> > btw i'm surprised you wrote https://github.com/nogoegst/rough/blob/master/tcp.go
> > instead of using https://github.com/google/gopacket
>
> You shouldn't; rough is just a convenient wrapper on top of TCP-ish
> stuff from gopacket (it makes TCP hacks simpler).

ah right. cool.

> > Maybe you could also implement my Tor guard discovery
> > attack that uses this vulnerability?
>
> Why not. I just don't know what the attack is. Can you point me to it?

On second thought I guess we better stick to writing scanners because if we start writing exploits then eventually some script kitty will come along and try to attack the Tor network with it; and even though my attack might not work it involves doing various things that utilize resources on the Tor network; so it would be bad for the health of the Tor network.

> > I've been asked to write a proof of concept but I don't feel motivated to do so.
> > Also, there are some doubts about whether this guard discovery attack would be
> > feasible on the real Tor network... though we could probably make it work in a test network.
> >
> > Now that such a small percentage of the Tor network is vulnerable it's probably safe/responsible
> > for me to post my theoretic Tor guard discovery attack, right?
>
> Hmm, I *don't* think that 1/4 of the network is actually a small
> percentage... [I think we should somehow encourage vulnerable relays to
> update their kernels to lower the affected percentage below ~10-15%.]
> Also, you saying "guard discovery attack based on pure off-path TCP
> attack" makes this *slightly* obvious. So if someone actually got it,
> it's likely that they're already exploiting it.

Its traffic profile would be obviously identifiable for passive network observers. A nation state actor would have much better/faster results using other well known publicly documented Tor guard discovery attacks. Pretty sure they like to be sneaky when they deanonymize Tor circuits.
I would however be very interested to hear back from tor-relay operators if any of them have found Challenge ACK counter values higher than a million... which would indicate some kind of funny business. Cheers, David
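Added example, not part of the thread: a small POSIX sh check a relay operator could run against the "higher than a million" figure above. It assumes the counter meant is the Linux kernel's TcpExt.TCPChallengeACK counter as exposed in /proc/net/netstat (a cumulative count since boot, paired header/value lines), and parses a constructed sample of that file so it runs anywhere.

```shell
#!/bin/sh
# Added example (not code from the thread). Parses the TcpExt block of
# /proc/net/netstat, where a header line of counter names is followed by a
# values line, and compares TCPChallengeACK against a threshold.

# Constructed sample in the two-line /proc/net/netstat format (abridged).
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv TCPChallengeACK TCPSYNChallenge
TcpExt: 0 0 1523042 17
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# challenge_ack_count NETSTAT_TEXT -> prints the TCPChallengeACK value,
# or nothing if the kernel does not export that counter.
challenge_ack_count() {
    printf '%s\n' "$1" | awk '
        # First TcpExt line: remember which column each counter name is in.
        $1 == "TcpExt:" && !have_hdr { for (i = 2; i <= NF; i++) col[$i] = i; have_hdr = 1; next }
        # Second TcpExt line: print the value in the TCPChallengeACK column.
        $1 == "TcpExt:" && have_hdr && ("TCPChallengeACK" in col) { print $col["TCPChallengeACK"]; exit }
    '
}

# challenge_ack_status COUNT [THRESHOLD] -> "ok", "suspicious" or "unknown".
# Threshold defaults to the one-million figure mentioned in the thread.
challenge_ack_status() {
    count="$1"; threshold="${2:-1000000}"
    if [ -z "$count" ]; then
        echo "unknown"
    elif [ "$count" -gt "$threshold" ]; then
        echo "suspicious"
    else
        echo "ok"
    fi
}

# On a live Linux relay, feed the real file instead of the constructed sample:
#   challenge_ack_count "$(cat /proc/net/netstat)"
main() {
    n="$(challenge_ack_count "$SAMPLE_NETSTAT")"
    echo "TCPChallengeACK=$n status=$(challenge_ack_status "$n")"
}
main
```

Because the counter is cumulative, a long-running relay will drift upward under normal load; sampling it twice a few minutes apart and looking at the rate is more telling than the absolute value alone.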
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays