Opened 2 years ago

Closed 2 years ago

#26166 closed enhancement (invalid)

Protect directory servers and against TCP reset attacks

Reported by: indigotime
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Major
Keywords: TCP, RST, reset
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Some ISPs are using TCP reset attacks to enforce censorship and block Tor.
Is it possible to make and Tor directory servers to drop (ignore) all spoofed TCP reset packets?

Change History (1)

comment:1 Changed 2 years ago by teor

Component: - Select a component → Core Tor/Tor
Resolution: invalid
Status: new → closed

It is difficult to distinguish spoofed RST packets from actual RST packets. A network-level adversary can generate packets that look like they came from the user's computer.

We certainly can't do it at the application level in Tor. (And it would be really hard to do in a cross-platform way.)

For machines we control on, I believe the situation is similar.

If you find documentation for a reliable method of distinguishing spoofed packets, please post a link here, and reopen the ticket.
