Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
Hello,

I think the best approach for eliminating the false positives would be to make the scanner perform the timing inference attack as described in the paper. Unfortunately I don't have enough time to look into this more.

Cheers,
David

On Thu, Nov 17, 2016 at 09:22:47PM +, dawuud wrote:
> Hi all,
>
> I'm sorry that there are some false positives.
> I did previously test against a FreeBSD tor relay and presumed NetBSD
> would have a similar result.
>
> Thanks for looking closely at this Ivan.
> It sounds like the scanner needs to be fixed.
> I'll try to test with a netbsd host soon.
>
> Cheers!
>
> David
>
> On Thu, Nov 17, 2016 at 07:46:00PM +, Ivan Markin wrote:
> > Hi David,
> >
> > Thanks for your work!
> >
> > dawuud:
> > > I added the scan output to the repo, this includes the output csv file
> > > and a list of vulnerable relays:
> > >
> > > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> >
> > FYI, I produced results with platform strings and fingerprints based on
> > this data [1].
> >
> > It's pretty interesting that not only Linux relays are
> > 'vulnerable' (90 < ChACKs < 220) in David's scan:
> > % cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor
> >
> > Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
> > Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
> > Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
> > Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
> > Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
> > Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
> >
> > After I've rescanned these relays myself several times, FreeBSD ones
> > stopped being 'vulnerable' while NetBSD ones somehow still reproduce
> > 'vulnerable' Linux status.
> >
> > I don't know why this happens, maybe someone can scan these relays
> > (or maybe all NetBSD ones due to TCP stack specifics) themselves and get
> > different results. Anyway these are just curious false positives.
> >
> > [1] https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv
> >
> > --
> > Ivan Markin

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
On 21/11/16 14:43, Olaf Selke wrote:
> On 19.11.2016 at 16:49, Alex Haydock wrote:
>>
>> There are some graphs showing (the lack of) network diversity here,
>> which are interesting to look at:
>>
>> http://torstatus.blutmagie.de/network_detail.php
>
> yes, this chart displays routers' domain country codes

Further down the page is a chart displaying routers by OS family, which is the one I was referring to.

Though I do also agree that having a large number of relays running under just a few AS networks is a problem too.

Regards,
Alex
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
On 19.11.2016 at 16:49, Alex Haydock wrote:
> There are some graphs showing (the lack of) network diversity here,
> which are interesting to look at:
>
> http://torstatus.blutmagie.de/network_detail.php

yes, this chart displays routers' domain country codes

Another view on the blutmagie live database is showing the distribution over autonomous systems.

all routers
https://torstatus.blutmagie.de/as-scoring.php?exit=0

exits only
https://torstatus.blutmagie.de/as-scoring.php?exit=1

More than 10% of all exit network AS are under French control. The total number of routers is shown at the table bottom.

regards
Olaf
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
Hi,

I don't really want to derail this thread, and I'm sure it's been said before, but I'd love to put in a plug for the TorBSD Diversity Project here: https://torbsd.github.io/

As a whole, the network is pretty homogeneous in terms of its reliance on the Linux kernel so kernel bugs and exploits like this can end up affecting a great portion of the network.

There are some graphs showing (the lack of) network diversity here, which are interesting to look at:

http://torstatus.blutmagie.de/network_detail.php

Just a thought to consider when setting up future relays, for those who already have experience working with other kernels like FreeBSD/OpenBSD/Solaris etc.

Cheers,
Alex

On 17/11/16 07:30, dawuud wrote:
> Hi.
>
> I added the scan output to the repo, this includes the output csv file
> and a list of vulnerable relays:
>
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
>
> Upgrade your Linux kernel and reboot your tor relays!
>
> Cheers,
> David
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
Hi Jason,

Thanks for your observation. I'll try to investigate soon.

Cheers,
David

On Thu, Nov 17, 2016 at 12:02:05PM -0500, Jason Ross wrote:
> Hi David,
> Thanks for the heads up! It turns out that my relay is in the list of
> affected hosts, however, the kernel I was running (3.16.36-1+deb8u1)
> is claimed by Debian to be fixed (see:
> https://security-tracker.debian.org/tracker/CVE-2016-5696).
>
> Since your script determines whether the host is affected or not based
> on the actual TCP comms (rather than banner grabbing a kernel version
> or something), I'm not sure what to make of that - it would seem to
> indicate that either the weighting you've devised doesn't fit Debian
> hosts, or it could indicate perhaps that the patch Debian maintainers
> applied to address the issue wasn't sufficient. I won't pretend to be
> clueful enough about low-level TCP stack programming to be able to
> tell for sure which is the case, but wanted to mention it in case
> others see the same thing.
>
> For my part, I've since updated the kernel on my relay to
> 3.16.36-1+deb8u2, and applied the sysctl work-around as an additional
> measure.
> I checked the ACK count using netstat both before and after, and have
> included those results here:
>
> Before:
> TCPChallengeACK: 1107
> TCPSYNChallenge: 7
>
> After:
> TCPChallengeACK: 2
> TCPSYNChallenge: 2
>
> Thanks!
>
> --
> Jason
>
> On Thu, Nov 17, 2016 at 2:30 AM, dawuud wrote:
> >
> > Hi.
> >
> > I added the scan output to the repo, this includes the output csv file
> > and a list of vulnerable relays:
> >
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
> >
> > Upgrade your Linux kernel and reboot your tor relays!
> >
> > Cheers,
> > David
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
Hi all,

I'm sorry that there are some false positives.
I did previously test against a FreeBSD tor relay and presumed NetBSD would have a similar result.

Thanks for looking closely at this Ivan.
It sounds like the scanner needs to be fixed.
I'll try to test with a netbsd host soon.

Cheers!

David

On Thu, Nov 17, 2016 at 07:46:00PM +, Ivan Markin wrote:
> Hi David,
>
> Thanks for your work!
>
> dawuud:
> > I added the scan output to the repo, this includes the output csv file
> > and a list of vulnerable relays:
> >
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> > https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
>
> FYI, I produced results with platform strings and fingerprints based on
> this data [1].
>
> It's pretty interesting that not only Linux relays are
> 'vulnerable' (90 < ChACKs < 220) in David's scan:
> % cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor
>
> Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
> Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
> Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
> Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
> Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
> Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable
>
> After I've rescanned these relays myself several times, FreeBSD ones
> stopped being 'vulnerable' while NetBSD ones somehow still reproduce
> 'vulnerable' Linux status.
>
> I don't know why this happens, maybe someone can scan these relays
> (or maybe all NetBSD ones due to TCP stack specifics) themselves and get
> different results. Anyway these are just curious false positives.
>
> [1] https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv
>
> --
> Ivan Markin
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
Hi David,

Thanks for your work!

dawuud:
> I added the scan output to the repo, this includes the output csv file
> and a list of vulnerable relays:
>
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays

FYI, I produced results with platform strings and fingerprints based on this data [1].

It's pretty interesting that not only Linux relays are 'vulnerable' (90 < ChACKs < 220) in David's scan:

% cat combined_results.csv | grep -v notvulnerable | grep -v Linux | grep Tor

Tor 0.2.8.9 on NetBSD,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,78.47.45.36:9001,1.08132791519,500,142,vulnerable
Tor 0.2.5.10 on NetBSD,508004552343E5374B6570C76E9239AA23310684,86.62.117.171:63500,1.00646305084,500,103,vulnerable
Tor 0.2.8.9 on NetBSD,8806C3E6FA42B07113F3A1553DE70C0A30101201,139.18.25.35:9001,1.02995896339,500,113,vulnerable
Tor 0.2.7.6 on FreeBSD,9C5461498004325F87C0685BDA5DA99AC5335314,62.194.144.196:9001,1.06730103493,500,211,vulnerable
Tor 0.2.8.9 on FreeBSD,BCFE548EA3FF8A0B3610779C238350124A8ED6DE,207.172.209.83:9001,1.06568193436,500,214,vulnerable
Tor 0.2.7.6 on NetBSD,F88C4D522EE7BD8B18B6C6418B8548E6E6BC74E9,195.43.138.226:9001,0.994502782822,500,100,vulnerable

After I've rescanned these relays myself several times, FreeBSD ones stopped being 'vulnerable' while NetBSD ones somehow still reproduce 'vulnerable' Linux status.

I don't know why this happens, maybe someone can scan these relays (or maybe all NetBSD ones due to TCP stack specifics) themselves and get different results. Anyway these are just curious false positives.

[1] https://github.com/nogoegst/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/combined_results.csv

--
Ivan Markin
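As an added example, not from this thread or from the scan_tor_rfc5961 repository: a small parser for rows in the combined_results.csv layout quoted above that recomputes the 90 < ChACKs < 220 verdict from the challenge ACK column and separates Linux hits from non-Linux hits that should be rescanned before being treated as real, which is the cross-check Ivan describes. The column names, the meaning of the fourth column (labelled elapsed_s here) and the sample rows are assumptions/constructed.

```python
"""Triage rows in the combined_results.csv layout quoted in this thread.
Assumed column order: platform, fingerprint, address, elapsed_s (the 4th
column's meaning is an assumption), probes sent, challenge ACKs, verdict."""
import csv
import io
from dataclasses import dataclass
from typing import List, Tuple

# Threshold quoted in the thread: 90 < ChACKs < 220 was marked 'vulnerable'.
CHACK_MIN, CHACK_MAX = 90, 220

# Constructed sample rows (RFC 5737 addresses, made-up fingerprints).
SAMPLE_CSV = """\
Tor 0.2.8.9 on Linux,AAAA0000000000000000000000000000000000A1,192.0.2.10:9001,1.01,500,101,vulnerable
Tor 0.2.8.9 on Linux,AAAA0000000000000000000000000000000000A2,192.0.2.11:443,1.03,500,7,notvulnerable
Tor 0.2.8.9 on NetBSD,AAAA0000000000000000000000000000000000A3,192.0.2.12:9001,1.08,500,142,vulnerable
Tor 0.2.7.6 on FreeBSD,AAAA0000000000000000000000000000000000A4,192.0.2.13:9001,1.06,500,211,vulnerable
Tor 0.2.9.4-alpha on Windows 8,AAAA0000000000000000000000000000000000A5,192.0.2.14:9001,0.99,500,0,notvulnerable
Tor 0.2.8.9 on Linux,AAAA0000000000000000000000000000000000A6,192.0.2.15:9001,1.00,500,350,vulnerable
"""

@dataclass
class Row:
    platform: str
    fingerprint: str
    address: str
    elapsed_s: float
    probes: int
    challenge_acks: int
    verdict: str

    @property
    def os_family(self) -> str:
        # "Tor 0.2.8.9 on NetBSD" -> "NetBSD" (first word after " on ")
        return self.platform.split(" on ", 1)[1].split()[0] if " on " in self.platform else "unknown"

def parse_rows(text: str) -> List[Row]:
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 7:
            raise ValueError(f"expected 7 fields, got {len(rec)}: {rec}")
        rows.append(Row(rec[0], rec[1], rec[2], float(rec[3]), int(rec[4]), int(rec[5]), rec[6]))
    return rows

def heuristic_verdict(challenge_acks: int) -> str:
    # Recompute the verdict from the challenge ACK count alone.
    return "vulnerable" if CHACK_MIN < challenge_acks < CHACK_MAX else "notvulnerable"

def triage(rows: List[Row]) -> Tuple[List[Row], List[Row], List[Row]]:
    """Split rows into (plausible Linux hits, non-Linux hits to rescan,
    rows whose stored verdict disagrees with the heuristic)."""
    plausible, rescan, inconsistent = [], [], []
    for r in rows:
        if heuristic_verdict(r.challenge_acks) != r.verdict:
            inconsistent.append(r)
        elif r.verdict != "vulnerable":
            continue
        elif r.os_family == "Linux":
            plausible.append(r)
        else:
            rescan.append(r)  # treat as a likely false positive until a rescan agrees
    return plausible, rescan, inconsistent
```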
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
On a Raspberry Pi...

Linux 4.4.26+ #915 Thu Oct 20 17:02:14 BST 2016 armv6l GNU/Linux

$ netstat -s | grep -i challenge
TCPChallengeACK: 10

(no TCPSYNChallenge result ??)

On 17/11/2016 at 20:24, Univibe wrote:
> My relays have been patched to the latest available kernels, and
> aren't in the list of vulnerable relays, however they still show high
> values for TCPSYNChallenge:
>
> $ ansible tor -a 'bash -c "netstat -s | grep -i challenge"' -b --ask-become-pass
>
> lon | SUCCESS | rc=0 >>
> TCPChallengeACK: 14197
> TCPSYNChallenge: 2926
>
> fra | SUCCESS | rc=0 >>
> TCPChallengeACK: 12907
> TCPSYNChallenge: 3461
>
> $ ansible tor -a 'bash -c "cat /etc/lsb-release && uname -rv"' -b --ask-become-pass
>
> fra | SUCCESS | rc=0 >>
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=14.04
> DISTRIB_CODENAME=trusty
> DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
> 3.13.0-101-generic #148-Ubuntu SMP Thu Oct 20 22:08:32 UTC 2016
>
> lon | SUCCESS | rc=0 >>
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=14.04
> DISTRIB_CODENAME=trusty
> DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
> 3.13.0-101-generic #148-Ubuntu SMP Thu Oct 20 22:08:32 UTC 2016

--
Petrusko
EBE23AE5
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
On a Debian 8 updated relay too:

# netstat -s | grep -i challenge
TCPChallengeACK: 19497
TCPSYNChallenge: 12991

Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux

Anything else to be sure?

On 17/11/2016 at 20:24, Univibe wrote:
> $ ansible tor -a 'bash -c "netstat -s | grep -i challenge"' -b --ask-become-pass
>
> lon | SUCCESS | rc=0 >>
> TCPChallengeACK: 14197
> TCPSYNChallenge: 2926
>
> fra | SUCCESS | rc=0 >>
> TCPChallengeACK: 12907
> TCPSYNChallenge: 3461

--
Petrusko
EBE23AE5
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
My relays have been patched to the latest available kernels, and aren't in the list of vulnerable relays, however they still show high values for TCPSYNChallenge:

$ ansible tor -a 'bash -c "netstat -s | grep -i challenge"' -b --ask-become-pass

lon | SUCCESS | rc=0 >>
TCPChallengeACK: 14197
TCPSYNChallenge: 2926

fra | SUCCESS | rc=0 >>
TCPChallengeACK: 12907
TCPSYNChallenge: 3461

$ ansible tor -a 'bash -c "cat /etc/lsb-release && uname -rv"' -b --ask-become-pass

fra | SUCCESS | rc=0 >>
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
3.13.0-101-generic #148-Ubuntu SMP Thu Oct 20 22:08:32 UTC 2016

lon | SUCCESS | rc=0 >>
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS"
3.13.0-101-generic #148-Ubuntu SMP Thu Oct 20 22:08:32 UTC 2016
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
Hi David,

Thanks for the heads up! It turns out that my relay is in the list of affected hosts, however, the kernel I was running (3.16.36-1+deb8u1) is claimed by Debian to be fixed (see: https://security-tracker.debian.org/tracker/CVE-2016-5696).

Since your script determines whether the host is affected or not based on the actual TCP comms (rather than banner grabbing a kernel version or something), I'm not sure what to make of that - it would seem to indicate that either the weighting you've devised doesn't fit Debian hosts, or it could indicate perhaps that the patch Debian maintainers applied to address the issue wasn't sufficient. I won't pretend to be clueful enough about low-level TCP stack programming to be able to tell for sure which is the case, but wanted to mention it in case others see the same thing.

For my part, I've since updated the kernel on my relay to 3.16.36-1+deb8u2, and applied the sysctl work-around as an additional measure.
I checked the ACK count using netstat both before and after, and have included those results here:

Before:
TCPChallengeACK: 1107
TCPSYNChallenge: 7

After:
TCPChallengeACK: 2
TCPSYNChallenge: 2

Thanks!

--
Jason

On Thu, Nov 17, 2016 at 2:30 AM, dawuud wrote:
>
> Hi.
>
> I added the scan output to the repo, this includes the output csv file
> and a list of vulnerable relays:
>
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
> https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays
>
> Upgrade your Linux kernel and reboot your tor relays!
>
> Cheers,
> David
Re: [tor-relays] network scan results for CVE-2016-5696 / rfc 5961
Hi.

I added the scan output to the repo, this includes the output csv file and a list of vulnerable relays:

https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/probe_out.csv
https://github.com/david415/scan_tor_rfc5961/blob/master/scan_archive/nov17_2016/vulnerable_tor_relays

Upgrade your Linux kernel and reboot your tor relays!

Cheers,
David