Hi David,
Thanks for your work!
dawuud:
I added the scan output to the repo, this includes the output csv file and a list of vulnerable relays:
https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_...
FYI, I produced results with platform strings and fingerprints based on this data [1].
It's pretty interesting that not only Linux relays are 'vulnerable' (90 < ChACKs < 220) in David's scan:
% cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor
Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
After I rescanned these relays myself several times, the FreeBSD ones stopped being 'vulnerable' while the NetBSD ones somehow still reproduce the 'vulnerable' Linux status.
I don't know why this happens; maybe someone can scan these relays (or maybe all NetBSD ones, due to TCP stack specifics) themselves and get different results. Anyway, these are just curious false positives.
[1] https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_...
-- Ivan Markin
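An added Python example, not part of this thread and not code from either scan repository: it reads rows in the CSV layout quoted above, recomputes the verdict with the 90 < ChACKs < 220 rule Ivan mentions, and lists the relays the `grep -v notvulnerable | grep -v Linux` pipeline would print, broken down by OS family. The column meanings (elapsed seconds, probes sent, challenge ACKs observed) are assumptions inferred from the shape of the data; the six BSD rows are the ones quoted in the e-mail, and the three Linux/OpenBSD rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Sample input. The six BSD rows are the ones quoted in the e-mail; the last
# three rows (TEST-NET addresses, placeholder fingerprints) are constructed.
SAMPLE_CSV = """\
Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
Tor 0.2.8.9 on Linux,0000000000000000000000000000000000000001,192.0.2.10:9001,1.01,500,104,vulnerable
Tor 0.2.8.9 on Linux,0000000000000000000000000000000000000002,192.0.2.11:443,1.02,500,500,notvulnerable
Tor 0.2.8.9 on OpenBSD,0000000000000000000000000000000000000003,198.51.100.7:9001,0.99,500,0,notvulnerable
"""

# Assumed column layout (not documented on the page): platform string, relay
# fingerprint, ip:port, elapsed seconds, probes sent, challenge ACKs seen, verdict.
FIELDS = ("platform", "fingerprint", "address", "elapsed", "probes", "chacks", "verdict")


def parse_rows(text):
    """Parse the scan CSV into a list of dicts with numeric fields converted."""
    rows = []
    for raw in csv.reader(io.StringIO(text)):
        if len(raw) != len(FIELDS):
            continue  # skip blank or malformed lines rather than crash
        row = dict(zip(FIELDS, raw))
        row["elapsed"] = float(row["elapsed"])
        row["probes"] = int(row["probes"])
        row["chacks"] = int(row["chacks"])
        rows.append(row)
    return rows


def classify(chacks, low=90, high=220):
    """Apply the heuristic from the e-mail: 90 < ChACKs < 220 means 'vulnerable'.
    A host answering every probe (or none) falls outside the band."""
    return "vulnerable" if low < chacks < high else "notvulnerable"


def os_family(platform):
    """'Tor 0.2.8.9 on NetBSD' -> 'NetBSD'."""
    return platform.rsplit(" on ", 1)[1] if " on " in platform else "unknown"


def non_linux_flagged(rows):
    """Equivalent of: grep -v notvulnerable | grep -v Linux | grep Tor."""
    return [r for r in rows
            if r["verdict"] != "notvulnerable"
            and os_family(r["platform"]) != "Linux"
            and r["platform"].startswith("Tor")]


def verdict_mismatches(rows):
    """Addresses whose recorded verdict disagrees with the recomputed one."""
    return [r["address"] for r in rows if classify(r["chacks"]) != r["verdict"]]


def summarize(rows):
    """Count verdicts per OS family, e.g. {'NetBSD': {'vulnerable': 4}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        counts[os_family(r["platform"])][r["verdict"]] += 1
    return {os_: dict(v) for os_, v in counts.items()}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for r in non_linux_flagged(rows):
        print(f"{r['platform']:24} {r['address']:22} chacks={r['chacks']:3} "
              f"({r['chacks'] / r['probes']:.0%} of {r['probes']} probes)")
    print("mismatches:", verdict_mismatches(rows))
    print("by OS:", summarize(rows))
```

Rescan results that drift between runs, as Ivan reports for the FreeBSD relays, show up here as a row whose recomputed verdict lands on the other side of the band; keeping the raw ChACK count next to the verdict is what makes that visible.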