[tor-bugs] #26294 [Core Tor/Tor]: attacker can force intro point rotation by ddos
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Sep 11 02:19:24 UTC 2019
#26294: attacker can force intro point rotation by ddos
-------------------------------------------------+-------------------------
Reporter: arma                                   | Owner: asn
Type: defect                                     | Status: merge_ready
Priority: Medium                                 | Milestone: Tor: 0.4.2.x-final
Component: Core Tor/Tor                          | Version:
Severity: Normal                                 | Resolution:
Keywords: tor-hs, tor-dos,                       | Actual Points: 6
  network-team-roadmap-august, security,         |
  042-should                                     |
Parent ID: #29999                                | Points: 7
Reviewer: dgoulet                                | Sponsor: Sponsor27-must
-------------------------------------------------+-------------------------
Comment (by arma):

Replying to [comment:33 arma]:
> The impact is a bit subtle/indirect, but it would for example allow
> attacks where later you discover which rendezvous point a given
> introduction attempt used.

For example, you could do this discovery by roving around the network
looking at relays and seeing if they receive the burst of rendezvous
attempts. Or you could run some fast inconsistent (i.e. not Guard) relays
and get chosen sometimes as the hop before the rendezvous cell, and since
our design doesn't use 'rendezvous guards', over time you become confident
that the rendezvous point is the one receiving the connections more often
than baseline.

If the intro point can guess what onion service it's an intro point for,
it can look up the descriptor, discover the ephemeral key for its intro
point, and do introductions itself. So the original goal was that if it
*doesn't* know what onion service it's introducing to, it can't cause the
onion service to make any circuits.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26294#comment:34>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online