[tor-bugs] #26294 [Core Tor/Tor]: attacker can force intro point rotation by ddos

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 11 02:19:24 UTC 2019


#26294: attacker can force intro point rotation by ddos
---------------------------------------------------------------------------
      Reporter:  arma
         Owner:  asn
          Type:  defect
        Status:  merge_ready
      Priority:  Medium
     Milestone:  Tor: 0.4.2.x-final
     Component:  Core Tor/Tor
       Version:
      Severity:  Normal
    Resolution:
      Keywords:  tor-hs, tor-dos, network-team-roadmap-august, security,
                 042-should
 Actual Points:  6
     Parent ID:  #29999
        Points:  7
      Reviewer:  dgoulet
       Sponsor:  Sponsor27-must
---------------------------------------------------------------------------

Comment (by arma):

 Replying to [comment:33 arma]:
 > The impact is a bit subtle/indirect, but it would for example allow
 > attacks where later you discover which rendezvous point a given
 > introduction attempt used.

 For example, you could do this discovery by roving around the network
 looking at relays and seeing if they receive the burst of rendezvous
 attempts. Or you could run some fast inconsistent (i.e. not Guard) relays
 and get chosen sometimes as the hop before the rendezvous cell, and since
 our design doesn't use 'rendezvous guards', over time you become confident
 that the rendezvous point is the one receiving the connections more often
 than baseline.

 If the intro point can guess what onion service it's an intro point for,
 it can look up the descriptor, discover the ephemeral key for its intro
 point, and do introductions itself. So the original goal was that if it
 *doesn't* know what onion service it's introducing to, it can't cause the
 onion service to make any circuits.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26294#comment:34>