Re: [tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

2014-03-31 Thread Roger Dingledine
On Mon, Mar 31, 2014 at 11:12:05PM +0200, Jann Horn wrote:
> Well, the subject line pretty much says it all: Lots of Tor relays send out
> globally sequential IP IDs, which, as far as I know, allows a remote party to
> measure how fast the relay is sending out IP packets with high precision,
> possibly making statistical attacks possible that could e.g. pinpoint the entry
> guard a user or hidden service uses.

[Please don't cross-post on multiple lists -- you will splinter the
responses.]

For extra fun, check out this paper that turns this issue into a potential
anonymity attack:
http://freehaven.net/anonbib/#tcp-tor-pets12

Their suggestion for a fix iirc was that the Linux kernel should get
fixed.

--Roger

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

2014-03-31 Thread Jann Horn
On Mon, Mar 31, 2014 at 04:34:20PM -0800, I wrote:
> I don't understand but I really want secure relays.
> All my relays are on VPSs running Debian 6/7 64 and I only know enough Linux 
> to get Tor going.
> Is being updated enough?

On Linux, that should be sufficient – looking at
, it seems that the last
related issue on linux was fixed back in 2006.

I scanned a good portion of all the tor exit nodes now, this is the
distribution of operating systems for the suspicious-looking relays:

  1 Linux
  1 Windows 98
  1 Windows Server 2003 Service Pack 2 [server]
  1 Windows XP Service Pack 3 [workstation]
  2 Windows 8 [server]
  2 Windows Server 2003
  3 FreeBSD amd64
  3 Windows 7 Service Pack 1 [workstation]
  5 Windows 8
  5 Windows Vista [server]
 14 Windows Server 2003 [server]
 17 Windows Vista
 33 Windows 7 [server]
 37 FreeBSD
 50 Windows XP
206 Windows 7

So, looks as if Windows and FreeBSD are the problems.




Re: [tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

2014-03-31 Thread I
Jann,

I don't understand but I really want secure relays.
All my relays are on VPSs running Debian 6/7 64 and I only know enough Linux to 
get Tor going.
Is being updated enough?
If not would you explain how to remedy the problem you've outlined as it seems 
quite serious?

Robert


> another OS (or a newer version of the one you're using).
> 
> https://en.wikipedia.org/wiki/Idle_Scan says:
>> The latest versions of Linux, Solaris, OpenBSD, and Windows Vista are
>> not
>> suitable as zombie, since the IPID has been implemented with patches[4]
>> that randomized the IP ID.[1]




Re: [tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

2014-03-31 Thread Jann Horn
On Mon, Mar 31, 2014 at 06:25:46PM -0400, Tor Relay wrote:
> Could you please translate your instructions into XP that I might
> check and, if necessary, fix my relay?  (OnionTorte)

If you don't have hping, you could also e.g. start a capture in wireshark or
so, then connect to your host with telnet and send it some garbage. Like this:

$ telnet 74.104.160.171 443
Trying 74.104.160.171...
Connected to 74.104.160.171.
Escape character is '^]'.
a
a
a
a
Connection closed by foreign host.

Then apply the filter "ip.src==74.104.160.171&&tcp" (replace with
the values of your relay) in Wireshark and look at
"Internet Protocol -> Identification" for the packets wireshark captured.

Btw, it looks like your relay is affected.


I do not know of any way to disable this behavior on Windows machines, but I'm
also not very familiar with Windows.




Re: [tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

2014-03-31 Thread Jann Horn
On Mon, Mar 31, 2014 at 02:45:47PM -0800, I wrote:
> How?

How to fix it, you mean? Good question. Probably depends on your OS. If your OS
doesn't let you change it and you can't patch it, I'm afraid you'd have to use
another OS (or a newer version of the one you're using).

https://en.wikipedia.org/wiki/Idle_Scan says:
> The latest versions of Linux, Solaris, OpenBSD, and Windows Vista are not
> suitable as zombie, since the IPID has been implemented with patches[4]
> that randomized the IP ID.[1]




Re: [tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

2014-03-31 Thread I
How?




Re: [tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

2014-03-31 Thread Tor Relay
Could you please translate your instructions into XP that I might check 
and, if necessary, fix my relay?  (OnionTorte)


Thanks,

P


Jann Horn wrote:

Well, the subject line pretty much says it all: Lots of Tor relays send out
globally sequential IP IDs, which, as far as I know, allows a remote party to
measure how fast the relay is sending out IP packets with high precision,
possibly making statistical attacks possible that could e.g. pinpoint the entry
guard a user or hidden service uses.

This is how you can test whether a given relay has this issue:

$ sudo hping3 -r --syn -p 443 176.199.74.186 --count 10
HPING 176.199.74.186 (eth0 176.199.74.186): S set, 40 headers + 0 data bytes
len=46 ip=176.199.74.186 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 
rtt=33.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 
rtt=32.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 
rtt=32.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 
rtt=32.3 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 
rtt=33.2 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=5 win=8192 
rtt=36.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+35 sport=443 flags=SA seq=6 win=8192 
rtt=33.9 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+56 sport=443 flags=SA seq=7 win=8192 
rtt=31.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+46 sport=443 flags=SA seq=8 win=8192 
rtt=33.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=9 win=8192 
rtt=33.7 ms

In the last example, you can see that the "id" field has increased by 30-50 
every second.
That's an issue: It should be one of:

 - always 0
 - totally random

It can also be that it increments by one every time; that probably means that 
the relay
uses per-IP counters or so, and as far as I know, that should be fine.


After a bit of testing, I think that this issue is present on a lot of Tor 
relay nodes. Here
are the first few in the alphabet that look suspicious (didn't want to scan the 
whole Tor
network):





Please, everyone, check whether your Tor relay node behaves this way, and if so,
either change the behavior or take it offline until you can fix the issue.

Tor is not designed to be secure if an attacker can measure traffic at both
ends of a circuit (for a proof of concept for that, see
), and if your relay has this
issue, you're already allowing anyone to measure at your relay.







--
Dirt kicked to the curb goes into the gutter.
Professionals kicked to the curb go into retail.


[tor-relays] Lots of tor relays send out sequential IP IDs; please fix that!

2014-03-31 Thread Jann Horn
Well, the subject line pretty much says it all: Lots of Tor relays send out
globally sequential IP IDs, which, as far as I know, allows a remote party to
measure how fast the relay is sending out IP packets with high precision,
possibly making statistical attacks possible that could e.g. pinpoint the entry
guard a user or hidden service uses.

This is how you can test whether a given relay has this issue:

$ sudo hping3 -r --syn -p 443 176.199.74.186 --count 10
HPING 176.199.74.186 (eth0 176.199.74.186): S set, 40 headers + 0 data bytes
len=46 ip=176.199.74.186 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 
rtt=33.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 
rtt=32.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 
rtt=32.5 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 
rtt=32.3 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 
rtt=33.2 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+36 sport=443 flags=SA seq=5 win=8192 
rtt=36.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+35 sport=443 flags=SA seq=6 win=8192 
rtt=33.9 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+56 sport=443 flags=SA seq=7 win=8192 
rtt=31.7 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+46 sport=443 flags=SA seq=8 win=8192 
rtt=33.4 ms
len=46 ip=176.199.74.186 ttl=116 DF id=+34 sport=443 flags=SA seq=9 win=8192 
rtt=33.7 ms

In the last example, you can see that the "id" field has increased by 30-50 
every second.
That's an issue: It should be one of:

 - always 0
 - totally random

It can also be that it increments by one every time; that probably means that 
the relay
uses per-IP counters or so, and as far as I know, that should be fine.


After a bit of testing, I think that this issue is present on a lot of Tor 
relay nodes. Here
are the first few in the alphabet that look suspicious (didn't want to scan the 
whole Tor
network):


Plea
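An added example, not code from the thread or from Jann Horn: a small Python helper that reads the output of the `hping3 -r --syn` test shown above (or any list of IP IDs copied from Wireshark's "Internet Protocol -> Identification" column, as suggested for Windows operators) and sorts the relay into the categories the post describes. The sample output and the 203.0.113.10 address are constructed placeholders, and the 2000 step bound is an assumed heuristic.

```python
import re

# Constructed sample in the shape of the `hping3 -r --syn` output quoted in the
# thread (with -r, replies after the first print the IP ID as a delta, id=+N).
# 203.0.113.10 is a documentation-range placeholder, not a real relay.
SAMPLE_GLOBAL_COUNTER = """\
HPING 203.0.113.10 (eth0 203.0.113.10): S set, 40 headers + 0 data bytes
len=46 ip=203.0.113.10 ttl=116 DF id=3025 sport=443 flags=SA seq=0 win=8192 rtt=33.5 ms
len=46 ip=203.0.113.10 ttl=116 DF id=+38 sport=443 flags=SA seq=1 win=8192 rtt=32.7 ms
len=46 ip=203.0.113.10 ttl=116 DF id=+42 sport=443 flags=SA seq=2 win=8192 rtt=32.5 ms
len=46 ip=203.0.113.10 ttl=116 DF id=+34 sport=443 flags=SA seq=3 win=8192 rtt=32.3 ms
len=46 ip=203.0.113.10 ttl=116 DF id=+36 sport=443 flags=SA seq=4 win=8192 rtt=33.2 ms
"""

ID_FIELD = re.compile(r"\bid=(\+?)(\d+)\b")

def parse_hping_ids(output):
    """Extract absolute 16-bit IP IDs from hping3 output, resolving -r deltas."""
    ids = []
    for line in output.splitlines():
        m = ID_FIELD.search(line)
        if not m:
            continue  # banner and summary lines carry no id= field
        relative, value = m.group(1) == "+", int(m.group(2))
        if relative and ids:
            ids.append((ids[-1] + value) & 0xFFFF)  # IP ID is 16 bits and wraps
        else:
            ids.append(value)
    return ids

def classify_ipid(ids, max_step=2000):
    """Classify the IP ID generator from IDs sampled about once per second.
    Per the thread: always-zero and random are fine; +1 per probe suggests a
    per-destination counter (fine); any other small positive step is one global
    counter shared by all destinations. max_step is an assumed heuristic bound."""
    if len(ids) < 3:
        return "insufficient-data"
    if all(i == 0 for i in ids):
        return "always-zero"
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(s == 1 for s in steps):
        return "per-destination-counter"
    if all(0 < s <= max_step for s in steps):
        return "global-counter"
    return "random"

def packets_per_probe(ids):
    """Mean ID step between probes; on a global counter this is roughly the
    number of packets the host sent to everyone else per probe interval."""
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    return sum(steps) / len(steps) if steps else 0.0
```

A result of "global-counter" is the case the thread asks operators to fix; "per-destination-counter", "random" and "always-zero" are the behaviours it describes as acceptable.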

[tor-relays] Low traffic on a small relay

2014-03-31 Thread Leandro Noferini
Hello everyone,

I have a relay CyberTorValley on a house adsl.

I set up this relay to start at night and stop in the morning, when my adsl
is poorly used, but the relay carries only a little traffic, say 35-40 mb a
night.

Is the low traffic due to the limited time the relay is up?

Is there a way to change the bandwidth while the relay is running? I found this
wiki reference
https://trac.torproject.org/projects/tor/wiki/doc/BandwidthLimitChangeController
in tor web site but it is not linked anywhere.

-- 
Cheers
leandro
http://6xukrlqedfabdjrb.onion/blog/
gpg fingerprint: 54A4 2612 FD50 0313 7FED  6A91 DA5C 1552 E7A4 D6C2
"We of Es Toch tell a brief myth: in the beginning the Creator told
an immense lie. For there was nothing at all, but the Creator spoke,
saying: It exists. And behold, so that God's lie could become
God's truth, the universe at once began to exist..."





Re: [tor-relays] Setting up AWS cloud-relay - don't reserve expensive storage!

2014-03-31 Thread Dan Rogers

Hey Nick, 

Is there a particular reason you want to use AWS? 

Unless you are still on the free tier, I think you could find a far more
economical VPS provider. I currently run a tor relay for 5 euros a month
using http://www.edis.at/en/home/. 

http://lowendbox.com/ is a good resource to find cheap VPS providers. 

Cheers! 

Dan 

On 2014-03-30 17:34, Nick Sheppard wrote: 

> On 30/03/14 17:02, Runa A. Sandvik wrote:
>> On Sun, Mar 30, 2014 at 3:29 PM, Nick Sheppard  wrote:
>>> Hi Runa (and AWS users),
>>
>> Hi Nick,
>>
>>> Did we ever get to the bottom of the default storage/AMI copying issue?
>>> I'd like to have another go at setting up a Tor relay on AWS eu-west-1.
>>
>> I haven't had the time to look into this, unfortunately. If you want an
>> eu-west-1 bridge, then you can set up an Ubuntu instance and follow the
>> steps in the ec2-prep.sh [1] script to turn it into a Tor Cloud bridge.
>>
>> [1]: https://gitweb.torproject.org/tor-cloud.git/blob_plain/HEAD:/ec2-prep.sh
>
> Many thanks!
>
> Nick

-- 

Dan Rogers 
+44 7539 552349
skype: dan.j.rogers 
gpg key [3] 
linkedin [4] | songkick [5] | twitter [6] | spotify [7] | music [8] 

Links:
--
[1]
https://gitweb.torproject.org/tor-cloud.git/blob_plain/HEAD:/ec2-prep.sh
[2] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[3] https://secure.techwang.com/gpg/public_key.txt
[4] http://www.linkedin.com/in/danrogerslondon
[5] http://www.songkick.com/users/music-is-math
[6] http://twitter.com/danjrog
[7] http://open.spotify.com/user/bonkbonkonk
[8] http://holdingitwrong.com