[tor-bugs] #11624 [Tor]: Malicious relays may be able to be assigned Exit flag without exiting anywhere

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Apr 27 15:55:08 UTC 2014


#11624: Malicious relays may be able to be assigned Exit flag without exiting
anywhere
--------------------+----------------------------------
 Reporter:  tom     |          Owner:
     Type:  defect  |         Status:  new
 Priority:  minor   |      Milestone:
Component:  Tor     |        Version:  Tor: unspecified
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
--------------------+----------------------------------
 The IANA for Multicast addresses indicates there are many /8's that are
 not yet allocated[0], such as 232.0.0.0-232.255.255.255.

 The current voting mechanism in exit_policy_is_general_exit_helper allows
 an Exit flag to be assigned if it supports exiting to at least one /8 for
 2 out of 3 ports of [80, 443, 6667]. exit_policy_is_general_exit_helper
 calls tor_addr_is_internal; this function only looks for the following
 IPv4 spaces: 10/8, 0/8, 127/8, 169.254/16, 172.16/12, 192.168/16.

 A relay could put one of the unallocated IPv4 blocks and fool the
 Directory Authorities.  Of course, if such a relay really wanted to do
 this, they could also set their relay up to exit to an uninteresting /8 no
 one would ever visit, such as one of the many military/DoD /8's.

 Zack Weinberg's thread on tor-relays seems to have a good collection of
 addresses[1]. Other sources are the exclude list from masscan[2] and the
 IANA registry[3].

 This would probably be doubly true for IPv6, which only looks for fc00/7,
 fe80/10, fec0/10 - but right now exit_policy_is_general_exit_helper
 ignores IPv6.
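As an added illustration (not Tor's own code and not part of the ticket), the following Python models the heuristic the ticket describes: expand each policy entry of /8 or wider into the /8 blocks it covers, skip blocks that tor_addr_is_internal would call internal, and count a port as exitable as soon as some non-internal /8 is accepted; a relay is a "general exit" if two of the three sampled ports pass. The same function takes an optional wider exclusion list, which is the obvious mitigation: treating multicast and reserved space the way internal space is treated. The exclusion ranges, the policy lines and the handling of reject entries (only a reject covering a block before any accept marks it rejected) are assumptions made for this example, not values taken from Tor's source.

```python
import ipaddress

# Ports the ticket says the heuristic samples; two of three must be exitable.
GENERAL_EXIT_PORTS = (80, 443, 6667)

# IPv4 ranges the ticket says tor_addr_is_internal recognises.
INTERNAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, illustrative extra ranges for a stricter check. Multicast covers
# the ticket's 232/8 example; this is not the full IANA registry.
NOT_GENERALLY_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/4",   # multicast
    "240.0.0.0/4",   # reserved
)]
HARDENED_EXCLUDED = INTERNAL_V4 + NOT_GENERALLY_ROUTABLE_V4


def parse_policy(lines):
    """Parse 'accept|reject ADDR:PORTS' lines (Tor exit-policy syntax) into
    (verb, network, low_port, high_port) tuples."""
    policy = []
    for line in lines:
        verb, rest = line.split()
        addr, ports = rest.rsplit(":", 1)
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr,
                                   strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        else:
            lo_s, _, hi_s = ports.partition("-")
            lo = int(lo_s)
            hi = int(hi_s) if hi_s else lo
        policy.append((verb, net, lo, hi))
    return policy


def block_is_excluded(block, excluded):
    """Assumption: the check is applied to the /8's first address (x.0.0.0),
    which is why the ticket's /16 and /12 internal ranges never trigger it."""
    return any(block.network_address in r for r in excluded)


def port_is_general_exit(policy, port, excluded=INTERNAL_V4):
    """True if some /8 not in `excluded` is accepted for `port` before being
    rejected. Entries narrower than /8 are ignored, as the ticket describes."""
    rejected = set()
    for verb, net, lo, hi in policy:
        if not (lo <= port <= hi) or net.prefixlen > 8:
            continue
        for first_octet in range(256):
            block = ipaddress.ip_network(f"{first_octet}.0.0.0/8")
            if first_octet in rejected or not block.subnet_of(net):
                continue
            if block_is_excluded(block, excluded):
                continue  # never counts, neither for accept nor reject
            if verb == "accept":
                return True
            rejected.add(first_octet)  # assumption: first matching reject wins
    return False


def is_general_exit(policy, excluded=INTERNAL_V4):
    """Two of the three sampled ports must be exitable to earn the flag."""
    allowed = sum(port_is_general_exit(policy, p, excluded)
                  for p in GENERAL_EXIT_PORTS)
    return allowed >= 2


if __name__ == "__main__":
    # Constructed sample policies.
    honest = parse_policy(["accept *:80", "accept *:443", "reject *:*"])
    suspect = parse_policy(["accept 232.0.0.0/8:80",
                            "accept 232.0.0.0/8:443", "reject *:*"])
    for name, pol in (("honest", honest), ("multicast-only", suspect)):
        print(name, "described check:", is_general_exit(pol),
              "hardened check:", is_general_exit(pol, HARDENED_EXCLUDED))
```

Running the block shows the gap the ticket reports: the multicast-only policy passes the described check but fails once multicast and reserved space are excluded alongside the internal ranges, while a normal exit policy passes both.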

 [0] http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml
 [1] https://lists.torproject.org/pipermail/tor-relays/2014-April/004431.html
 [2] https://github.com/robertdavidgraham/masscan/blob/master/data/exclude.conf
 [3] http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11624>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online