Delivery-Date: Wed, 20 May 2015 11:10:23 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 34CCE1E087D
	for <archiver@seul.org>; Wed, 20 May 2015 11:10:21 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 5594F34F0F;
	Wed, 20 May 2015 15:10:17 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 983FE34EEB
 for <tor-talk@lists.torproject.org>; Wed, 20 May 2015 15:10:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id AfQ9vJN-qK2a for <tor-talk@lists.torproject.org>;
 Wed, 20 May 2015 15:10:13 +0000 (UTC)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 7395A34ED8
 for <tor-talk@lists.torproject.org>; Wed, 20 May 2015 15:10:13 +0000 (UTC)
Received: from berryeater.riseup.net (berryeater-pn.riseup.net [10.0.1.120])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
 by mx1.riseup.net (Postfix) with ESMTPS id 0583941068
 for <tor-talk@lists.torproject.org>; Wed, 20 May 2015 15:10:10 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: phw)
 with ESMTPSA id 86F4D401F7
Date: Wed, 20 May 2015 17:10:04 +0200
From: Philipp Winter <phw@nymity.ch>
To: tor-talk@lists.torproject.org
Message-ID: <20150520151004.GB30057@nymity.ch>
Mail-Followup-To: tor-talk@lists.torproject.org
References: <CADop2NHxbKqiMVAW0uzfTGA-wa6Nuv+x6aGAGRDiE=5Af+oUPQ@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CADop2NHxbKqiMVAW0uzfTGA-wa6Nuv+x6aGAGRDiE=5Af+oUPQ@mail.gmail.com>
X-PGP-Fpr: B369 E7A2 18FE CEAD EB96  8C73 CF70 89E3 D7FD C0D0
X-Virus-Scanned: clamav-milter 0.98.7 at mx1
X-Virus-Status: Clean
Subject: Re: [tor-talk] reverse enumeration attacks on bridges (re: 100-foot
 overview on Tor)
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On Wed, May 20, 2015 at 10:42:27AM +0800, Virgil Griffith wrote:
> Tom: If a hostile relay receives a connection from a ip-address A that
> is not listed in the Tor consensus, as far as I understand the hostile
> relay still has two possibilities about ip-address A:
> 
> (1) A is the client
> (2) A is a bridge
> 
> I do not understand how the "reverse enumeration" attack you mention
> (p136 of your 100-ft-summary) is able to distinguish between these two
> cases.

If the hostile relay has no Guard flag, it shouldn't receive direct
connections from clients.  If it does have the Guard flag, it could port
scan the previous hop to see if it has an open (OR) port.  (Active
probing-resistant bridges would leave some uncertainty, though.)

Some more details about this attack are in Section III.D of:
<http://www.cs.uml.edu/~xinwenfu/paper/Bridge.pdf>

Cheers,
Philipp
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
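The distinguishing step Philipp sketches (consensus lookup, then a port scan of the previous hop from a Guard-flagged relay, with probing-resistant bridges left as a residual uncertainty) as an added Python example. This is not code from the original mail, from the cited paper, or from the Tor Project. The consensus table, the list of candidate OR ports, the sample previous-hop addresses (RFC 5737 documentation ranges) and the offline `fake_probe` stand-in are all constructed for the demonstration; `tcp_connect_probe` does a real TCP connect and is only what a live run would swap in.

```python
"""Reverse enumeration of bridges from a hostile relay's vantage point."""
import socket

# Constructed, hypothetical consensus: IP -> flags.  RFC 5737 documentation
# addresses, not real Tor relays.  A real tool would parse the live consensus.
CONSENSUS = {
    "198.51.100.10": {"Running", "Guard", "Stable"},
    "198.51.100.20": {"Running", "Stable"},
}

# Ports an OR port is often bound to.  This is a guess: a bridge's real port is
# only in the bridge line its users configure, so an attacker has to widen it.
CANDIDATE_OR_PORTS = (9001, 443, 8443)

RELAY = "relay"                      # listed in the consensus
PRESUMED_BRIDGE = "presumed bridge"  # non-Guard relay: no direct clients expected
BRIDGE = "bridge"                    # an OR port answered the probe
UNKNOWN = "client or probe-resistant bridge"


def tcp_connect_probe(ip, port, timeout=3.0):
    """Live probe: does ip:port complete a TCP handshake?  Makes a real
    network connection; the demo below injects an offline stand-in instead."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_previous_hop(ip, consensus, relay_has_guard_flag,
                          probe=tcp_connect_probe, ports=CANDIDATE_OR_PORTS):
    """Decide what the previous hop of a circuit on our relay is."""
    if ip in consensus:
        return RELAY
    if not relay_has_guard_flag:
        # Only Guard-flagged relays should get direct client connections, so
        # an unlisted previous hop here is taken to be a bridge without probing.
        return PRESUMED_BRIDGE
    # A Guard relay sees both clients and bridges; a bridge without a
    # probing-resistant transport listens on an OR port, a client does not.
    if any(probe(ip, port) for port in ports):
        return BRIDGE
    # Closed/filtered everywhere we tried: a client, or a bridge behind a
    # transport such as obfs4 that does not answer unauthenticated probes
    # (or one listening on a port we did not guess).
    return UNKNOWN


def reverse_enumerate(previous_hops, consensus, relay_has_guard_flag,
                      probe=tcp_connect_probe, ports=CANDIDATE_OR_PORTS):
    """Classify every distinct previous-hop IP seen on our OR port."""
    return {ip: classify_previous_hop(ip, consensus, relay_has_guard_flag,
                                      probe, ports)
            for ip in set(previous_hops)}


# Constructed sample of previous-hop IPs a hostile Guard relay might log.
SAMPLE_PREVIOUS_HOPS = [
    "198.51.100.10",  # another relay extending a circuit through us
    "203.0.113.5",    # vanilla bridge with its OR port on 443
    "203.0.113.5",
    "203.0.113.77",   # obfs4 bridge on a high port: nothing on the candidate ports
    "192.0.2.9",      # an ordinary client using us as its guard
]

# Offline stand-in for the probe: which (ip, port) pairs would accept a TCP
# connection in this constructed scenario.
FAKE_OPEN_PORTS = {("203.0.113.5", 443)}


def fake_probe(ip, port):
    return (ip, port) in FAKE_OPEN_PORTS


def demo(relay_has_guard_flag=True):
    return reverse_enumerate(SAMPLE_PREVIOUS_HOPS, CONSENSUS,
                             relay_has_guard_flag, probe=fake_probe)


if __name__ == "__main__":
    for ip, verdict in sorted(demo().items()):
        print(f"{ip:15}  {verdict}")
```

Run as a script it prints one verdict per distinct previous hop. The obfs4 bridge and the plain client land in the same bucket, which is the residual uncertainty the reply mentions: a closed or filtered port proves nothing either way, so the scan only positively identifies bridges that still expose a plain OR port.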

