dawuud:
Maybe you could also implement my Tor guard discovery attack that uses this vulnerability?
Why not. I just don't know what the attack is. Can you point me to it?
On second thought I guess we better stick to writing scanners because if we start writing exploits then eventually some script kitty will come along and try to attack the Tor network with it; and even though my attack might not work it involves doing various things that utilize resources on the Tor network; so it would be bad for the health of the Tor network.
Right, I didn't mean that to be an exploit but just a PoC of this attack vector. But you're right, I hadn't thought that it would put load on the network, and doing this is definitely not OK. It's not just some harmless TCP segments; there is much more than that (circuit rebuilding, etc.).
Its traffic profile would be obviously identifiable for passive network observers. A nation-state actor would have much better/faster results using other well-known, publicly documented Tor guard discovery attacks. Pretty sure they like to be sneaky when they deanonymize Tor circuits.
It doesn't mean that nobody would like to use it. There are attackers that use botnets to do their nasty business, and they don't care much about how visible it is.
I would, however, be very interested to hear back from tor-relay operators if any of them have found Challenge ACK counter values higher than a million... which would indicate some kind of funny business.
It may not indicate this. Since I was able to scan the whole Tor network in just 7 minutes (someone can use more than 127 concurrent scans and scan even faster), it may indicate that some aggressive scanning is going on by multiple parties.
-- Ivan Markin