
Re: another DirPort DoS attacker



     On Wed, 8 Oct 2008 23:34:00 -0400 Roger Dingledine <arma@xxxxxxx> wrote:
>On Tue, Sep 02, 2008 at 08:20:47AM -0500, Scott Bennett wrote:
>>      A short time ago, I found that 212.205.53.212 had several hundred open
>> TCP connections to my tor server's DirPort, and very little relay traffic
>> seemed to be getting past all of that.  I've now taken steps to prevent such
>> connections from that IP address.  (That IP address has the name
>> sahrsmtp03.cosmote.gr.)  Other tor server operators may (or may not) wish to
>> follow suit.
>
>Hi Scott,
>
>I think I finally tracked down why these are happening.
>
>They are being generated by obsolete Tors, running 0.2.0.8-alpha or
>0.2.0.9-alpha. Those Tor versions are hoping to find v3 identity key
>certificates from the old v3 authorities, from back before we changed
>their keys due to the Debian RNG bug:
>http://archives.seul.org/or/announce/May-2008/msg00000.html
>
>Tor periodically asks itself if it has all the v3 identity certs it
>wants, and if it's missing any then it launches requests for them. The
>bug introduced in 0.2.0.8-alpha (2007-10-12)
>http://archives.seul.org/or/cvs/Oct-2007/msg00117.html
>and fixed in 0.2.0.10-alpha (2007-11-10)
>http://archives.seul.org/or/cvs/Nov-2007/msg00065.html
>was that if there were currently fetches in progress for every cert
>that's missing, it would make a request for "/keys/fp" rather than making
>no request.
>
>That bug isn't a big deal when the certs you want are all available. You
>get them eventually, and then you don't need them anymore so you stop
>the connection flood. But if no caches have the certs either, you just
>keep asking for them, and whenever a request is outstanding, you go into
>a tight loop of connection flooding while you wait.

     Well, that's not the most obscure bug I've ever heard of, but also
not an obvious one.
>
>The fix? Well, we can't go make those people upgrade. We don't even know
>who they are. The fix I'm working on now is to generate new certs for
>the two obsolete keys (only moria1 and tor26 were v3 authorities back in
>version 0.2.0.9-alpha), so these old clients will finally get what they
>want and shut up. (They still won't work, because the networkstatus
>consensus they get won't be signed by any of the keys they demand
>signatures from, but at least they'll cry quietly to themselves rather
>than harming the rest of the network.)

     Roger, this is wonderful news.  Thank you very much for taking the
time to track it down.  That's definitely a kind of traffic load that the
tor network does *not* need.  Because no other systems have harassed mine
in that fashion since the date of the message you cite above, I'm guessing
that the vast majority of tor users have updated beyond that version, but
it's also apparent that some have not.
>
>I'll let you know how it goes,

     Okay.  Whenever you announce that the faked certs are in place, I'll
disable the pf rule and DirPolicy reject statement that are blocking that
site at present.  Thanks again.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
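     The fetch-scheduling bug Roger describes above, modelled as an added
example (this is not Tor's code and nothing here comes from the Tor tree;
the "/keys/fp/<fp>+<fp>" URL layout, the tick-based timing, and the
fingerprints are assumptions made for the model):

```python
from typing import List, Optional, Set, Tuple

# Constructed placeholders for the two v3 authority identity fingerprints an
# obsolete client keeps asking for; not the real moria1/tor26 fingerprints.
WANTED: Set[str] = {"AAAA0000", "BBBB1111"}


def build_keys_request(missing: Set[str], in_flight: Set[str], buggy: bool) -> Optional[str]:
    """Decide what to ask a directory cache for.

    `missing` is every cert the client wants and does not have; `in_flight`
    is the subset already being fetched.  The correct behaviour is to ask
    only for certs with no outstanding fetch, and to ask for nothing when
    that set is empty.  The 0.2.0.8-alpha behaviour (buggy=True) instead
    issues a bare "/keys/fp" request carrying no fingerprints at all.
    The URL layout is an assumption of this model.
    """
    to_ask = sorted(fp for fp in missing if fp not in in_flight)
    if to_ask:
        return "/keys/fp/" + "+".join(to_ask)
    return "/keys/fp" if buggy else None


def simulate(wanted: Set[str], cache: Set[str], buggy: bool,
             ticks: int, rtt: int = 3) -> Tuple[int, Set[str]]:
    """Run the periodic "do I have all the certs I want?" check once per tick.

    `cache` is the set of fingerprints the directory cache can actually serve.
    Each request opens one DirPort connection and is answered `rtt` ticks
    later (assumed timing).  Returns (connections opened, certs still missing).
    """
    have: Set[str] = set()
    in_flight: Set[str] = set()
    pending: List[Tuple[int, List[str]]] = []  # (answer tick, fps requested)
    opened = 0
    for t in range(ticks):
        # Deliver answers that have arrived; the cache only returns what it has.
        arrived = [p for p in pending if p[0] <= t]
        pending = [p for p in pending if p[0] > t]
        for _, fps in arrived:
            for fp in fps:
                in_flight.discard(fp)
                if fp in cache:
                    have.add(fp)
        missing = wanted - have
        if not missing:
            break  # everything fetched: the client goes quiet
        url = build_keys_request(missing, in_flight, buggy)
        if url is None:
            continue  # fixed client: wait for the outstanding fetch
        opened += 1
        fps = url[len("/keys/fp/"):].split("+") if url.startswith("/keys/fp/") else []
        in_flight.update(fps)
        pending.append((t + rtt, fps))
    return opened, wanted - have


if __name__ == "__main__":
    for label, cache in (("cache has the certs", set(WANTED)),
                         ("cache lacks the certs", set())):
        for buggy in (True, False):
            opened, left = simulate(WANTED, cache, buggy, ticks=30)
            print(f"{label:22s} buggy={buggy!s:5s} "
                  f"connections={opened:3d} still missing={sorted(left)}")
```

     The "cache lacks the certs" row with buggy=True is the flood Scott saw:
one new DirPort connection every tick, forever, because every check finds
the fetch outstanding and fires the bare "/keys/fp" request anyway.  The
"cache has the certs" row is what Roger's workaround produces: once certs
for the two obsolete keys are served again, even an unpatched client fetches
them once and stops.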