
Re: another DirPort DoS attacker



On Tue, Sep 02, 2008 at 08:20:47AM -0500, Scott Bennett wrote:
>      A short time ago, I found that 212.205.53.212 had several hundred open
> TCP connections to my tor server's DirPort, and very little relay traffic
> seemed to be getting past all of that.  I've now taken steps to prevent such
> connections from that IP address.  (That IP address has the name
> sahrsmtp03.cosmote.gr.)  Other tor server operators may (or may not) wish to
> follow suit.

Hi Scott,

I think I finally tracked down why these are happening.

They are being generated by obsolete Tors, running 0.2.0.8-alpha or
0.2.0.9-alpha. Those Tor versions are hoping to find v3 identity key
certificates from the old v3 authorities, from back before we changed
their keys due to the Debian RNG bug:
http://archives.seul.org/or/announce/May-2008/msg00000.html

Tor periodically asks itself if it has all the v3 identity certs it
wants, and if it's missing any then it launches requests for them. The
bug introduced in 0.2.0.8-alpha (2007-10-12)
http://archives.seul.org/or/cvs/Oct-2007/msg00117.html
and fixed in 0.2.0.10-alpha (2007-11-10)
http://archives.seul.org/or/cvs/Nov-2007/msg00065.html
was that if there were currently fetches in progress for every cert
that's missing, it would make a request for "/keys/fp" rather than making
no request.

That bug isn't a big deal when the certs you want are all available. You
get them eventually, and then you don't need them anymore so you stop
the connection flood. But if no caches have the certs either, you just
keep asking for them, and whenever a request is outstanding, you go into
a tight loop of connection flooding while you wait.

The fix? Well, we can't go make those people upgrade. We don't even know
who they are. The fix I'm working on now is to generate new certs for
the two obsolete keys (only moria1 and tor26 were v3 authorities back in
version 0.2.0.9-alpha), so these old clients will finally get what they
want and shut up. (They still won't work, because the networkstatus
consensus they get won't be signed by any of the keys they demand
signatures from, but at least they'll cry quietly to themselves rather
than harming the rest of the network.)

I'll let you know how it goes,
--Roger
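
The failure mode described in the message above, as an added example that is not part of the original message and is not Tor's source code: a simplified C model comparing how many directory requests a client launches with and without the empty-request bug when no cache can supply the wanted certs. The names `cert_want_t`, `build_cert_request` and `simulate`, the placeholder fingerprints, the `+`-joined path suffix and the tick/latency timing are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the behaviour described above; not Tor source code. */
typedef struct {
    const char *fp;  /* constructed placeholder, not a real fingerprint */
    int have_cert;   /* certificate already obtained */
    int in_flight;   /* a fetch for this certificate is outstanding */
} cert_want_t;

/* Returns 1 and fills `out` if a request is launched, else 0. buggy=1 models
 * the flaw: all missing certs in flight still yields a bare "/keys/fp". */
int build_cert_request(const cert_want_t *w, size_t n, int buggy,
                       char *out, size_t outlen) {
    size_t missing = 0, need = 0;
    snprintf(out, outlen, "/keys/fp");
    for (size_t i = 0; i < n; i++) {
        if (w[i].have_cert) continue;
        missing++;
        if (w[i].in_flight) continue;
        /* "/fp1+fp2" suffix format is an assumption of this model */
        strncat(out, need++ ? "+" : "/", outlen - strlen(out) - 1);
        strncat(out, w[i].fp, outlen - strlen(out) - 1);
    }
    if (missing == 0 || (need == 0 && !buggy)) { out[0] = '\0'; return 0; }
    return 1;
}

/* Requests launched over `ticks` checks; a real fetch fails after `latency`. */
int simulate(int buggy, int ticks, int latency) {
    cert_want_t w[2] = { {"MORIA1_OLD_FP", 0, 0}, {"TOR26_OLD_FP", 0, 0} };
    int launched = 0, remaining = 0;
    char path[128];
    for (int t = 0; t < ticks; t++) {
        if (remaining > 0 && --remaining == 0)
            w[0].in_flight = w[1].in_flight = 0;  /* no cache had the certs */
        if (!build_cert_request(w, 2, buggy, path, sizeof path)) continue;
        launched++;
        if (strcmp(path, "/keys/fp") != 0) {      /* a real fetch went out */
            w[0].in_flight = w[1].in_flight = 1;
            remaining = latency;
        }
    }
    return launched;
}

int main(void) {
    printf("fixed: %d  buggy: %d\n", simulate(0, 100, 10), simulate(1, 100, 10));
    return 0;
}
```

In this model the fixed client opens one connection per failed fetch, while the buggy client opens one on every check for as long as a fetch is outstanding.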