[tor-relays] Network scan results for CVE-2016-5696 / RFC5961

dawuud dawuud at riseup.net
Fri Dec 9 23:27:05 UTC 2016


> > btw i'm surprised you wrote https://github.com/nogoegst/rough/blob/master/tcp.go
> > instead of using https://github.com/google/gopacket
> 
> You shouldn't; rough is just a convenient wrapper on top of TCP-ish
> stuff from gopacket (it makes TCP hacks simpler).

ah right. cool.

> > Maybe you could also implement my Tor guard discovery
> > attack that uses this vulnerability?
> 
> Why not. I just don't know what the attack is. Can you point me to it?

On second thought I guess we better stick to writing scanners because if we
start writing exploits then eventually some script kitty will come along and
try to attack the Tor network with it; and even though my attack might not work
it involves doing various things that utilize resources on the Tor network;
so it would be bad for the health of the Tor network.

> > I've been asked to write a proof of concept but I don't feel motivated to do so.
> > Also, there are some doubts about whether this guard discovery attack would be
> > feasible on the real Tor network... though we could probably make it work in a test network.
> > 
> > Now that such a small percentage of the Tor network is vulnerable it's probably safe/responsible
> > for me to post my theoretic Tor guard discovery attack, right?
> 
> Hmm, I *don't* think that 1/4 of the network is actually small
> percentage... [I think we should somehow encourage vulnerable relays to
> update their kernels to lower affected percentage below ~10-15%.]

> Also, you saying "guard discovery attack based on pure off-path TCP
> attack" makes this *slightly* obvious. So if someone actually got it,
> it's likely that they're already exploiting it.

Its traffic profile would be obviously identifiable for passive network observers.
A nation state actor would have much better/faster results using other
well known publicly documented Tor guard discovery attacks.
Pretty sure they like to be sneaky when they deanonymize Tor circuits.

I would however be very interested to hear back from tor-relay operators
if any of them have found Challenge ACK counter values higher than
a million... which would indicate some kind of funny business.


Cheers,
David
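A defender-side check for the counter question raised in the message above, added here as an example and not part of the thread or of the scanner it discusses. On Linux the kernel exports the cumulative challenge ACK counter as `TCPChallengeACK` in the `TcpExt` section of `/proc/net/netstat`, where every section is a header line followed by a value line sharing the same prefix. The script below parses that format and flags a count above the one-million figure mentioned in the message. The embedded sample is constructed and carries only a handful of the real columns; the threshold, the `read_local_count` helper and the `/proc` path it reads are assumptions.

```python
"""Check a relay host's challenge ACK counter (TcpExt:TCPChallengeACK).

Added example, not code from the tor-relays thread. Assumes a Linux kernel
that exposes the TcpExt counters in /proc/net/netstat; the one-million
threshold follows the figure quoted in the thread and is a heuristic, not a
kernel limit.
"""
from __future__ import annotations

from typing import Dict, List

# Constructed sample of the /proc/net/netstat layout: each section appears as
# a header line and a value line sharing the same prefix. Only a few of the
# real columns are included here.
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv TCPChallengeACK TCPSYNChallenge
TcpExt: 0 0 1500042 37
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""

CHALLENGE_ACK_THRESHOLD = 1_000_000  # heuristic taken from the thread (assumption)


def parse_netstat(text: str) -> Dict[str, Dict[str, int]]:
    """Parse header/value line pairs into {section: {counter: value}}."""
    pending: Dict[str, List[str]] = {}
    parsed: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        prefix, rest = line.split(":", 1)
        fields = rest.split()
        if prefix not in pending:
            pending[prefix] = fields          # first line of a pair: column names
            continue
        names = pending.pop(prefix)           # second line of a pair: values
        if len(names) != len(fields):
            raise ValueError(f"column mismatch in section {prefix}")
        parsed[prefix] = {n: int(v) for n, v in zip(names, fields)}
    return parsed


def challenge_ack_count(text: str) -> int:
    """Return TcpExt:TCPChallengeACK, or 0 if the kernel does not export it."""
    return parse_netstat(text).get("TcpExt", {}).get("TCPChallengeACK", 0)


def is_suspicious(count: int, threshold: int = CHALLENGE_ACK_THRESHOLD) -> bool:
    """True when the cumulative counter exceeds the threshold.

    The counter is cumulative since boot, so on a long-running relay compare
    against a previous reading (rate) rather than trusting one absolute value.
    """
    return count > threshold


def read_local_count(path: str = "/proc/net/netstat") -> int:
    """Read the live counter on a Linux host (assumed path)."""
    with open(path, encoding="ascii") as fh:
        return challenge_ack_count(fh.read())


if __name__ == "__main__":
    import sys

    try:
        count = read_local_count()
    except OSError:
        # Not on Linux or /proc unavailable: fall back to the constructed sample.
        count = challenge_ack_count(SAMPLE_NETSTAT)
        print("no /proc/net/netstat here; using constructed sample")
    verdict = "SUSPICIOUS" if is_suspicious(count) else "ok"
    print(f"TCPChallengeACK={count} ({verdict})")
    sys.exit(1 if verdict == "SUSPICIOUS" else 0)
```

Run it periodically and keep the previous reading: a large absolute value on a relay that has been up for months is far less telling than a jump of hundreds of thousands between two readings an hour apart. Whatever the counter shows, the remedy the quoted reply already names, updating to a kernel that carries the RFC 5961 fix, is what removes the off-path side channel.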