Well, the subject line pretty much says it all: Lots of Tor relays send out
globally sequential IP IDs, which, as far as I know, allows a remote party to
measure how fast the relay is sending out IP packets with high precision,
possibly making statistical attacks possible that could e.g. pinpoint the entry
guard a user or hidden service uses.
This is how you can test whether a given relay has this issue:
$ sudo hping3 -r --syn -p 443 176.199.74.186 --count 10
HPING 176.199.74.186 (eth0 176.199.74.186): S set, 40 headers + 0 data bytes
len=46 ip=176.199.74.186 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 rtt=33.2 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=5 win=8192 rtt=36.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+35 sport=443 flags=SA seq=6 win=8192 rtt=33.9 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+56 sport=443 flags=SA seq=7 win=8192 rtt=31.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+46 sport=443 flags=SA seq=8 win=8192 rtt=33.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=9 win=8192 rtt=33.7 ms
In the example above, you can see that the "id" field increases by 30-50 every second.
That's an issue. It should be one of:
- always 0
- totally random
It can also be that it increments by one every time; that probably means that the relay
uses per-IP counters or so, and as far as I know, that should be fine.
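As an added example (not part of the original post), here is a small Python script that turns the hping3 output quoted above into the classification just described: it reconstructs the absolute IP IDs from hping3's "id=+N" increments, labels the behaviour as zero, per-destination counter, global counter or random, and, for a global counter, estimates how many packets per second the host is sending to everyone else, which is exactly the quantity that leaks. The sample input is the reply lines from the post; the MAX_COUNTER_STEP threshold is my own heuristic, not something stated in the post.

```python
import re
from statistics import mean

# Constructed test input: the hping3 reply lines quoted in the post above.
# hping3 prints the first reply's IP ID as an absolute value ("id=3025") and,
# with -r, later IDs as the increment over the previous reply ("id=+38"),
# falling back to an absolute value whenever the ID did not increase.
HPING_OUTPUT = """\
HPING 176.199.74.186 (eth0 176.199.74.186): S set, 40 headers + 0 data bytes
len=46 ip=176.199.74.186 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 rtt=33.2 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=5 win=8192 rtt=36.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+35 sport=443 flags=SA seq=6 win=8192 rtt=33.9 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+56 sport=443 flags=SA seq=7 win=8192 rtt=31.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+46 sport=443 flags=SA seq=8 win=8192 rtt=33.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=9 win=8192 rtt=33.7 ms
"""

ID_FIELD = re.compile(r"\bid=(\+?)(\d+)\b")

# Heuristic threshold (my assumption, not from the post): a global counter
# advances by the number of packets the host sent between two probes, which at
# one probe per second stays far below this; random IDs jump across the whole
# 16-bit space.
MAX_COUNTER_STEP = 1 << 14


def parse_ip_ids(output):
    """Reconstruct the absolute 16-bit IP ID of every reply line, in order."""
    ids = []
    for line in output.splitlines():
        m = ID_FIELD.search(line)
        if not m:
            continue  # the HPING banner and the summary carry no id= field
        relative, value = m.group(1) == "+", int(m.group(2))
        if relative:
            if not ids:
                raise ValueError("relative id before any absolute id")
            value = (ids[-1] + value) & 0xFFFF
        ids.append(value)
    return ids


def id_deltas(ids):
    """Per-probe change of the IP ID, modulo 2^16 so a wraparound reads as a small step."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify(ids):
    """Label the IP ID behaviour using the categories from the post."""
    if len(ids) < 2:
        raise ValueError("need at least two replies")
    if all(i == 0 for i in ids):
        return "zero"
    d = id_deltas(ids)
    if all(x == 1 for x in d):
        return "per-destination counter"
    if all(0 < x < MAX_COUNTER_STEP for x in d):
        return "global counter"
    return "random"


def background_packet_rate(ids, interval_s=1.0):
    """Packets per second the host sent to *other* peers between probes.

    Only meaningful for a global counter: each probe reply consumes one ID, the
    rest of the increment is traffic to everyone else. interval_s is hping3's
    probe spacing (one second by default).
    """
    return (mean(id_deltas(ids)) - 1) / interval_s


if __name__ == "__main__":
    ids = parse_ip_ids(HPING_OUTPUT)
    print(ids)
    print(classify(ids))
    print(f"{background_packet_rate(ids):.1f} other packets/s")
```

Run it against the output of your own `hping3 -r` probe (or paste the lines into HPING_OUTPUT): a "global counter" verdict means the relay exposes its packet rate to anyone who can reach it, while "zero", "random" and "per-destination counter" match the acceptable behaviours listed above.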
After a bit of testing, I think that this issue is present on a lot of Tor relay nodes. Here
are the first few in the alphabet that look suspicious (didn't want to scan the whole Tor
network):
nickname IP port first-id id-change-on-next-four-probes
0000MiddlemanWV 65.199.52.129 9029 21948 +1 +3 +1 +8
000AAA420 86.56.139.182 9001 14461 +177 +176 +168 +145
0urHomeOnNativeLand 64.231.156.165 443 18012 +4 +16 +11 +12
0x05942 178.77.69.130 443 8387 +5 +6 +7 +4
1234bubs 2.108.151.161 443 17042 +19 +23 +22 +18
1294538115 86.195.35.119 50501 31861 +104 +116 +68 +114
2mpdhack 98.216.168.108 80 41481 +194 +162 +213 +174
404server 119.30.250.67 6699 53620 +195 +5 +1 +3
4144414D 2.120.211.98 443 28587 +1 +1 +1 +1
594ec291a82938230 199.127.56.76 49152 20690 +861 +893 +328 +338
5979ft 97.122.184.135 443 15586 +1 +1 +1 +1
69m3x1xans 98.219.70.159 443 63 +320 +286 953 +286
6cody5 76.108.230.244 443 28107 +59 +57 +73 +71
8930 71.127.151.26 443 3119 +111 +83 +53 +59
8Mu 128.71.234.171 443 19080 +578 +570 +292 +699
Absolution 94.247.41.130 9001 34427 +842 +688 +684 +636
Ace 121.211.92.6 9001 21567 +1 +1 +1 +1
Achim 79.251.152.183 452 8925 +1 +1 +1 +1
admtg 94.73.222.62 443 3025 +441 +286 +318 +286
Aeroplan 46.72.45.143 9001 29676 +166 +184 +189 +169
AetherTor 71.135.40.76 443 13379 +4 +3 +3 +3
alakazam 74.52.112.2 443 30616 +221 +234 +210 +249
aldgate 93.130.179.10 443 10989 +2 +13 +20 +4
AlfredJKwak 87.212.11.165 9031 13676 +22 +14 +2 +8
aliceandbob 66.85.144.247 9001 2869 +20 +7 +23 +30
AllCowsEatGrass 173.48.97.207 443 30159 +404 +783 +616 +401
amercury 195.64.199.236 9001 26102 +1 +1 +3 +1
amercury 87.224.217.221 9001 7043 +26 +6 +15 +13
amercury 94.31.242.41 9001 27049 +41 +33 +88 +81
AmurTor23 2.93.161.46 9002 48802 +4 +115 +14 +34
anonion 86.160.123.126 443 34526 +79 +94 +111 +57
AnonMan 173.69.9.25 443 23551 +24 +33 +43 +51
anonymous 94.208.144.120 9001 24891 +391 +392 26027 +354
anonymous123 117.16.24.142 443 6806 +19 +40 +56 +19
AnonymousW 173.57.117.197 443 9862 +1 +1 +1 +1
AnonymTorProxy2 78.42.56.35 9002 6479 +246 +266 +258 +234
ApophisGER 176.198.48.99 555 6287 +1 +2 +2 +8
ArnoNym 178.142.2.45 443 21741 +83 +112 +57 +32
Arrowslash 90.1.117.14 443 1572 +90 +166 +4 +180
Arruffapopoli 84.223.102.90 4433 56233 +59 +60 +57 +54
AsCI 158.110.41.101 9002 53052 +1 +1 +1 +1
Please, everyone, check whether your Tor relay node behaves this way, and if so,
either change the behavior or take it offline until you can fix the issue.
Tor is not designed to be secure if an attacker can measure traffic at both
ends of a circuit (for a proof of concept for that, see
<http://seclists.org/fulldisclosure/2014/Mar/414>), and if your relay has this
issue, you're already allowing anyone to measure at your relay.