Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-12-01 Thread dawuud


Hello,

I think the best approach for eliminating the false positives
would be to make the scanner perform the timing inference attack
as described in the paper.

Unfortunately I don't have enough time to look into this more.


Cheers,
David


On Thu, Nov 17, 2016 at 09:22:47PM +, dawuud wrote:
> 
> Hi all,
> 
> I'm sorry that there are some false positives.
> I did previously test against a FreeBSD tor relay and presumed NetBSD
> would have a similar result.
> 
> Thanks for looking closely at this Ivan.
> It sounds like the scanner needs to be fixed.
> I'll try to test with a netbsd host soon.
> 
> 
> Cheers!
> 
> David
> 
> 
> On Thu, Nov 17, 2016 at 07:46:00PM +, Ivan Markin wrote:
> > Hi David,
> > 
> > Thanks for your work!
> > 
> > dawuud:
> > > I added the scan output to the repo, this includes the output csv file
> > > and a list of vulnerable relays:
> > > 
> > > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> > 
> > FYI, I produced results with platform strings and fingerprints based on
> > this data [1].
> > 
> > It's pretty interesting that not only Linux relays are 'vulnerable'
> > (90 < ChACKs < 220) in David's scan:
> > 
> > % cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor
> > 
> > Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
> > Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
> > Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
> > Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
> > Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
> > Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
> > 
> > After I've rescanned these relays myself several times, FreeBSD ones
> > stopped being 'vulnerable' while NetBSD ones somehow still reproduce
> > the 'vulnerable' Linux status.
> > 
> > I don't know why this happens; maybe someone can scan these relays
> > (or maybe all NetBSD ones, due to TCP stack specifics) themselves and get
> > different results. Anyway, these are just curious false positives.
> > 
> > [1]
> > https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv
> > 
> > --
> > Ivan Markin



___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-21 Thread Alex Haydock
On 21/11/16 14:43, Olaf Selke wrote:
> On 19.11.2016 at 16:49, Alex Haydock wrote:
>>
>> There are some graphs showing (the lack of) network diversity here,
>> which are interesting to look at:
>>
>> http://torstatus.blutmagie.de/network_detail.php
>
> Yes, this chart displays routers' domain country codes.

Further down the page is a chart displaying routers by OS family, which
is the one I was referring to.

Though I do also agree that having a large number of relays running
under just a few AS networks is a problem too.

Regards,
Alex


Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-21 Thread Olaf Selke

On 19.11.2016 at 16:49, Alex Haydock wrote:

> There are some graphs showing (the lack of) network diversity here,
> which are interesting to look at:
>
> http://torstatus.blutmagie.de/network_detail.php

Yes, this chart displays routers' domain country codes.

Another view on the blutmagie live database shows the distribution
over autonomous systems.

all routers https://torstatus.blutmagie.de/as-scoring.php?exit=0
exits only https://torstatus.blutmagie.de/as-scoring.php?exit=1

More than 10% of all exit network ASes are under French control. The total
number of routers is shown at the table bottom.

Regards, Olaf


Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-19 Thread Alex Haydock
Hi,

I don't really want to derail this thread, and I'm sure it's been said
before, but I'd love to put in a plug for the TorBSD Diversity Project here:

https://torbsd.github.io/

As a whole, the network is pretty homogeneous in terms of its reliance
on the Linux kernel, so kernel bugs and exploits like this can end up
affecting a great portion of the network.

There are some graphs showing (the lack of) network diversity here,
which are interesting to look at:

http://torstatus.blutmagie.de/network_detail.php

Just a thought to consider when setting up future relays, for those who
already have experience working with other kernels like
FreeBSD/OpenBSD/Solaris etc.

Cheers,

Alex


On 17/11/16 07:30, dawuud wrote:
> Hi.
>
> I added the scan output to the repo, this includes the output csv file
> and a list of vulnerable relays:
>
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
>
>
> Upgrade your Linux kernel and reboot your tor relays!
>
> Cheers,
> David
>
>


Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-17 Thread dawuud

Hi Jason,

Thanks for your observation. I'll try to investigate soon.

Cheers,

David

On Thu, Nov 17, 2016 at 12:02:05PM -0500, Jason Ross wrote:
> Hi David,
> Thanks for the heads up! It turns out that my relay is in the list of
> affected hosts; however, the kernel I was running (3.16.36-1+deb8u1)
> is claimed by Debian to be fixed (see:
> https://security-tracker.debian.org/tracker/CVE-2016-5696).
> 
> Since your script determines whether the host is affected or not based
> on the actual TCP comms (rather than banner grabbing a kernel version
> or something), I'm not sure what to make of that - it would seem to
> indicate that either the weighting you've devised doesn't fit Debian
> hosts, or it could indicate perhaps that the patch Debian maintainers
> applied to address the issue wasn't sufficient. I won't pretend to be
> clueful enough about low-level TCP stack programming to be able to
> tell for sure which is the case, but wanted to mention it in case
> others see the same thing.
> 
> For my part, I've since updated the kernel on my relay to
> 3.16.36-1+deb8u2, and applied the sysctl work-around as an additional
> measure.
> I checked the ACK count using netstat both before and after, and have
> included those results here:
> 
> Before:
> TCPChallengeACK: 1107
> TCPSYNChallenge: 7
> 
> After:
> TCPChallengeACK: 2
> TCPSYNChallenge: 2
> 
> 
> Thanks!
> 
> --
> Jason
> 
> On Thu, Nov 17, 2016 at 2:30 AM, dawuud  wrote:
> >
> > Hi.
> >
> > I added the scan output to the repo, this includes the output csv file
> > and a list of vulnerable relays:
> >
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> >
> >
> > Upgrade your Linux kernel and reboot your tor relays!
> >
> > Cheers,
> > David
> >




Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-17 Thread dawuud

Hi all,

I'm sorry that there are some false positives.
I did previously test against a FreeBSD tor relay and presumed NetBSD
would have a similar result.

Thanks for looking closely at this Ivan.
It sounds like the scanner needs to be fixed.
I'll try to test with a netbsd host soon.


Cheers!

David


On Thu, Nov 17, 2016 at 07:46:00PM +, Ivan Markin wrote:
> Hi David,
> 
> Thanks for your work!
> 
> dawuud:
> > I added the scan output to the repo, this includes the output csv file
> > and a list of vulnerable relays:
> > 
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> 
> FYI, I produced results with platform strings and fingerprints based on
> this data [1].
> 
> It's pretty interesting that not only Linux relays are 'vulnerable'
> (90 < ChACKs < 220) in David's scan:
> 
> % cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor
> 
> Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
> Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
> Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
> Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
> Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
> Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
> 
> After I've rescanned these relays myself several times, FreeBSD ones
> stopped being 'vulnerable' while NetBSD ones somehow still reproduce
> the 'vulnerable' Linux status.
> 
> I don't know why this happens; maybe someone can scan these relays
> (or maybe all NetBSD ones, due to TCP stack specifics) themselves and get
> different results. Anyway, these are just curious false positives.
> 
> [1]
> https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv
> 
> --
> Ivan Markin




Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-17 Thread Ivan Markin
Hi David,

Thanks for your work!

dawuud:
> I added the scan output to the repo, this includes the output csv file
> and a list of vulnerable relays:
> 
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays

FYI, I produced results with platform strings and fingerprints based on
this data [1].

It's pretty interesting that not only Linux relays are 'vulnerable'
(90 < ChACKs < 220) in David's scan:

% cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor

Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable

After I've rescanned these relays myself several times, FreeBSD ones
stopped being 'vulnerable' while NetBSD ones somehow still reproduce
the 'vulnerable' Linux status.

I don't know why this happens; maybe someone can scan these relays
(or maybe all NetBSD ones, due to TCP stack specifics) themselves and get
different results. Anyway, these are just curious false positives.

[1]
https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv

--
Ivan Markin
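As an added example (not code from the thread or from the scan_tor_rfc5961 repository), this Python reads rows in the column layout of Ivan's combined_results.csv, re-applies the 90 < ChACKs < 220 verdict rule he quotes, and lists the non-Linux 'vulnerable' rows that his `grep -v Linux` pipeline isolates as candidates for a re-scan. The column names, sample rows, fingerprints and addresses are constructed placeholders, not real relays.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed rows in the layout of the thread's combined_results.csv:
# platform, fingerprint, ip:port, elapsed seconds, probes sent, challenge ACKs seen, verdict.
# Fingerprints and addresses are placeholders, not real relays.
SAMPLE_CSV = """\
Tor 0.2.8.9 on Linux,0000000000000000000000000000000000000001,192.0.2.10:9001,1.05,500,141,vulnerable
Tor 0.2.8.9 on Linux,0000000000000000000000000000000000000002,192.0.2.11:9001,1.02,500,497,notvulnerable
Tor 0.2.8.9 on NetBSD,0000000000000000000000000000000000000003,192.0.2.12:9001,1.08,500,142,vulnerable
Tor 0.2.7.6 on FreeBSD,0000000000000000000000000000000000000004,192.0.2.13:9001,1.07,500,211,vulnerable
Tor 0.2.8.9 on Windows 8,0000000000000000000000000000000000000005,192.0.2.14:9001,1.01,500,0,notvulnerable
"""

# Assumed column names; the file on the page has no header row.
FIELDS = ["platform", "fingerprint", "addr", "elapsed", "sent", "chacks", "verdict"]


def verdict_from_chacks(chacks, low=90, high=220):
    """The scanner's rule as quoted in the thread: 90 < ChACKs < 220 means 'vulnerable'."""
    return "vulnerable" if low < chacks < high else "notvulnerable"


def os_family(platform):
    """'Tor 0.2.8.9 on NetBSD' -> 'NetBSD'; first word after ' on ', so 'Windows 8' -> 'Windows'."""
    _, _, rest = platform.partition(" on ")
    return rest.split()[0] if rest else "unknown"


def triage(csv_text):
    """Summarise a results file: verdicts per OS family, rows whose recorded verdict
    disagrees with the rule, and non-Linux 'vulnerable' rows (the grep -v Linux view)
    that deserve a re-scan before anyone is told to patch."""
    by_os = defaultdict(Counter)
    mismatches, rescan = [], []
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS):
        fam = os_family(row["platform"])
        chacks = int(row["chacks"])
        by_os[fam][row["verdict"]] += 1
        if verdict_from_chacks(chacks) != row["verdict"]:
            mismatches.append(row["addr"])
        if row["verdict"] == "vulnerable" and fam != "Linux":
            rescan.append((fam, row["addr"], chacks))
    return {"by_os": {k: dict(v) for k, v in by_os.items()},
            "mismatches": mismatches, "rescan": rescan}


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for fam, counts in sorted(result["by_os"].items()):
        print(fam, counts)
    for fam, addr, chacks in result["rescan"]:
        print("re-scan (possible false positive): %s %s chacks=%d" % (fam, addr, chacks))
```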


Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-17 Thread Petrusko
On a Raspberry Pi... Linux 4.4.26+ #915 Thu Oct 20 17:02:14 BST 2016
armv6l GNU/Linux

$ netstat -s | grep -i challenge
TCPChallengeACK: 10

(no TCPSYNChallenge result ??)



On 17/11/2016 at 20:24, Univibe wrote:
> My relays have been patched to the latest available kernels, and
> aren't in the list of vulnerable relays, however they still show high
> values for TCPSYNChallenge:
>
> 
>
> $ ansible tor -a 'bash -c "netstat -s | grep -i challenge"' -b
> --ask-become-pass
>
> lon | SUCCESS | rc=0 >>
> TCPChallengeACK: 14197
> TCPSYNChallenge: 2926
>
> fra | SUCCESS | rc=0 >>
> TCPChallengeACK: 12907
> TCPSYNChallenge: 3461
>
> 
>
> $ ansible tor -a 'bash -c "cat /etc/lsb-release && uname -rv"' -b
> --ask-become-pass
>
> fra | SUCCESS | rc=0 >>
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=14.04
> DISTRIB_CODENAME=trusty
> DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
> 3.13.0-101-generic #148-Ubuntu SMP Thu Oct 20 22:08:32 UTC 2016
>
> lon | SUCCESS | rc=0 >>
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=14.04
> DISTRIB_CODENAME=trusty
> DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
> 3.13.0-101-generic #148-Ubuntu SMP Thu Oct 20 22:08:32 UTC 2016
>
> 
>
>
>

-- 
Petrusko
EBE23AE5






Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-17 Thread Petrusko
On an updated Debian 8 relay too:
# netstat -s | grep -i challenge
TCPChallengeACK: 19497
TCPSYNChallenge: 12991

Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64
GNU/Linux

Anything else to be sure?


On 17/11/2016 at 20:24, Univibe wrote:
> $ ansible tor -a 'bash -c "netstat -s | grep -i challenge"' -b
> --ask-become-pass
>
> lon | SUCCESS | rc=0 >>
> TCPChallengeACK: 14197
> TCPSYNChallenge: 2926
>
> fra | SUCCESS | rc=0 >>
> TCPChallengeACK: 12907
> TCPSYNChallenge: 3461

-- 
Petrusko
EBE23AE5




signature.asc
Description: OpenPGP digital signature


Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-17 Thread Univibe
My relays have been patched to the latest available kernels, and aren't in the 
list of vulnerable relays, however they still show high values for 
TCPSYNChallenge:



$ ansible tor -a 'bash -c "netstat -s | grep -i challenge"' -b --ask-become-pass

lon | SUCCESS | rc=0 >>
TCPChallengeACK: 14197
TCPSYNChallenge: 2926

fra | SUCCESS | rc=0 >>
TCPChallengeACK: 12907
TCPSYNChallenge: 3461



$ ansible tor -a 'bash -c "cat /etc/lsb-release && uname -rv"' -b 
--ask-become-pass

fra | SUCCESS | rc=0 >>
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
3.13.0-101-generic #148-Ubuntu SMP Thu Oct 20 22:08:32 UTC 2016

lon | SUCCESS | rc=0 >>
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
3.13.0-101-generic #148-Ubuntu SMP Thu Oct 20 22:08:32 UTC 2016



Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-17 Thread Jason Ross
Hi David,
Thanks for the heads up! It turns out that my relay is in the list of
affected hosts; however, the kernel I was running (3.16.36-1+deb8u1)
is claimed by Debian to be fixed (see:
https://security-tracker.debian.org/tracker/CVE-2016-5696).

Since your script determines whether the host is affected or not based
on the actual TCP comms (rather than banner grabbing a kernel version
or something), I'm not sure what to make of that - it would seem to
indicate that either the weighting you've devised doesn't fit Debian
hosts, or it could indicate perhaps that the patch Debian maintainers
applied to address the issue wasn't sufficient. I won't pretend to be
clueful enough about low-level TCP stack programming to be able to
tell for sure which is the case, but wanted to mention it in case
others see the same thing.

For my part, I've since updated the kernel on my relay to
3.16.36-1+deb8u2, and applied the sysctl work-around as an additional
measure.
I checked the ACK count using netstat both before and after, and have
included those results here:

Before:
TCPChallengeACK: 1107
TCPSYNChallenge: 7

After:
TCPChallengeACK: 2
TCPSYNChallenge: 2


Thanks!

--
Jason

On Thu, Nov 17, 2016 at 2:30 AM, dawuud  wrote:
>
> Hi.
>
> I added the scan output to the repo, this includes the output csv file
> and a list of vulnerable relays:
>
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
>
>
> Upgrade your Linux kernel and reboot your tor relays!
>
> Cheers,
> David
>
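The TCPChallengeACK and TCPSYNChallenge numbers compared in this thread (Univibe's and Petrusko's totals, Jason's before/after) are counters since boot, so on their own they say nothing about how fast a relay is emitting challenge ACKs relative to the kernel's per-second cap. This added Python (not from the thread or any of the posters) parses two /proc/net/netstat snapshots, the source of the counters `netstat -s` prints, and turns them into per-second rates; the snapshot contents are constructed, and sample_live() assumes a Linux host with a readable /proc.

```python
import time
from pathlib import Path

# Constructed /proc/net/netstat snapshots taken 10 s apart. Real files carry many
# more columns; only the counters this thread discusses are kept here.
SNAP_T0 = """\
TcpExt: SyncookiesSent TCPChallengeACK TCPSYNChallenge
TcpExt: 0 14197 2926
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
SNAP_T1 = """\
TcpExt: SyncookiesSent TCPChallengeACK TCPSYNChallenge
TcpExt: 0 14261 2931
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
CHALLENGE_KEYS = ("TCPChallengeACK", "TCPSYNChallenge")


def parse_proc_netstat(text):
    """Parse the pair-line format of /proc/net/netstat (names line, values line) into {counter: value}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    counters = {}
    for names_line, values_line in zip(lines[0::2], lines[1::2]):
        prefix, _, names = names_line.partition(":")
        vprefix, _, values = values_line.partition(":")
        if prefix != vprefix:
            raise ValueError("unpaired lines: %r / %r" % (names_line, values_line))
        for name, value in zip(names.split(), values.split()):
            counters[name] = int(value)
    return counters


def challenge_rates(before, after, seconds):
    """Per-second rate of each challenge counter between two snapshots."""
    rates = {}
    for key in CHALLENGE_KEYS:
        delta = after.get(key, 0) - before.get(key, 0)
        if delta < 0:
            raise ValueError("%s decreased; counters were reset (reboot?)" % key)
        rates[key] = delta / seconds
    return rates


def at_limit(rates, limit, fraction=0.9):
    """True when challenge ACKs leave at close to the global per-second cap
    (net.ipv4.tcp_challenge_ack_limit); a relay sitting at the cap is what the
    CVE-2016-5696 side channel depends on, so this is worth alerting on."""
    return rates["TCPChallengeACK"] >= fraction * limit


def sample_live(interval=10):
    """Two live samples on a Linux host (assumed readable /proc); returns (rates, cap or None)."""
    proc = Path("/proc/net/netstat")
    before = parse_proc_netstat(proc.read_text())
    time.sleep(interval)
    after = parse_proc_netstat(proc.read_text())
    cap_file = Path("/proc/sys/net/ipv4/tcp_challenge_ack_limit")
    cap = int(cap_file.read_text()) if cap_file.exists() else None
    return challenge_rates(before, after, interval), cap


if __name__ == "__main__":
    rates = challenge_rates(parse_proc_netstat(SNAP_T0), parse_proc_netstat(SNAP_T1), 10)
    print(rates, "near cap of 100/s:", at_limit(rates, 100))
```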


Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961

2016-11-16 Thread dawuud

Hi.

I added the scan output to the repo, this includes the output csv file
and a list of vulnerable relays:

https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays


Upgrade your Linux kernel and reboot your tor relays!

Cheers,
David

