virgil Griffith wrote:
> Tom: If a hostile relay receives a connection from a ip-address A that
> is not listed in the Tor consensus, as far as I understand the hostile
> relay stills has two possibilities about ip-address A:
> (1) A is the client
> (2) A is a bridge
> I do not understand how the "reverse renumeration" attack you mention
> (p136 of your 100-ft-summary) is able to distinguish between these two
> cases.

If the hostile relay has no Guard flag, it shouldn't receive direct
connections from clients.  If it does have the Guard flag, it could port
scan the previous hop to see if it has an open (OR) port.  (Active
probing-resistant bridges would leave some uncertainty, though.)

Some more details about this attack are in Section III.D of:

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to