[tor-bugs] #16659 [- Select a component]: Linux TCP Initial Sequence Numbers may aid correlation

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 30 00:44:43 UTC 2015


#16659: Linux TCP Initial Sequence Numbers may aid correlation
--------------------------------------+----------------------
     Reporter:  source                |      Owner:
         Type:  defect                |     Status:  reopened
     Priority:  normal                |  Milestone:
    Component:  - Select a component  |    Version:
   Resolution:                        |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |
--------------------------------------+----------------------

Comment (by source):

 At the moment I'm brushing up documentation about Time/Clock based attacks
 and I wanted to confirm some things about the mitigation advice I'm giving
 for those in high risk situations like running an Onion Service:
 https://www.whonix.org/wiki/Time_Attacks

 If I understand correctly, when running Tor, a passive network adversary
 looking at the Tor connection from outside cannot abuse this vector unless
 they are running your guard node. So the advice goes that Torifying all
 connections from a machine will limit potential attackers to a colluding
 guard node (until defenses are introduced).

 ^ Is this right?

 I am basing these conclusions on advice from Robert Ransom on defending
 against Clock skew attacks:
 http://archives.seul.org/or/talk/Sep-2011/msg00060.html

 >They can only use that to locate your server if they can either
 >connect to it directly (not through Tor) or accept a non-Torified
 >connection from it, and determine what your server thinks is the
 >current time based on information it receives on that connection.
 >
 >The obvious ways that your server could leak its current time include
 >running a web server and sending e-mail messages.  The less obvious
 >ways include opening an outbound TLS connection and running a cron job
 >with externally observable effects (e.g. an automatic update
 >downloader).

 and on information about how the measurer confirms their victim in the Hot
 or Not paper:

 >Measurer:
 >Connects directly to the Hidden Server’s public
 >IP address, requesting TCP timestamps, ICMP
 >timestamps and TCP sequence numbers

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16659#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

