Hi Jason,
Thanks for your observation. I'll try to investigate soon.
Cheers,
David
On Thu, Nov 17, 2016 at 12:02:05PM -0500, Jason Ross wrote:
Hi David,
Thanks for the heads-up! It turns out that my relay is in the list of affected hosts, however, the kernel I was running (3.16.36-1+deb8u1) is claimed by Debian to be fixed (see: https://security-tracker.debian.org/tracker/CVE-2016-5696).
Since your script determines whether the host is affected or not based on the actual TCP comms (rather than banner grabbing a kernel version or something), I'm not sure what to make of that - it would seem to indicate that either the weighting you've devised doesn't fit Debian hosts, or it could indicate perhaps that the patch Debian maintainers applied to address the issue wasn't sufficient. I won't pretend to be clueful enough about low-level TCP stack programming to be able to tell for sure which is the case, but wanted to mention it in case others see the same thing.
For my part, I've since updated the kernel on my relay to 3.16.36-1+deb8u2, and applied the sysctl work-around as an additional measure. I checked the ACK count using netstat both before and after, and have included those results here:
Before: TCPChallengeACK: 1107 TCPSYNChallenge: 7
After: TCPChallengeACK: 2 TCPSYNChallenge: 2
Thanks!
-- Jason
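The before/after check Jason describes reads two cumulative counters from the kernel's TcpExt statistics (the same numbers `netstat -s` prints as TCPChallengeACK and TCPSYNChallenge). The script below is an added example for this thread, not code from the posts or from the scan_tor_rfc5961 repository: it parses those counters from `/proc/net/netstat`-style input, reports the change between two snapshots (flagging a counter that went backwards, as happens after the reboot Jason did), and checks whether the `net.ipv4.tcp_challenge_ack_limit` sysctl is raised. The thread does not name the sysctl; the assumption here is the widely published CVE-2016-5696 work-around, which sets that limit to a very large value (999999999 in most advisories) instead of the old default of 100. The sample statistics block is constructed, trimmed to a few columns.

```shell
#!/bin/sh
# Added example (not from the thread). On a live host, feed the real files:
#   tcpext_counter TCPChallengeACK < /proc/net/netstat
#   sysctl -n net.ipv4.tcp_challenge_ack_limit | challenge_ack_limit_ok

# Constructed sample of /proc/net/netstat: a "TcpExt:" header line of counter
# names, a "TcpExt:" line of values in the same order, then the IpExt pair.
# The real file has many more columns; the values echo Jason's "before" numbers.
SAMPLE_NETSTAT='TcpExt: SyncookiesSent TCPChallengeACK TCPSYNChallenge TCPACKSkippedSynRecv
TcpExt: 0 1107 7 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# Print the value of one TcpExt counter read from stdin (nothing if absent).
# The first TcpExt: line names the columns, the second carries the values.
tcpext_counter() {
    awk -v name="$1" '
        $1 == "TcpExt:" && !have_header {
            for (i = 2; i <= NF; i++) if ($i == name) col = i
            have_header = 1
            next
        }
        $1 == "TcpExt:" && have_header { if (col) print $col; exit }
    '
}

# Change in a cumulative counter between two snapshots. Counters only reset
# on reboot, so a decrease means the host rebooted between the readings and
# the two values are not comparable.
counter_delta() {   # args: before after
    if [ "$2" -lt "$1" ]; then
        echo reset
    else
        echo $(( $2 - $1 ))
    fi
}

# Read a sysctl value from stdin; succeed only if it is raised to the
# published work-around level (assumed here: >= 999999999).
challenge_ack_limit_ok() {
    read -r limit
    [ "$limit" -ge 999999999 ] 2>/dev/null
}

# Demonstration on the constructed sample.
printf 'TCPChallengeACK: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | tcpext_counter TCPChallengeACK)"
printf 'TCPSYNChallenge: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | tcpext_counter TCPSYNChallenge)"
printf 'delta 1107 -> 2: %s\n' "$(counter_delta 1107 2)"
if echo 100 | challenge_ack_limit_ok; then
    echo 'tcp_challenge_ack_limit: raised'
else
    echo 'tcp_challenge_ack_limit: still at a low value, work-around not applied'
fi
```

Take the two counter readings a known interval apart on a host that has not rebooted in between; a large, steady delta on an idle relay is the thing to look at, whereas a single cumulative number since boot says little on its own.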
On Thu, Nov 17, 2016 at 2:30 AM, dawuud <dawuud@riseup.net> wrote:
Hi.
I added the scan output to the repo, this includes the output csv file and a list of vulnerable relays:
https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_...
Upgrade your Linux kernel and reboot your tor relays!
Cheers, David
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays