#26166 closed enhancement (invalid)

Protect directory servers and torproject.org against TCP reset attacks

Reported by: indigotime Owned by:
Priority: Medium Milestone:
Component: Core Tor/Tor Version:
Severity: Major Keywords: TCP, RST, reset
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Some ISP's using TCP reset attacks to enforce censorship and block Tor.
Is it possible to make torproject.org and Tor directory servers to drop (ignore) all spoofed TCP reset packets?

Child Tickets

Change History (1)

comment:1 Changed 14 months ago by teor

Component: - Select a componentCore Tor/Tor
Resolution: invalid
Status: newclosed

It is difficult to distinguish spoofed RST packets from actual RST packets. A network-level adversary can generate packets that look like they came from the user's computer.

We certainly can't do it at the application level in Tor. (And it would be really hard to do in a cross-platform way.)

For machines we control on torproject.org, I believe the situation is similar.

If you find documentation for a reliable method of distinguishing spoofed packets, please post a link here, and reopen the ticket.

Note: See TracTickets for help on using tickets.