subject:"\[tor\-relays\] The 9001\-9051\-v0.2.8.9 Gang\: 57 relays and counting..."

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting...

2017-03-03 Thread nusenu

David Goulet:
>> - removal reason
> Proximity of fingerprint indicates a clear attempt at insertion in the
> hashring for an (some) onion address.

Are you also trying to find the matching onion address(es) that the
given relay IDs would become HSDirs due to their position on the ring?


Out of curiosity (which onions were they after?)
I generated the descriptor-ids for ~180 onions for the coming 90 days
and searched the prefixes (3 and 4 chars) of the removed relays
in the output and got some hits and although there is a minor
concentration about one topic on these onions I'm not sure it actually
means these relays tried to become HSDirs for these onions (could be
pure coincidence and the concentration around a topic might be caused by
a biased onion input list).



> https://gitweb.torproject.org/doctor.git/tree/data/tracked_relays.cfg
> 
> After that 6 months, you can find commit like this that removes a bunch of
> them:
> 
> https://gitweb.torproject.org/doctor.git/commit/data?id=f89e3dca452a0d776eed5d32136f8a474f892cac

interesting, thanks.



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting...

2017-02-28 Thread David Goulet

On 28 Feb (02:09:00), nusenu wrote:
> 
> 
> Donncha O'Cearbhaill:
> > nusenu:
> >> This group is still growing.
> >>
> >> Note that the following table is _not_ sorted by FP.
> >>
> >> The FP links these relays even across ISP, and given the FP column
> >> pattern it might be obvious what they are after.
> >>
> >> They do not have the hsdir flag yet.
> >>
> >> https://raw.githubusercontent.com/nusenu/tor-network-observations/master/2017-02-24_9001-9051-v0.2.8.9.txt
> >>
> > 
> > Nusenu, thank you for reporting these relay. They are now in the process
> > of being removed from the network.
> 
> Thanks for letting us know.
> 
> It would be nice if you could share:

Hello!

I'll try to help out as much as I can here.

> - if you reached out to the operator (via abuse contacts)

We do that if a valid contact address is present. In this case, we had only
one I believe and still no response. Email was sent yesterday ~afternoon EST.

> - removal reason

Proximity of fingerprint indicates a clear attempt at insertion in the
hashring for an (some) onion address. We are *always* better safe than sorry
with bad relays so even without a 100% confirmation, we go ahead.

> - what was removed

That, we don't disclose for obvious reasons that if the attackers can see what
we removed and when, it makes it easier for them to just adapt in time. Only
subscribers to bad-relays@ can know this.

However, those reject/badexit entries at the directory authority level expire
after a time period and when they do, they become public here in this DocTor
script that monitors any relay that we've expired and will be there for a 6
months period:

https://gitweb.torproject.org/doctor.git/tree/data/tracked_relays.cfg

After that 6 months, you can find commit like this that removes a bunch of
them:

https://gitweb.torproject.org/doctor.git/commit/data?id=f89e3dca452a0d776eed5d32136f8a474f892cac

> - method (by FP, IP, IP-range, ...)

We always reject both FP and IP. Sometimes, it can be a full network range.
Depends on the attack.

> - how long they will be blacklisted

The standard time period is 90 days *but* it's still a human that does that so
it goes beyond that time period sometimes. *HUGE* network block though, we are
more careful at not extending too much the reject time.

> - time of removal

We don't disclose that for now. Only subscribers to bad-relays@ can know this.

There has been *MANY* discussions about having this reject list public and
everything in the open. I believe it wasn't full agreement in the end but for
now it went towards keeping it close.

Thanks!
David

> 
> thanks,
> nusenu
> 

> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

-- 
F7k4dGBiwJmiegoPb+2QbzdAVSSAfb5AitHDxdxsEV8=

signature.asc
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting...

2017-02-27 Thread nusenu



Donncha O'Cearbhaill:
> nusenu:
>> This group is still growing.
>>
>> Note that the following table is _not_ sorted by FP.
>>
>> The FP links these relays even across ISP, and given the FP column
>> pattern it might be obvious what they are after.
>>
>> They do not have the hsdir flag yet.
>>
>> https://raw.githubusercontent.com/nusenu/tor-network-observations/master/2017-02-24_9001-9051-v0.2.8.9.txt
>>
> 
> Nusenu, thank you for reporting these relay. They are now in the process
> of being removed from the network.

Thanks for letting us know.

It would be nice if you could share:

- if you reached out to the operator (via abuse contacts)
- removal reason
- what was removed
- method (by FP, IP, IP-range, ...)
- how long they will be blacklisted
- time of removal

thanks,
nusenu



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting... // hsdir calc tool?

2017-02-27 Thread Donncha O'Cearbhaill

nusenu:
> This group is still growing.
> 
> Note that the following table is _not_ sorted by FP.
> 
> The FP links these relays even across ISP, and given the FP column
> pattern it might be obvious what they are after.
> 
> They do not have the hsdir flag yet.
> 
> https://raw.githubusercontent.com/nusenu/tor-network-observations/master/2017-02-24_9001-9051-v0.2.8.9.txt
> 

Nusenu, thank you for reporting these relay. They are now in the process
of being removed from the network.

I really appreciate the careful attention that you pay to the Tor
network. Many thanks for keeping users safe.

> 
> Is there a tool out there that tells me which HSDir is/will probably be
> responsible for a given onion address (and at what time)?
> 
> thanks,
> nusenu
> 
> 
> 
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting... // hsdir calc tool?

2017-02-27 Thread teor


> On 27 Feb 2017, at 23:48, nusenu  wrote:
> 
> This group is still growing.
> 
> Note that the following table is _not_ sorted by FP.
> 
> The FP links these relays even across ISP, and given the FP column
> pattern it might be obvious what they are after.
> 
> They do not have the hsdir flag yet.
> 
> https://raw.githubusercontent.com/nusenu/tor-network-observations/master/2017-02-24_9001-9051-v0.2.8.9.txt
> 
> Is there a tool out there that tells me which HSDir is/will probably be
> responsible for a given onion address (and at what time)?

There's no tool, unless you can reverse SHA1.
(Or brute-force a set of popular onion addresses.)

In short, it's the first 3 fingerprints following descriptor-id:

permanent-id = H(public-key)[:10]
descriptor-id = H(permanent-id | H(time-period | descriptor-cookie | replica))
where H is SHA1.

The spec is:
https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt#n222
https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt#n505

The implementation is:
https://gitweb.torproject.org/tor.git/tree/src/or/rendcommon.c#n127

As an aside, this attack is not possible with next-generation hidden
services, because the HSDir identities are hashed with the daily
shared random value:
https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt#n791

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org






signature.asc
Description: Message signed with OpenPGP
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

[tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting... // hsdir calc tool?

2017-02-27 Thread nusenu

This group is still growing.

Note that the following table is _not_ sorted by FP.

The FP links these relays even across ISP, and given the FP column
pattern it might be obvious what they are after.

They do not have the hsdir flag yet.

https://raw.githubusercontent.com/nusenu/tor-network-observations/master/2017-02-24_9001-9051-v0.2.8.9.txt



Is there a tool out there that tells me which HSDir is/will probably be
responsible for a given onion address (and at what time)?

thanks,
nusenu



signature.asc
Description: OpenPGP digital signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting...

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting...

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting...

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting... // hsdir calc tool?

Re: [tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting... // hsdir calc tool?

[tor-relays] The 9001-9051-v0.2.8.9 Gang: 57 relays and counting... // hsdir calc tool?

6 matches

Site Navigation

Mail list logo

Footer information