[tor-dev] Is it time to drop support for the v1/v2 protos?
David Fifield
david at bamsoftware.com
Mon Jan 12 17:46:58 UTC 2015
On Mon, Jan 12, 2015 at 06:26:14PM +0100, Tom van der Woerdt wrote:
> > On 12 Jan 2015, at 16:25, Philipp Winter <phw at nymity.ch> wrote:
> > Versions | Amount total  | Amount w/o duplicate hosts
> > ---------+---------------+---------------------------
> > 1 and 2  | 34,648 (9%)   | 21,552 (23%)
>
> We debugged this last week on IRC, as 1,2 is an invalid combination
> according to the specification. After correlating the ip addresses, we
> concluded that this is GFW scanning and not actual client usage.

I'm sure some of the 1+2 is GFW scanning, but probably not all of it.
Mainstream tor definitely sends 1+2 when using a v2 handshake.

https://gitweb.torproject.org/tor.git/tree/src/or/connection_or.c?id=b0c32106b3559b4ee9fabfb1a49e2e328c850305#n2122
/** Array of recognized link protocol versions. */
static const uint16_t or_protocol_versions[] = { 1, 2, 3, 4 };
/** Number of versions in <b>or_protocol_versions</b>. */
static const int n_or_protocol_versions =
  (int)( sizeof(or_protocol_versions)/sizeof(uint16_t) );

/** Send a VERSIONS cell on <b>conn</b>, telling the other host about the
 * link protocol versions that this Tor can support.
 *
 * If <b>v3_plus</b>, this is part of a V3 protocol handshake, so only
 * allow protocol version v3 or later.  If not <b>v3_plus</b>, this is
 * not part of a v3 protocol handshake, so don't allow protocol v3 or
 * later.
 **/
int
connection_or_send_versions(or_connection_t *conn, int v3_plus)
{
  var_cell_t *cell;
  int i;
  int n_versions = 0;
  const int min_version = v3_plus ? 3 : 0;
  const int max_version = v3_plus ? UINT16_MAX : 2;
  tor_assert(conn->handshake_state &&
             !conn->handshake_state->sent_versions_at);
  cell = var_cell_new(n_or_protocol_versions * 2);
  cell->command = CELL_VERSIONS;
  for (i = 0; i < n_or_protocol_versions; ++i) {
    uint16_t v = or_protocol_versions[i];
    if (v < min_version || v > max_version)
      continue;
    set_uint16(cell->payload+(2*n_versions), htons(v));
    ++n_versions;
  }
  cell->payload_len = n_versions * 2;
  connection_or_write_var_cell_to_buf(cell, conn);
  conn->handshake_state->sent_versions_at = time(NULL);

  var_cell_free(cell);
  return 0;
}

> Are you sure you are deduplicating correctly? That's a lot of hosts.

Even if it were only GFW probing, GFW rarely uses duplicate IPs, except
for a few. Most IPs you will only see once or twice over the course of
months.

David Fifield
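
Added example, not part of the original message and not tor's own code: a standalone C sketch that reproduces the version filter from the quoted function and decodes a VERSIONS payload (a list of 2-byte big-endian version numbers) into a bitmask, so a measurement script can tell a 1+2 advertisement from a 3+4 one. The helper names `build_versions_payload` and `versions_mask` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same table as the quoted tor source. */
static const uint16_t or_protocol_versions[] = { 1, 2, 3, 4 };
#define N_OR_VERSIONS (sizeof(or_protocol_versions) / sizeof(uint16_t))

/* Hypothetical helper: write the VERSIONS payload that the quoted filter
 * would produce into out; returns the payload length in bytes. */
size_t build_versions_payload(int v3_plus, uint8_t *out, size_t cap)
{
  const int min_version = v3_plus ? 3 : 0;
  const int max_version = v3_plus ? UINT16_MAX : 2;
  size_t len = 0;
  for (size_t i = 0; i < N_OR_VERSIONS; ++i) {
    uint16_t v = or_protocol_versions[i];
    if (v < min_version || v > max_version || len + 2 > cap)
      continue;
    out[len++] = (uint8_t)(v >> 8);    /* network byte order, like htons() */
    out[len++] = (uint8_t)(v & 0xff);
  }
  return len;
}

/* Hypothetical helper: decode an observed payload into a bitmask with bit v
 * set for each advertised version v in 1..15. Returns -1 if the length is
 * odd, since every entry is exactly two bytes. */
int versions_mask(const uint8_t *p, size_t len)
{
  int mask = 0;
  if (len % 2 != 0)
    return -1;
  for (size_t i = 0; i < len; i += 2) {
    uint16_t v = (uint16_t)((p[i] << 8) | p[i + 1]);
    if (v >= 1 && v <= 15)
      mask |= 1 << v;
  }
  return mask;
}

int main(void)
{
  uint8_t buf[8];
  for (int v3_plus = 0; v3_plus <= 1; ++v3_plus) {
    size_t n = build_versions_payload(v3_plus, buf, sizeof(buf));
    printf("v3_plus=%d -> mask 0x%x\n", v3_plus, versions_mask(buf, n));
  }
  return 0;
}
```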