'relay early' attack detection at the infrastructure level

[moved to tor-relays]
Hi relay ops,
please consider having a regular look at your logs after upgrading to the latest tor releases to spot relay_early attacks (even if the attack origin is not directly attributable from a relay's point of view).
Searching your logs for 'Received an inbound RELAY_EARLY cell' should do it.
https://gitweb.torproject.org/tor.git/commitdiff/68a2e4ca4baa595cc4595a511db...
It doesn't have to decrypt the stream to see it, because whether a cell is relay or relay_early is a property of the (per hop) link, not a property of the (end-to-end) stream.
Does a patched relay also create a log entry as soon as it "kills" the circuit or is logging only happening on tor instances acting as clients?
The patched relay also does a log message, yes.
But the relay can only see its immediate neighbor in the circuit, so it will only log that. Whether the attacking relay is that (adjacent) one, or one farther on the circuit, isn't something your relay can learn.
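A small log scanner for the check Nusenu suggests, written for this page and not part of the thread or of tor itself. It matches Tor's standard "Mon DD HH:MM:SS.mmm [level] message" line format on the 'Received an inbound RELAY_EARLY cell' substring from the post; the sample log lines are constructed, and everything after that substring in them (circuit numbers, "Closing circuit.") is assumed wording, not the real tor message.

```python
import re
from collections import Counter

# Constructed sample of relay log lines (not from the original post). Only the
# 'Received an inbound RELAY_EARLY cell' substring comes from the thread; the
# rest of each line is made up for illustration.
SAMPLE_LOG = """\
Aug 01 18:57:58.000 [notice] Bootstrapped 100%: Done.
Aug 01 19:02:11.000 [warn] Received an inbound RELAY_EARLY cell on circuit 12345. Closing circuit.
Aug 01 19:02:13.000 [notice] Heartbeat: Tor's uptime is 1 day 0:00 hours
Aug 02 03:40:07.000 [warn] Received an inbound RELAY_EARLY cell on circuit 67890. Closing circuit.
Aug 02 03:40:07.000 [warn] Received an inbound RELAY_EARLY cell on circuit 67891. Closing circuit.
"""

# Tor's default log line layout: month, day, time with milliseconds, [level], message.
TOR_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$"
)
MARKER = "Received an inbound RELAY_EARLY cell"


def find_relay_early_events(lines):
    """Return (date, time, message) for every line carrying the RELAY_EARLY marker.

    A hit means the adjacent hop sent RELAY_EARLY backwards and the patched relay
    closed the circuit. As Roger notes in the thread, the relay only sees its
    immediate neighbour, so a hit does not identify the attacking relay, and an
    unpatched tor logs nothing at all, so no hits on an old version means nothing.
    """
    events = []
    for line in lines:
        m = TOR_LINE.match(line.rstrip("\n"))
        if m and MARKER in m.group("msg"):
            events.append((f"{m.group('mon')} {m.group('day')}", m.group("time"), m.group("msg")))
    return events


def count_per_day(events):
    """Tally closed circuits per calendar day, useful for spotting bursts."""
    return Counter(date for date, _, _ in events)


def scan_file(path):
    """Convenience wrapper for a real notice log, e.g. /var/log/tor/notices.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_relay_early_events(fh)


if __name__ == "__main__":
    ev = find_relay_early_events(SAMPLE_LOG.splitlines())
    for date, n in sorted(count_per_day(ev).items()):
        print(f"{date}: {n} circuit(s) closed for inbound RELAY_EARLY")
```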

On 14-08-01 06:58 PM, Nusenu wrote:
[moved to tor-relays]
Hi relay ops,
please consider having a regular look at your logs after upgrading to the latest tor releases to spot relay_early attacks (even if the attack origin is not directly attributable from a relays point of view).
searching your logs for 'Received an inbound RELAY_EARLY cell' should do it.
https://gitweb.torproject.org/tor.git/commitdiff/68a2e4ca4baa595cc4595a511db...
According to https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-c... the RELAY_EARLY cell has common legitimate uses. How can we distinguish an attack from those?

On Fri, Aug 01, 2014 at 10:08:41PM -0400, krishna e bera wrote:
According to
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-c...
the RELAY_EARLY cell has common legitimate uses. How can we distinguish an attack from those?
Correctly-behaving Tor relays never send RELAY_CELL cells backwards (towards the client) on the circuit. So if you see one, it's somebody not following the protocol. --Roger

On 8/2/14, Roger Dingledine <arma@mit.edu> wrote:
On Fri, Aug 01, 2014 at 10:08:41PM -0400, krishna e bera wrote:
According to
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-c...
the RELAY_EARLY cell has common legitimate uses. How can we distinguish an attack from those?
Correctly-behaving Tor relays never send RELAY_CELL cells backwards (towards the client) on the circuit.
So if you see one, it's somebody not following the protocol.
Might be a stupid question sorry, but why not just block such relay-early packets coming in the wrong direction?

On Sat, Aug 02, 2014 at 03:38:51PM +1000, Zenaan Harkness wrote:
the RELAY_EARLY cell has common legitimate uses. How can we distinguish an attack from those?
Correctly-behaving Tor relays never send RELAY_CELL cells backwards (towards the client) on the circuit.
Gah. I should have written RELAY_EARLY above. Sorry for the confusion.
So if you see one, it's somebody not following the protocol.
Might be a stupid question sorry, but why not just block such relay-early packets coming in the wrong direction?
New relays do block them. Actually they close the circuit and warn, since once somebody has violated the protocol like this, it's unwise to let them continue interacting with you. Or is that what you meant? --Roger

On 8/2/14, Roger Dingledine <arma@mit.edu> wrote:
On Sat, Aug 02, 2014 at 03:38:51PM +1000, Zenaan Harkness wrote:
the RELAY_EARLY cell has common legitimate uses. How can we distinguish an attack from those?
Correctly-behaving Tor relays never send RELAY_CELL cells backwards (towards the client) on the circuit.
Gah. I should have written RELAY_EARLY above. Sorry for the confusion.
So if you see one, it's somebody not following the protocol.
Might be a stupid question sorry, but why not just block such relay-early packets coming in the wrong direction?
New relays do block them. Actually they close the circuit and warn, since once somebody has violated the protocol like this, it's unwise to let them continue interacting with you.
Or is that what you meant?
ACK. Thanks.