Fwd: Potential vulnerability found in your Tor Relay
Hi all,

Just got the below notice from researchers. Is the stated vulnerability an actively exploited problem or is this a DoS attack by scaremongering? This topic seems to have been covered in https://nusenu.medium.com/how-vulnerable-is-the-tor-network-to-bgp-hijacking... but I am not sure how to apply it to my situation.

I have turned off the Guard capability for now. Doubtful I can influence the service provider to get them to publish a new ROA. Is there another mitigation?

Regrets to all who were using the service :(

-------- Forwarded Message --------
Subject: Potential vulnerability found in your Tor Relay
Date: Thu, 18 Dec 2025 23:57:20 +0000
From: ENGR - SIDR

Hello,

We are writing to alert you that your Tor relay(s) (Pasquino3) is/are vulnerable to active BGP attacks that could be used to de-anonymize users. The best mitigation to help protect your relay is to have your service provider publish a ROA for prefix(es) 209.44.96.0/19 at AS(es) 10929 with a maxLength(s) of 19.

We are researchers from the University of Connecticut reaching out to inform you that your Tor guard relay with IP address(es) 209.44.114.178 (Pasquino3) is/are currently covered by a Route Origin Authorization (ROA) which has an improperly configured maxLength attribute. This makes it vulnerable to BGP subprefix origin hijacks, where a malicious autonomous-system-level attacker may announce a subprefix of 209.44.96.0/19 and misdirect traffic destined with a high (>99%) rate of success. Guidance on how to correctly set the maxLength attribute is contained in https://datatracker.ietf.org/doc/html/rfc9319.

We determined this vulnerability using public data sets including relay information from the Tor consensus, the RIPEStat data for IP prefix, and ROA coverage information. Feel free to contact us if you have further questions.

For further information on ROAs, see https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/bgp-origin...

If you are not a Tor relay operator and this message reached you in error, please let us know.

Thank you,
UConn Secure Interdomain Routing Group
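The notice's recommendation (a maxLength equal to the prefix length, per RFC 9319) is easiest to understand by running the two ROA variants through route origin validation itself. The Python below is an added example written for this thread; it is not the UConn group's tooling and not code from any list participant. It implements the RFC 6811 validation states and compares the ROA the notice asks for (209.44.96.0/19, AS 10929, maxLength 19) with a looser ROA whose maxLength of 24 is an assumed value, since the notice does not state the current setting. AS 64496 is a documentation ASN standing in for an unrelated origin, and the /24 announcements are constructed sample input.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: covered prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    origin_as: int


# ROA exactly as the notice recommends it: maxLength equal to the /19 itself.
STRICT_ROA = ROA("209.44.96.0/19", 19, 10929)
# Constructed looser ROA for comparison. The notice does not state the
# current maxLength on the real object, so 24 is an assumed value.
LOOSE_ROA = ROA("209.44.96.0/19", 24, 10929)


def covering_roas(roas, announced):
    """ROAs whose prefix contains the announced prefix (same address family only)."""
    ann = ip_network(announced, strict=False)
    found = []
    for roa in roas:
        net = ip_network(roa.prefix, strict=False)
        if net.version == ann.version and ann.subnet_of(net):
            found.append(roa)
    return found


def rov_state(roas, announced, origin_as):
    """RFC 6811 validation state of one announcement: valid, invalid or not-found.

    valid     = a covering ROA lists this origin AS and its maxLength admits the
                announced prefix length;
    invalid   = covering ROAs exist but none matches;
    not-found = no ROA covers the announced prefix at all.
    """
    ann = ip_network(announced, strict=False)
    covering = covering_roas(roas, announced)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == origin_as and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def rov_accepts(roas, announced, origin_as):
    """Common ROV policy: drop only 'invalid'; 'not-found' is still accepted,
    so a ROA only protects against announcements it can actually mark invalid."""
    return rov_state(roas, announced, origin_as) != "invalid"


def forged_origin_window(roa):
    """Prefix lengths at which a more-specific announcement that spoofs the
    authorized origin AS would still validate as RPKI-valid. This is the exposure
    RFC 9319 warns about; the list is empty when maxLength equals the prefix length."""
    plen = ip_network(roa.prefix, strict=False).prefixlen
    return list(range(plen + 1, roa.max_length + 1))


if __name__ == "__main__":
    cases = [
        ("209.44.96.0/19", 10929),   # the legitimate /19 from AS 10929
        ("209.44.114.0/24", 10929),  # constructed more-specific with a forged origin
        ("209.44.114.0/24", 64496),  # constructed more-specific from an unrelated AS
    ]
    for label, roa in (("loose maxLength 24", LOOSE_ROA), ("strict maxLength 19", STRICT_ROA)):
        for announced, asn in cases:
            print(f"{label}: {announced} origin AS{asn} -> {rov_state([roa], announced, asn)}")
        print(f"{label}: forged-origin window {forged_origin_window(roa)}")
```

With the loose ROA, a /24 carved out of the /19 that claims AS 10929 as origin is RPKI-valid, so ROV-enforcing networks accept it and prefer the more specific route; with maxLength 19 the same announcement is invalid regardless of which origin AS it claims, which is why the notice asks for the ROA to be tightened rather than for any change on the relay itself.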
On 18.12.2025 19:46 krishna e bera via tor-relays <tor-relays@lists.torproject.org> wrote:

> but I am not sure how to apply it to my situation.

As long as you don't own the address space, you cannot change ROA or IRR settings; your ISP can. I also received that message and it seems to be an automated mass mailing. They also don't answer replies.

--
kind regards
Marco

Send spam to abfall1766083588@stinkedores.dorfdsl.de
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello.

krishna e bera wrote:
> Is the stated vulnerability an actively exploited problem or is this a DoS attack by scaremongering?

My guess is it is neither. I would bet that it's just some over-excited researchers who want to get the news out about just how awful BGP is. But, while it is "exploitable", there's not much that can be done with it. All an attacker could do is cause the connections destined for your relay to go to their servers instead. But crucially, they do not have your relay key, so all other relays and clients would refuse to connect to them.

I suppose it could be used in combination with a guard discovery attack to deanonymize a small set of people if the attacker does not have any access between you and the targets (and cannot buy NetFlow logs, etc.). They could perform BGP hijacking then monitor which IPs are trying to connect to them to discover if they are users of your guard. Such an attack is very noisy and would not go unnoticed for long.

Think of it like a remote denial of service attack where the attackers are also able to see who is getting denied.

> I have turned off the Guard capability for now.

You don't have to turn it off. It's still helpful to the network.

Regards,
forest
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvLrj6cuOL+I/KdxYBh18rEKN1gsFAmlFHysACgkQBh18rEKN
1gsQzRAAgsyP9JwTEdQUlnDC+f49rcvlrSzCSQ5bXIw5XofWcmvITWlX4/ll/sjE
x/GUEF5CEXI0EISosWNp2u+w3/BwYou0Zz/ihcrH+STACnt2OaD2x6Em2jEebYUU
+WKmIlCVqIlsBNr99KecS0QOz2pBUthkb1/sw6quwgPi/Yi2HIQpKzUXECJwgBbc
RpVZCE7xAGS1rsm2oNR3KDbUXGrbvY0WAOFxYbBtJtPvA3sbsWNIrMm6Q1QVqmf9
9j6cUP+aNs8uKi9BWLcEhQAv9Pb657IUvONHI90mq8aGz+iW3oN/bRFd/1XLUrL7
sE2zmuEvQsLDFEyZrK0eQTShtO7ZVT9D37AiBxUxIDM3XdDpCNgd9HqlVd0Nbr0G
j9aK2k3W+BdpptjHVTfaL/M9P9UePNMzuZTCTNsHygx3b8aJsOFuYKOAgitcfmYY
mkRjtW343IzKC67MCJEGe+qISodnnzXJ9iMiEj0gqNknOzbaJaZm0ndhDcTovijy
YiNVZ84H/+JA5DnRZ43JkXLTjitO+vZbWvR9obCs9fkgDXm6Z4CJadHiXCEkTwpj
UIySlPjq0au4ln2uzKoYO4fwSJ+M/sMbDVu9IxtL1UlENMBTd4v6XLUvv7T1SmT2
DUodg7WO2uzRfdpacm5uYafLh5mkAnCmc5ZLE6wkvsLArW0z/VQ=
=hGdW
-----END PGP SIGNATURE-----
On 19 December 2025 00:46:28 GMT, krishna e bera via tor-relays <tor-relays@lists.torproject.org> wrote:

> Hi all,
>
> Just got the below notice from researchers.
> Is the stated vulnerability an actively exploited problem or is this a DoS attack by scaremongering?
> This topic seems to have been covered in https://nusenu.medium.com/how-vulnerable-is-the-tor-network-to-bgp-hijacking...
> but I am not sure how to apply it to my situation.
> I have turned off the Guard capability for now.
> Doubtful I can influence the service provider to get them to publish a new ROA.
> Is there another mitigation?
> Regrets to all who were using the service :(
>
> -------- Forwarded Message --------
> Subject: Potential vulnerability found in your Tor Relay
> Date: Thu, 18 Dec 2025 23:57:20 +0000
> From: ENGR - SIDR
>
> Hello,
>
> We are writing to alert you that your Tor relay(s) (Pasquino3) is/are vulnerable to active BGP attacks that could be used to de-anonymize users. The best mitigation to help protect your relay is to have your service provider publish a ROA for prefix(es) 209.44.96.0/19 at AS(es) 10929 with a maxLength(s) of 19.
>
> We are researchers from the University of Connecticut reaching out to inform you that your Tor guard relay with IP address(es) 209.44.114.178 (Pasquino3) is/are currently covered by a Route Origin Authorization (ROA) which has an improperly configured maxLength attribute. This makes it vulnerable to BGP subprefix origin hijacks, where a malicious autonomous-system-level attacker may announce a subprefix of 209.44.96.0/19 and misdirect traffic destined with a high (>99%) rate of success. Guidance on how to correctly set the maxLength attribute is contained in https://datatracker.ietf.org/doc/html/rfc9319.
>
> We determined this vulnerability using public data sets including relay information from the Tor consensus, the RIPEStat data for IP prefix, and ROA coverage information. Feel free to contact us if you have further questions.
>
> For further information on ROAs, see https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/bgp-origin...
>
> If you are not a Tor relay operator and this message reached you in error, please let us know.
>
> Thank you,
> UConn Secure Interdomain Routing Group
> _______________________________________________
> tor-relays mailing list -- tor-relays@lists.torproject.org
> To unsubscribe send an email to tor-relays-leave@lists.torproject.org
I have just received this message too. Any advice would be helpful.

Mick

--
Sent from a mobile device. Please excuse my brevity.
Hello,

I got the same message this week for my servers. I find it difficult to determine the actual risk, but even if there's a small chance it can be used to de-anonymize or cause havoc like spamming or DDoS, it's worth solving in my opinion. Setting maxLength smaller reduces the attack surface at least, but really solving it needs stuff like BGPSec.

Reached out to my service provider and they sent my request to the specific department. I'm curious what they will respond.

Regards,
Jonathan

On 19 December 2025 01:46:28 CET, krishna e bera via tor-relays <tor-relays@lists.torproject.org> wrote:
> Hi all,
>
> Just got the below notice from researchers.
> Is the stated vulnerability an actively exploited problem or is this a DoS attack by scaremongering?
> This topic seems to have been covered in https://nusenu.medium.com/how-vulnerable-is-the-tor-network-to-bgp-hijacking...
> but I am not sure how to apply it to my situation.
> I have turned off the Guard capability for now.
> Doubtful I can influence the service provider to get them to publish a new ROA.
> Is there another mitigation?
> Regrets to all who were using the service :(
>
> -------- Forwarded Message --------
> Subject: Potential vulnerability found in your Tor Relay
> Date: Thu, 18 Dec 2025 23:57:20 +0000
> From: ENGR - SIDR
>
> Hello,
>
> We are writing to alert you that your Tor relay(s) (Pasquino3) is/are vulnerable to active BGP attacks that could be used to de-anonymize users. The best mitigation to help protect your relay is to have your service provider publish a ROA for prefix(es) 209.44.96.0/19 at AS(es) 10929 with a maxLength(s) of 19.
>
> We are researchers from the University of Connecticut reaching out to inform you that your Tor guard relay with IP address(es) 209.44.114.178 (Pasquino3) is/are currently covered by a Route Origin Authorization (ROA) which has an improperly configured maxLength attribute. This makes it vulnerable to BGP subprefix origin hijacks, where a malicious autonomous-system-level attacker may announce a subprefix of 209.44.96.0/19 and misdirect traffic destined with a high (>99%) rate of success. Guidance on how to correctly set the maxLength attribute is contained in https://datatracker.ietf.org/doc/html/rfc9319.
>
> We determined this vulnerability using public data sets including relay information from the Tor consensus, the RIPEStat data for IP prefix, and ROA coverage information. Feel free to contact us if you have further questions.
>
> For further information on ROAs, see https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/bgp-origin...
>
> If you are not a Tor relay operator and this message reached you in error, please let us know.
>
> Thank you,
> UConn Secure Interdomain Routing Group
--
/ Jonathan van der Steege
My GnuPG key is: c6f32128e7522f4acb878d6a4a9f0b50ace75416 <https://keys.openpgp.org/search?q=jonathan@jonakeys.nl>
This is also my assessment. It is "real" but not very high risk. I got the same notice and may have some traction since my "ISP" is another unit in my university. If you can get it fixed that's better, but if your ISP doesn't respond I wouldn't change your operations because of it.

-Jon

--
Jonathan Proulx (he/him)
Sr. Technical Architect
The Infrastructure Group
MIT CSAIL

On Fri, Dec 19, 2025 at 09:47:59AM +0000, forest-relay-contact--- via tor-relays wrote:
:-----BEGIN PGP SIGNED MESSAGE-----
:Hash: SHA512
:
:Hello.
:
:krishna e bera wrote:
:> Is the stated vulnerability an actively exploited problem or is this
:> a DoS attack by scaremongering?
:
:My guess is it is neither. I would bet that it's just some over-excited
:researchers who want to get the news out about just how awful BGP is.
:But, while it is "exploitable", there's not much that can be done with
:it. All an attacker could do is cause the connections destined for your
:relay to go to their servers instead. But crucially, they do not have
:your relay key, so all other relays and clients would refuse to connect
:to them.
:
:I suppose it could be used in combination with a guard discovery attack
:to deanonymize a small set of people if the attacker does not have any
:access between you and the targets (and cannot buy NetFlow logs, etc.).
:They could perform BGP hijacking then monitor which IPs are trying to
:connect to them to discover if they are users of your guard. Such an
:attack is very noisy and would not go unnoticed for long.
:
:Think of it like a remote denial of service attack where the attackers
:are also able to see who is getting denied.
:
:> I have turned off the Guard capability for now.
:
:You don't have to turn it off. It's still helpful to the network.
:
:Regards,
:forest
participants (6)
- forest-relay-contact@cryptolab.net
- Jonathan Proulx
- Jonathan van der Steege
- krishna e bera
- Marco Moock
- Mick