[tor-relays] Network scan results for CVE-2016-5696 / RFC5961

Ivan Markin twim at riseup.net
Fri Dec 9 07:23:00 UTC 2016


dawuud:
> The Golang rewrite of the scanner is cool!

Thanks!

> btw i'm surprised you wrote https://github.com/nogoegst/rough/blob/master/tcp.go
> instead of using https://github.com/google/gopacket

You shouldn't; rough is just a convenient wrapper on top of TCP-ish
stuff from gopacket (it makes TCP hacks simpler).

> Maybe you could also implement my Tor guard discovery
> attack that uses this vulnerability?

Why not. I just don't know what the attack is. Can you point me to it?

> I've been asked to write a proof of concept but I don't feel motivated to do so.
> Also, there are some doubts about whether this guard discovery attack would be
> feasible on the real Tor network... though we could probably make it work in a test network.
> 
> Now that such a small percentage of the Tor network is vulnerable it's probably safe/responsible
> for me to post my theoretic Tor guard discovery attack, right?

Hmm, I *don't* think that 1/4 of the network is actually a small
percentage... [I think we should somehow encourage vulnerable relays to
update their kernels to lower the affected percentage below ~10-15%.]
Also, you saying "guard discovery attack based on pure off-path TCP
attack" makes this *slightly* obvious. So if someone actually got it,
it's likely that they're already exploiting it.

--
Ivan Markin
