Could you please translate your instructions into XP that I might check and, if necessary, fix my relay? (OnionTorte)
Thanks,
P
Jann Horn wrote:
Well, the subject line pretty much says it all: Lots of Tor relays send out globally sequential IP IDs, which, as far as I know, allows a remote party to measure how fast the relay is sending out IP packets with high precision, possibly making statistical attacks possible that could e.g. pinpoint the entry guard a user or hidden service uses.
This is how you can test whether a given relay has this issue:
$ sudo hping3 -r --syn -p 443 176.199.74.186 --count 10
HPING 176.199.74.186 (eth0 176.199.74.186): S set, 40 headers + 0 data bytes
len=46 ip=176.199.74.186 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 rtt=33.2 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=5 win=8192 rtt=36.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+35 sport=443 flags=SA seq=6 win=8192 rtt=33.9 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+56 sport=443 flags=SA seq=7 win=8192 rtt=31.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+46 sport=443 flags=SA seq=8 win=8192 rtt=33.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=9 win=8192 rtt=33.7 ms
In the last example, you can see that the "id" field has increased by 30-50 every second. That's an issue: It should be one of:
- always 0
- totally random
It can also be that it increments by one every time; that probably means that the relay uses per-IP counters or so, and as far as I know, that should be fine.
After a bit of testing, I think that this issue is present on a lot of Tor relay nodes. Here are the first few in the alphabet that look suspicious (didn't want to scan the whole Tor network):
<snip>
Please, everyone, check whether your Tor relay node behaves this way, and if so, either change the behavior or take it offline until you can fix the issue.
Tor is not designed to be secure if an attacker can measure traffic at both ends of a circuit (for a proof of concept for that, see http://seclists.org/fulldisclosure/2014/Mar/414), and if your relay has this issue, you're already allowing anyone to measure at your relay.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
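As an added example (not part of the thread and not code from Jann Horn or the Tor project), the following Python script automates the self-check described above for a relay operator: it parses the reply lines of `hping3` output (both the relative `id=+N` form printed by `-r` and plain absolute ids), reconstructs the IP ID sequence modulo 2^16, and sorts the relay into the four behaviours the message distinguishes: always zero, random, incrementing by one (a per-destination counter), or a global counter whose step reveals the relay's total packet rate. The sample output, the 192.0.2.x address and the 2000 step threshold are constructed assumptions; the threshold is only a heuristic to separate a busy global counter from randomly chosen ids.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `hping3 -r` output: the first reply carries
# the absolute IP ID, later replies show the increment since the previous reply.
SAMPLE_GLOBAL_COUNTER = """\
HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
len=46 ip=192.0.2.10 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
len=46 ip=192.0.2.10 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
len=46 ip=192.0.2.10 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
len=46 ip=192.0.2.10 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 rtt=33.2 ms
"""

ID_RE = re.compile(r"\bid=(\+?)(\d+)\b")
MAX_GLOBAL_STEP = 2000  # assumed heuristic: larger per-second jumps are treated as random


def parse_ip_ids(output: str) -> List[int]:
    """Return the IP ID of every reply line, as absolute 16-bit values.

    Lines without an id field (banner, statistics) are skipped. A relative
    id (id=+N, from hping3 -r) is added to the previous reconstructed id.
    """
    ids: List[int] = []
    for line in output.splitlines():
        match = ID_RE.search(line)
        if not match:
            continue
        relative, value = match.group(1) == "+", int(match.group(2))
        if relative:
            if not ids:
                raise ValueError("relative id seen before any absolute id")
            ids.append((ids[-1] + value) & 0xFFFF)
        else:
            ids.append(value & 0xFFFF)
    return ids


def ip_id_steps(ids: List[int]) -> List[int]:
    """Differences between consecutive ids, modulo 2^16 so wraparound is handled."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify_ip_ids(ids: List[int], max_global_step: int = MAX_GLOBAL_STEP) -> str:
    """Classify the id behaviour into the four cases from the mailing-list post."""
    if len(ids) < 3:
        raise ValueError("need at least three replies for a meaningful verdict")
    if all(i == 0 for i in ids):
        return "zero"  # fine: nothing to observe
    steps = ip_id_steps(ids)
    if all(s == 1 for s in steps):
        return "per-destination"  # counter only our probes advance: fine
    if all(1 < s <= max_global_step for s in steps):
        return "global"  # step equals packets the host sent to everyone in between
    return "random"  # fine: no usable ordering information


def relay_report(output: str) -> Dict[str, object]:
    """Parse hping3 output and summarise what a remote observer can learn.

    For a global counter probed once per second, the mean step is roughly the
    relay's total outgoing packet rate, which is exactly the leak the post warns about.
    """
    ids = parse_ip_ids(output)
    verdict = classify_ip_ids(ids)
    steps = ip_id_steps(ids)
    return {
        "verdict": verdict,
        "replies": len(ids),
        "mean_step": sum(steps) / len(steps),
        "needs_fix": verdict == "global",
    }


if __name__ == "__main__":
    print(relay_report(SAMPLE_GLOBAL_COUNTER))
```

In practice you would pipe the real `hping3 -r --syn -p 443 <your relay> --count 10` output into `relay_report`; a `"global"` verdict means the relay should be reconfigured (or taken offline, as the post asks) before it is put back on the network.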