[tor-dev] "Seeing through Network-Protocol Obfuscation"

Yawning Angel yawning at schwanenlied.me
Sat Aug 22 07:43:59 UTC 2015


On Fri, 21 Aug 2015 17:51:20 -0700
Kevin P Dyer <kpdyer at gmail.com> wrote:

> On Wed, Aug 19, 2015 at 11:58 AM, Yawning Angel
> <yawning at schwanenlied.me> wrote:
> 
> > [snip]
> >
> > The FTE semantic attack they presented isn't the easiest one I know
> > of (the GET request as defined by the regex is pathologically
> > malformed).
> >
> 
> Very interesting! This is news to me. I'm assuming I did something
> silly. (Even though I tested it against bro, wireshark, etc.)

Huh. I brought it up in conversation with a few people and was under
the impression it was passed on.  I probably should have e-mailed you
about it or something.

> How is it pathologically malformed?

 "manual-http-request": {
   "regex": "^GET\\ \\/([a-zA-Z0-9\\.\\/]*) HTTP/1\\.1\\r\\n\\r\\n$"
 },

No "Host" header.  All compliant requests MUST include one per RFC
2616, and all compliant servers MUST respond with a 400 if it is
missing.

Since requests of that sort should invoke the error path on RFC
compliant servers it's a really good distinguisher since legitimate
clients will not do such a thing.  Existing realistic adversaries
already have "identify 'suspicious behavior', call back to confirm"
style filtering in production, so false positive rate can be reduced to
0 if needed.

Regards,

-- 
Yawning Angel
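As an added illustration (not code from this thread, nor from FTE itself): a small Python check of the point above. It applies the quoted "manual-http-request" regex to constructed sample requests and models the RFC 2616 rule as the status an RFC-compliant origin server would return (400 for an HTTP/1.1 request with no Host header). Sample requests are constructed here and are not from the thread.

```python
import re

# The "manual-http-request" regex quoted in the message, with JSON
# escaping removed. Note the pattern allows nothing between the request
# line and the final CRLF CRLF, so no header can ever appear.
FTE_REGEX = re.compile(r"^GET /([a-zA-Z0-9./]*) HTTP/1\.1\r\n\r\n$")

def parse_request(raw: str):
    """Split a raw HTTP request into (request line, {lower-cased header: value})."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def matches_fte_format(raw: str) -> bool:
    """True if the request is one the quoted regex would generate or accept."""
    return FTE_REGEX.match(raw) is not None

def rfc2616_status(raw: str) -> int:
    """Status an RFC 2616-compliant server would answer with.

    RFC 2616 section 14.23: an HTTP/1.1 request without a Host header MUST
    be answered with 400 Bad Request. 200 stands in for "accepted" here.
    """
    request_line, headers = parse_request(raw)
    if request_line.endswith("HTTP/1.1") and "host" not in headers:
        return 400
    return 200

# Constructed samples: one shaped by the regex, one as a real client sends it.
FTE_STYLE = "GET /index.html HTTP/1.1\r\n\r\n"
BROWSER_STYLE = ("GET /index.html HTTP/1.1\r\n"
                 "Host: www.example.com\r\n"
                 "User-Agent: Mozilla/5.0\r\n\r\n")

def summarize(raw: str) -> dict:
    """Collect the three facts the message argues about for one request."""
    return {
        "matches_fte_format": matches_fte_format(raw),
        "has_host_header": "host" in parse_request(raw)[1],
        "rfc2616_status": rfc2616_status(raw),
    }

if __name__ == "__main__":
    for label, req in (("regex-shaped", FTE_STYLE), ("browser", BROWSER_STYLE)):
        print(label, summarize(req))
```

Running it shows the asymmetry the message describes: the regex-shaped request gets a 400 from any conforming server, while the browser-style request cannot match the regex at all because the pattern leaves no room for a Host line.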