Hello,
I think the best approach for eliminating the false positives would be to make the scanner perform the timing inference attack as described in the paper. Unfortunately I don't have enough time to look into this more.

Cheers,
David

On Thu, Nov 17, 2016 at 09:22:47PM +0000, dawuud wrote:
>
> Hi all,
>
> I'm sorry that there are some false positives.
> I did previously test against a FreeBSD tor relay and presumed NetBSD
> would have a similar result.
>
> Thanks for looking closely at this Ivan.
> It sounds like the scanner needs to be fixed.
> I'll try to test with a netbsd host soon.
>
>
> Cheers!
>
> David
>
>
> On Thu, Nov 17, 2016 at 07:46:00PM +0000, Ivan Markin wrote:
> > Hi David,
> >
> > Thanks for your work!
> >
> > dawuud:
> > > I added the scan output to the repo, this includes the output csv file
> > > and a list of vulnerable relays:
> > >
> > > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> >
> > FYI, I produced results with platform strings and fingerprints based on
> > this data [1].
> >
> > It's pretty interesting that not only Linux relays are
> > 'vulnerable' (90 < ChACKs < 220) in David's scan:
> > % cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor
> >
> > Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
> > Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
> > Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
> > Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
> > Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
> > Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
> >
> > After I rescanned these relays myself several times, the FreeBSD ones
> > stopped being 'vulnerable' while the NetBSD ones somehow still reproduce
> > the 'vulnerable' Linux status.
> >
> > I don't know why this happens, maybe someone can scan these relays
> > (or maybe all NetBSD ones due to TCP stack specifics) themselves and get
> > different results. Anyway these are just curious false positives.
> >
> > [1]
> > https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv
> >
> > --
> > Ivan Markin
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
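The rescan comparison discussed in the thread above, as an added example that is not part of the thread or of the scan_tor_rfc5961 repository: it combines several scan passes and separates relays that stay inside the quoted 90 < ChACKs < 220 band from ones that flap between passes or report a non-Linux platform. The column order is an assumption read off the rows quoted above, and the sample rows, fingerprints and addresses are constructed.

```python
import csv
import io
from collections import defaultdict

LOW, HIGH = 90, 220  # band quoted in the thread: 90 < ChACKs < 220

# Constructed rows (placeholder fingerprints, documentation addresses).
# Assumed columns: platform, fingerprint, address, elapsed seconds,
# probes sent, challenge ACKs counted, scanner verdict.
PASS_1 = """\
Tor 0.2.8.9 on Linux,FP_A,192.0.2.10:9001,1.03,500,100,vulnerable
Tor 0.2.8.9 on Linux,FP_B,192.0.2.11:9001,1.01,500,498,notvulnerable
Tor 0.2.7.6 on FreeBSD,FP_C,192.0.2.12:9001,1.06,500,211,vulnerable
Tor 0.2.8.9 on NetBSD,FP_D,192.0.2.13:9001,1.08,500,142,vulnerable
"""
PASS_2 = """\
Tor 0.2.8.9 on Linux,FP_A,192.0.2.10:9001,1.02,500,104,vulnerable
Tor 0.2.8.9 on Linux,FP_B,192.0.2.11:9001,1.00,500,500,notvulnerable
Tor 0.2.7.6 on FreeBSD,FP_C,192.0.2.12:9001,1.05,500,500,notvulnerable
Tor 0.2.8.9 on NetBSD,FP_D,192.0.2.13:9001,1.03,500,113,vulnerable
"""

def parse(text):
    """Yield (fingerprint, os_name, chack_count) for each CSV row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7:
            continue  # skip blank or malformed lines
        platform, fingerprint, _addr, _secs, _sent, chacks, _verdict = row
        yield fingerprint, platform.rsplit(" on ", 1)[-1], int(chacks)

def triage(passes):
    """Combine several scan passes into one label per relay fingerprint."""
    seen = defaultdict(list)  # fingerprint -> in-band result for each pass
    os_of = {}
    for text in passes:
        for fingerprint, os_name, chacks in parse(text):
            seen[fingerprint].append(LOW < chacks < HIGH)
            os_of[fingerprint] = os_name
    labels = {}
    for fingerprint, hits in seen.items():
        if not any(hits):
            labels[fingerprint] = "not vulnerable"
        elif not all(hits):
            labels[fingerprint] = "unstable: rescan"
        elif os_of[fingerprint] != "Linux":
            labels[fingerprint] = "review: in band but not Linux"
        else:
            labels[fingerprint] = "vulnerable"
    return labels

if __name__ == "__main__":
    for fingerprint, label in sorted(triage([PASS_1, PASS_2]).items()):
        print(fingerprint, label)
```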