Opened 5 years ago

Last modified 22 months ago

#10221 new enhancement

Implement BGP malicious route checks before publishing descriptor in consensus

Reported by: anon Owned by:
Priority: High Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: BGP needs-design tor-dirauth badrelays
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Alternatively, treat as normal and simply flag the BGP route as malicious or not for the listed endpoints in a consensus.

This is in response to observed, repeated, malicious route jacking attacks for specific address ranges through monkey-in-the-middle attackers.

"Malicious route jacking" is explicitly mentioned here as distinct from anomalous route changes or advertisement behavior, nor does it encompass benign incompetence affecting widespread route behavior of an indiscriminate nature.

See also:
http://www.renesys.com/2013/11/mitm-internet-hijacking/
http://www.renesys.com/2010/11/chinas-18-minute-mystery/

Child Tickets

Change History (2)

comment:1 Changed 5 years ago by nickm

Keywords: needs-proposal added
Milestone: Tor: unspecified

Interesting. Is there an easy-to-use tool to check for route hijacking?

One worrisome thing here is that you'd need a way to keep this feature from turning into a selective DoS tool. If any Tor node gets kicked out of the consensus for having any (!) route to that node hijacked, then we're effectively giving the adversary the ability to kick Tor nodes off the network, potentially reshaping the network more to their likelihood. Somebody needs to do the math to figure out whether this is somehow an improvement or not.

comment:2 Changed 22 months ago by nickm

Keywords: needs-design tor-dirauth badrelays added; needs-proposal removed
Priority: MediumHigh
Severity: Normal
Note: See TracTickets for help on using tickets.