Re: [tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

[Tor Relay <Tor@xxxxxxxxxxxxxxxxxxxxxxxxxxx>]

Could you please translate your instructions into XP that I might check 
and, if necessary, fix my relay?  (OnionTorte)

Thanks,

P


Jann Horn wrote:
> Well, the subject line pretty much says it all: Lots of Tor relays send out
> globally sequential IP IDs, which, as far as I know, allows a remote party to
> measure how fast the relay is sending out IP packets with high precision,
> possibly making statistical attacks possible that could e.g. pinpoint the entry
> guard a user or hidden service uses.
>
> This is how you can test whether a given relay has this issue:
>
> $ sudo hping3 -r --syn -p 443 176.199.74.186 --count 10
> HPING 176.199.74.186 (eth0 176.199.74.186): S set, 40 headers + 0 data bytes
> len=46 ip=176.199.74.186 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 rtt=33.2 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=5 win=8192 rtt=36.4 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+35 sport=443 flags=SA seq=6 win=8192 rtt=33.9 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+56 sport=443 flags=SA seq=7 win=8192 rtt=31.7 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+46 sport=443 flags=SA seq=8 win=8192 rtt=33.4 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=9 win=8192 rtt=33.7 ms
>
> In the last example, you can see that the "id" field has increased by 30-50 every second.
> That's an issue: It should be one of:
>
>  - always 0
>  - totally random
>
> It can also be that it increments by one every time; that probably means that the relay
> uses per-IP counters or so, and as far as I know, that should be fine.
>
>
> After a bit of testing, I think that this issue is present on a lot of Tor relay nodes. Here
> are the first few in the alphabet that look suspicious (didn't want to scan the whole Tor
> network):
<snip>

> Please, everyone, check whether your Tor relay node behaves this way, and if so,
> either change the behavior or take it offline until you can fix the issue.
>
> Tor is not designed to be secure if an attacker can measure traffic at both
> ends of a circuit (for a proof of concept for that, see
> <http://seclists.org/fulldisclosure/2014/Mar/414>), and if your relay has this
> issue, you're already allowing anyone to measure at your relay.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


--
Dirt kicked to the curb goes into the gutter.
Professionals kicked to the curb go into retail.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays