[tor-relays] 'relay early' attack detection at the infrastructure level
BM-2D8wMEVgGVY76je1WXNPfo8SrpZt5yGHES at bitmessage.ch
Fri Aug 1 22:58:02 UTC 2014
[moved to tor-relays]
Hi relay ops,
Please consider having a regular look at your logs after upgrading to
the latest tor releases to spot relay_early attacks (even if the
attack origin is not directly attributable from a relay's point of view).
Searching your logs for
'Received an inbound RELAY_EARLY cell'
should do it.
>>> It doesn't have to decrypt the stream to see it, because
>>> whether a cell is relay or relay_early is a property of the
>>> (per hop) link, not a property of the (end-to-end) stream.
>> Does a patched relay also create a log entry as soon as it
>> "kills" the circuit or is logging only happening on tor instances
>> acting as clients?
> The patched relay also does a log message, yes.
> But the relay can only see its immediate neighbor in the circuit,
> so it will only log that. Whether the attacking relay is that
> (adjacent) one, or one farther on the circuit, isn't something your
> relay can learn.
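One way to make the log check above routine, as an added example that is not part of the original message or of tor: a small script that counts the quoted warning per day across the current and rotated (gzip-compressed) logs. The log paths and the "Mon DD ..." timestamp layout are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original message. The search string is the one
# quoted in the post; the timestamp layout and log paths are assumptions.
PATTERN='Received an inbound RELAY_EARLY cell'

# Print "<count> <Mon DD>" for each day with matches, in order of appearance.
# Pass the oldest log first. gzip -cdf decompresses .gz files and passes
# plain files through unchanged, so rotated logs are covered.
relay_early_by_day() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "skip (unreadable): $f" >&2; continue; }
        gzip -cdf -- "$f"
    done | grep -F -- "$PATTERN" | awk '
        { d = $1 " " $2; if (!(d in n)) order[++k] = d; n[d]++ }
        END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }'
}

# Total number of matching lines across all given logs (0 if none).
relay_early_total() {
    relay_early_by_day "$@" | awk '{ s += $1 } END { print s + 0 }'
}

# Self-check on constructed log lines (not real relay output).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'Jul 31 23:10:00.000 [warn] Received an inbound RELAY_EARLY cell (constructed)' \
        > "$tmp/notices.log.1"
    gzip "$tmp/notices.log.1"
    printf '%s\n' \
        'Aug 01 00:05:00.000 [notice] Heartbeat (constructed)' \
        'Aug 01 02:00:00.000 [warn] Received an inbound RELAY_EARLY cell (constructed)' \
        'Aug 01 02:30:00.000 [warn] Received an inbound RELAY_EARLY cell (constructed)' \
        > "$tmp/notices.log"
    relay_early_by_day "$tmp/notices.log.1.gz" "$tmp/notices.log"
    rm -rf "$tmp"
}

# Usage (paths are assumptions): sh relay_early.sh /var/log/tor/notices.log.1.gz /var/log/tor/notices.log
if [ "$#" -gt 0 ]; then relay_early_by_day "$@"; else demo; fi
```

As the quoted reply notes, a hit only identifies the adjacent hop, so the per-day counts indicate that affected circuits passed through the relay, not where the cells originated.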