Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#3095 closed task (fixed)

obsolete tor clients hammering original v1 dir authorities

Reported by: arma
Owned by: arma
Priority: Very High
Milestone: Tor: unspecified
Component: Core Tor/Tor
Keywords: tor-auth
Cc: weasel

Description

Several obsolete v3 certs expired recently, and it turns out there are still some Tor clients running that don't have this fix from 0.2.0.10-alpha:

    - Avoid sending a request for "keys/fp" (for which we'll get a 400 Bad
      Request) if we need more v3 certs but we've already got pending
      requests for all of them.

In particular, here are the three:

    fingerprint E2A2AF570166665D738736D0DD58169CC61D8A8B
    dir-key-published 2010-04-16 18:07:53
    dir-key-expires 2011-04-16 18:07:53

    fingerprint A9AC67E64B200BBF2FA26DF194AC0469E2A948C6
    dir-key-published 2009-04-12 17:31:36
    dir-key-expires 2011-04-12 17:31:36

    fingerprint 5420FD8EA46BD4290F1D07A1883C9D85ECC486C4
    dir-key-published 2010-04-16 18:00:26
    dir-key-expires 2011-04-16 18:00:26

moria1 has 23000 directory connections open right now, and it's seeing a dozen requests a second for one or more of the above certs.
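
An added example, not part of the ticket and not Tor's own code: a small parser for the three certificate stanzas quoted in the description, reporting each certificate's lifetime and whether it has expired at a given time. The function names and the reference time passed to `audit` are assumptions made for illustration; timestamps are treated as UTC.

```python
from datetime import datetime, timezone

# Stanzas copied from the ticket description.
STANZAS = """\
fingerprint E2A2AF570166665D738736D0DD58169CC61D8A8B
dir-key-published 2010-04-16 18:07:53
dir-key-expires 2011-04-16 18:07:53

fingerprint A9AC67E64B200BBF2FA26DF194AC0469E2A948C6
dir-key-published 2009-04-12 17:31:36
dir-key-expires 2011-04-12 17:31:36

fingerprint 5420FD8EA46BD4290F1D07A1883C9D85ECC486C4
dir-key-published 2010-04-16 18:00:26
dir-key-expires 2011-04-16 18:00:26
"""
REQUIRED = ("fingerprint", "dir-key-published", "dir-key-expires")
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # assumption: timestamps are UTC

def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)

def parse_certs(text):
    """Return one dict per blank-line-separated stanza."""
    certs = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(" ", 1) for line in block.splitlines())
        missing = [key for key in REQUIRED if key not in fields]
        if missing:
            raise ValueError(f"stanza missing fields: {missing}")
        certs.append({
            "fingerprint": fields["fingerprint"].upper(),
            "published": parse_time(fields["dir-key-published"]),
            "expires": parse_time(fields["dir-key-expires"]),
        })
    return certs

def audit(certs, now):
    """Map fingerprint -> (lifetime in days, expired at `now`?)."""
    report = {}
    for c in certs:
        if c["expires"] <= c["published"]:
            raise ValueError(f"{c['fingerprint']}: expiry precedes publication")
        lifetime_days = (c["expires"] - c["published"]).days
        report[c["fingerprint"]] = (lifetime_days, now >= c["expires"])
    return report
```

Run against the stanzas above, this shows two certificates with a one-year lifetime and one with a two-year lifetime.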

Change History (13)

comment:1 Changed 8 years ago by arma

The way I see it, we've got two options:

1) Generate new certs for these three keys. This time maybe make them last 20 years rather than 1 or 2.

2) Figure out if any of our known security vulnerabilities apply to directory answers, and take the clients down.

comment:2 in reply to:  1 Changed 8 years ago by Sebastian

Replying to arma:

> 2) Figure out if any of our known security vulnerabilities apply to directory answers, and take the clients down.

I can't believe you'd be serious about this. This might even be a crime.

comment:3 Changed 8 years ago by ioerror

I think it's important to note the tone of arma's statement: it's sarcasm.

comment:4 in reply to:  3 Changed 8 years ago by arma

Replying to ioerror:

> I think it's important to note the tone of arma's statement: it's sarcasm.

Well, I admit that I do want to better understand the extent of the vulnerability of these obsolete versions of Tor.

They're clearly not able to function as Tor clients, so their only roles in life are a) making my upstream wonder if they should unplug moria, and b) being a security hazard to whatever user still runs them.

comment:5 in reply to:  1 Changed 8 years ago by rransom

Replying to arma:

> The way I see it, we've got two options:
>
> 1) Generate new certs for these three keys. This time maybe make them last 20 years rather than 1 or 2.

Or make them last a few months, and investigate the legality and feasibility of crashing those clients in the meantime (before they start DDoSing moria1 again).

comment:6 Changed 8 years ago by rransom

From the 0.2.1.18 release notes:

  o Minor bugfixes (clients):
    - Treat duplicate certificate fetches as failures, so that we do
      not try to re-fetch an expired certificate over and over and over.

Clients that don't have this fix might still be a nuisance, although certainly a less severe one.

comment:7 in reply to: 6 Changed 8 years ago by rransom

Replying to rransom:

> From the 0.2.1.18 release notes:
>
>   o Minor bugfixes (clients):
>     - Treat duplicate certificate fetches as failures, so that we do
>       not try to re-fetch an expired certificate over and over and over.

Looks like this is for the same change that arma quoted above.

comment:8 Changed 8 years ago by arma

Owner: set to arma
Priority: normal → critical
Status: new → assigned

comment:9 in reply to: 7 Changed 8 years ago by asn

I guess I'll just leave this here:
https://gitorious.org/mytor/mytor/commits/bug3095

It's not the best solution and possibly not the best implementation, but it's a start.

It should crash pre-d7be44f2380186c913be5a927d67b55e30e313c4 clients like this:

    routerparse.c:2828 get_next_token: Assertion eol >= (*s+16) failed; aborting.
    Aborted

FWIW, I don't have any particular feelings about this. I just found it a fun thing to do at the hackfest today.

comment:10 in reply to:  9 Changed 8 years ago by rransom

Replying to asn:

> It should crash pre-d7be44f2380186c913be5a927d67b55e30e313c4 clients like this:
>
>     routerparse.c:2828 get_next_token: Assertion eol >= (*s+16) failed; aborting.
>     Aborted

When we fixed that assertion failure, we called the bugfix a ‘security fix’. That makes triggering the assertion failure sound close enough to something illegal under U.S. law that They will prosecute whoever they can show was involved in it, and They will be allowed to keep the jury from finding out why it was done, and They will be allowed to lie to the jury about the law if They need to in order to throw someone in prison to be raped for the rest of his/her/its life.

Would those Tor clients accept and understand a certificate valid for 1000 years?

comment:11 Changed 8 years ago by arma

Resolution: fixed
Status: assigned → closed

We made three new certs that last for 24 months each.

Next time we deal with this we should look at the old code and make sure it will tolerate certs longer than 24 months, and then change tor-gencert to generate some really long ones.

comment:12 Changed 7 years ago by nickm

Keywords: tor-auth added

comment:13 Changed 7 years ago by nickm

Component: Tor Directory Authority → Tor