[tor-talk] reverse enumeration attacks on bridges (re: 100-foot overview on Tor)

Philipp Winter phw at nymity.ch
Wed May 20 15:10:04 UTC 2015


On Wed, May 20, 2015 at 10:42:27AM +0800, Virgil Griffith wrote:
> Tom: If a hostile relay receives a connection from an ip-address A that
> is not listed in the Tor consensus, as far as I understand the hostile
> relay still has two possibilities about ip-address A:
> 
> (1) A is the client
> (2) A is a bridge
> 
> I do not understand how the "reverse enumeration" attack you mention
> (p136 of your 100-ft-summary) is able to distinguish between these two
> cases.

If the hostile relay has no Guard flag, it shouldn't receive direct
connections from clients.  If it does have the Guard flag, it could port
scan the previous hop to see if it has an open (OR) port.  (Active
probing-resistant bridges would leave some uncertainty, though.)

Some more details about this attack are in Section III.D of:
<http://www.cs.uml.edu/~xinwenfu/paper/Bridge.pdf>

Cheers,
Philipp
