Tor Relay Tor at MicroCephalic-Endeavors.com
Mon Mar 31 22:25:46 UTC 2014

Could you please translate your instructions into XP that I might check 
and, if necessary, fix my relay?  (OnionTorte)
Jann Horn wrote:
> Well, the subject line pretty much says it all: Lots of Tor relays send out
> globally sequential IP IDs, which, as far as I know, allows a remote party to
> measure how fast the relay is sending out IP packets with high precision,
> possibly making statistical attacks possible that could e.g. pinpoint the entry
> guard a user or hidden service uses.
> This is how you can test whether a given relay has this issue:
> $ sudo hping3 -r --syn -p 443 --count 10
> HPING (eth0 S set, 40 headers + 0 data bytes
> len=46 ip= ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
> len=46 ip= ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
> len=46 ip= ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
> len=46 ip= ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
> len=46 ip= ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 rtt=33.2 ms
> len=46 ip= ttl=116 DF id=+36 sport=443 flags=SA seq=5 win=8192 rtt=36.4 ms
> len=46 ip= ttl=116 DF id=+35 sport=443 flags=SA seq=6 win=8192 rtt=33.9 ms
> len=46 ip= ttl=116 DF id=+56 sport=443 flags=SA seq=7 win=8192 rtt=31.7 ms
> len=46 ip= ttl=116 DF id=+46 sport=443 flags=SA seq=8 win=8192 rtt=33.4 ms
> len=46 ip= ttl=116 DF id=+34 sport=443 flags=SA seq=9 win=8192 rtt=33.7 ms
> In the last example, you can see that the "id" field has increased by 30-50 every second.
> That's an issue: It should be one of:
>  - always 0
>  - totally random
> It can also be that it increments by one every time; that probably means that the relay
> uses per-IP counters or so, and as far as I know, that should be fine.
> After a bit of testing, I think that this issue is present on a lot of Tor relay nodes. Here
> are the first few in the alphabet that look suspicious (didn't want to scan the whole Tor
> network):

> Please, everyone, check whether your Tor relay node behaves this way, and if so,
> either change the behavior or take it offline until you can fix the issue.
> Tor is not designed to be secure if an attacker can measure traffic at both
> ends of a circuit (for a proof of concept for that, see
> <http://seclists.org/fulldisclosure/2014/Mar/414>), and if your relay has this
> issue, you're already allowing anyone to measure at your relay.
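As an added example (not from the thread or from hping3 itself), a small Python script that parses the `hping3 -r` reply lines quoted above and sorts the IP ID behaviour into the categories Jann describes, so a relay operator can check a capture of their own relay; the 4096 jump cut-off used to flag a globally shared counter is an assumption, not a figure from the thread.

```python
import re
from typing import List

# Constructed sample: the first four hping3 -r reply lines quoted in the
# thread (target address blanked, as in the original post).
SAMPLE_OUTPUT = """\
len=46 ip= ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
len=46 ip= ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
len=46 ip= ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
len=46 ip= ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
"""

ID_RE = re.compile(r"\bid=([+-]?\d+)")

def parse_ip_ids(output: str) -> List[int]:
    """Return the absolute IP ID of every reply line.
    With -r, hping3 prints the first id absolutely and later ids as a
    signed delta from the previous reply, so deltas are re-accumulated."""
    ids: List[int] = []
    for line in output.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue  # banner and summary lines carry no id= field
        tok = m.group(1)
        if tok[0] in "+-" and ids:
            ids.append((ids[-1] + int(tok)) & 0xFFFF)  # 16-bit field wraps
        else:
            ids.append(int(tok) & 0xFFFF)
    return ids

def classify_ip_ids(ids: List[int]) -> str:
    """'zero' and 'random' are fine; 'incremental' (+1 per reply, a
    per-destination counter) is probably fine; 'global' (a shared counter
    that other traffic advances between probes) exposes the packet rate.
    The 4096 cut-off for 'global' is an assumption, not from the thread."""
    if len(ids) < 3:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(0 < d < 4096 for d in deltas):
        return "global"
    return "random"

if __name__ == "__main__":
    ids = parse_ip_ids(SAMPLE_OUTPUT)
    print(ids, "->", classify_ip_ids(ids))  # [3025, 3063, 3105, 3139] -> global
```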
