[tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

Tor Relay Tor at MicroCephalic-Endeavors.com
Mon Mar 31 22:25:46 UTC 2014


Could you please translate your instructions into XP that I might check 
and, if necessary, fix my relay?  (OnionTorte)

Thanks,

P


Jann Horn wrote:
> Well, the subject line pretty much says it all: Lots of Tor relays send out
> globally sequential IP IDs, which, as far as I know, allows a remote party to
> measure how fast the relay is sending out IP packets with high precision,
> possibly making statistical attacks possible that could e.g. pinpoint the entry
> guard a user or hidden service uses.
> 
> This is how you can test whether a given relay has this issue:
> 
> $ sudo hping3 -r --syn -p 443 176.199.74.186 --count 10
> HPING 176.199.74.186 (eth0 176.199.74.186): S set, 40 headers + 0 data bytes
> len=46 ip=176.199.74.186 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 rtt=33.2 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=5 win=8192 rtt=36.4 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+35 sport=443 flags=SA seq=6 win=8192 rtt=33.9 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+56 sport=443 flags=SA seq=7 win=8192 rtt=31.7 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+46 sport=443 flags=SA seq=8 win=8192 rtt=33.4 ms
> len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=9 win=8192 rtt=33.7 ms
> 
> In the last example, you can see that the "id" field has increased by 30-50 every second.
> That's an issue: It should be one of:
> 
>  - always 0
>  - totally random
> 
> It can also be that it increments by one every time; that probably means that the relay
> uses per-IP counters or so, and as far as I know, that should be fine.
> 
> 
> After a bit of testing, I think that this issue is present on a lot of Tor relay nodes. Here
> are the first few in the alphabet that look suspicious (didn't want to scan the whole Tor
> network):
> 
<snip>

> Please, everyone, check whether your Tor relay node behaves this way, and if so,
> either change the behavior or take it offline until you can fix the issue.
> 
> Tor is not designed to be secure if an attacker can measure traffic at both
> ends of a circuit (for a proof of concept for that, see
> <http://seclists.org/fulldisclosure/2014/Mar/414>), and if your relay has this
> issue, you're already allowing anyone to measure at your relay.
> 
> 


-- 
Dirt kicked to the curb goes into the gutter.
Professionals kicked to the curb go into retail.
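
The self-check Jann describes, as an added example that is not part of either message: a small Python script that parses hping3 -r reply lines (the sample is built from the quoted probe output) and sorts a relay's IP ID behaviour into the cases above. The step threshold used to tell "globally sequential" from "random" is an assumption.

```python
import re

# Constructed sample: the first four reply lines of the quoted hping3 -r run.
SAMPLE_SEQUENTIAL = """\
len=46 ip=176.199.74.186 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
"""
# Constructed sample of a host that randomises the IP ID field (documentation address).
SAMPLE_RANDOM = "\n".join(
    f"len=46 ip=192.0.2.1 ttl=64 DF id={tok} sport=443 flags=SA seq={i} win=8192 rtt=10.0 ms"
    for i, tok in enumerate(["51203", "-39871", "+21044", "+7", "-30512"]))

ID_RE = re.compile(r"\bid=([+-]?\d+)\b")

def parse_ip_ids(output: str) -> list[int]:
    """Absolute 16-bit IP IDs from hping3 -r output: a signed token (id=+38) is a
    delta relative to the previous reply, an unsigned one (id=3025) is absolute."""
    ids: list[int] = []
    for line in output.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue                       # HPING banner or other noise
        tok = m.group(1)
        if tok[0] in "+-":
            if not ids:
                raise ValueError("relative id before any absolute id")
            ids.append((ids[-1] + int(tok)) & 0xFFFF)
        else:
            ids.append(int(tok))
    return ids

# Assumption: a globally shared counter advances by a modest positive step between
# probes sent one second apart; anything larger or erratic is treated as random.
MAX_SEQUENTIAL_STEP = 5000

def classify_ip_ids(ids: list[int]) -> str:
    """Map the observed IP ID sequence onto the cases named in the post."""
    if len(ids) < 3:
        raise ValueError("need at least three replies to judge")
    if all(i == 0 for i in ids):
        return "zero"                      # fine
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]   # mod 2^16 handles wrap
    if all(s == 1 for s in steps):
        return "per-destination counter"   # +1 per probe; probably fine
    if all(1 < s <= MAX_SEQUENTIAL_STEP for s in steps):
        return "globally sequential"       # the issue: step size exposes packets sent
    return "random"                        # fine

def check(output: str) -> str:
    return classify_ip_ids(parse_ip_ids(output))
```

Run `check()` on the output of your own `hping3 -r --syn -p <ORPort> <relay> --count 10`; only "globally sequential" is the case the post asks operators to fix.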

