btw i'm surprised you wrote https://github.com/nogoegst/rough/blob/master/tcp.go instead of using https://github.com/google/gopacket
You shouldn't; rough is just a convenient wrapper on top of TCP-ish stuff from gopacket (it makes TCP hacks simpler).
ah right. cool.
Maybe you could also implement my Tor guard discovery attack that uses this vulnerability?
Why not. I just don't know what the attack is. Can you point me to it?
On second thought I guess we better stick to writing scanners because if we start writing exploits then eventually some script kitty will come along and try to attack the Tor network with it; and even though my attack might not work it involves doing various things that utilize resources on the Tor network; so it would be bad for the health of the Tor network.
I've been asked to write a proof of concept but I don't feel motivated to do so. Also, there are some doubts about whether this guard discovery attack would be feasible on the real Tor network... though we could probably make it work in a test network.
Now that such a small percentage of the Tor network is vulnerable it's probably safe/responsible for me to post my theoretic Tor guard discovery attack, right?
Hmm, I *don't* think that 1/4 of the network is actually a small percentage... [I think we should somehow encourage vulnerable relays to update their kernels to lower the affected percentage below ~10-15%.]
Also, you saying "guard discovery attack based on pure off-path TCP attack" makes this *slightly* obvious. So if someone actually got it, it's likely that they're already exploiting it.
Its traffic profile would be obviously identifiable for passive network observers. A nation state actor would have much better/faster results using other well known publicly documented Tor guard discovery attacks. Pretty sure they like to be sneaky when they deanonymize Tor circuits.
I would however be very interested to hear back from tor-relay operators if any of them have found Challenge ACK counter values higher than a million... which would indicate some kind of funny business.
Cheers, David