[tor-relays] 'relay early' attack detection at the infrastructure level

Nusenu BM-2D8wMEVgGVY76je1WXNPfo8SrpZt5yGHES at bitmessage.ch
Fri Aug 1 22:58:02 UTC 2014



[moved to tor-relays]

Hi relay ops,

Please consider having a regular look at your logs after upgrading to
the latest tor releases to spot relay_early attacks (even if the
attack origin is not directly attributable from a relay's point of view).

Searching your logs for

'Received an inbound RELAY_EARLY cell'

should do it.


https://gitweb.torproject.org/tor.git/commitdiff/68a2e4ca4baa595cc4595a511db11fa7ccbbc8f7


>>> It doesn't have to decrypt the stream to see it, because
>>> whether a cell is relay or relay_early is a property of the
>>> (per hop) link, not a property of the (end-to-end) stream.
>> 
>> Does a patched relay also create a log entry as soon as it
>> "kills" the circuit or is logging only happening on tor instances
>> acting as clients?
> 
> The patched relay also does a log message, yes.
> 
> But the relay can only see its immediate neighbor in the circuit,
> so it will only log that. Whether the attacking relay is that
> (adjacent) one, or one farther on the circuit, isn't something your
> relay can learn.




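The log search suggested in the message above, as an added example that is not part of the original post: a shell function that counts lines containing the quoted string per day, across plain and gzip-rotated tor log files. The file names, the "Mon DD HH:MM:SS" line prefix and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-day count of the relay_early warning in tor logs.
PATTERN='Received an inbound RELAY_EARLY cell'   # string quoted in the post

# relay_early_hits FILE...
# Prints "<count> <Mon> <DD>" per day, in order of first appearance.
# Handles plain and gzip-rotated files; unreadable files are skipped.
# Assumes each log line starts with "Mon DD HH:MM:SS".
relay_early_hits() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc < "$f" ;;
            *)    cat < "$f" ;;
        esac
    done | grep -F -e "$PATTERN" | awk '
        { day = $1 " " $2
          if (!(day in n)) order[++m] = day
          n[day]++ }
        END { for (i = 1; i <= m; i++) print n[order[i]], order[i] }'
}

# make_sample DIR: write constructed log files (not real relay logs).
# The file name notices.log is an assumed log destination.
make_sample() {
    cat > "$1/notices.log" <<'EOF'
Aug 01 10:00:00.000 [notice] Bootstrapped 100%: Done (constructed)
Aug 01 10:05:12.000 [warn] Received an inbound RELAY_EARLY cell (constructed)
Aug 01 10:05:13.000 [warn] Received an inbound RELAY_EARLY cell (constructed)
EOF
    printf '%s\n' \
      'Jul 30 03:14:15.000 [warn] Received an inbound RELAY_EARLY cell (constructed)' \
      'Jul 30 03:20:00.000 [notice] Heartbeat (constructed)' \
      | gzip -c > "$1/notices.log.1.gz"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
# Oldest file first so days print chronologically.
relay_early_hits "$demo_dir/notices.log.1.gz" "$demo_dir/notices.log"
rm -rf "$demo_dir"
```

A day with repeated hits is worth reporting together with the full log line, since the relay only records its immediate neighbor in the circuit.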


