Opened 7 years ago

Closed 23 months ago

#5928 closed task (wontfix)

Research: IP discovery through Tor behind isolated network

Reported by: proper Owned by:
Priority: Medium Milestone:
Component: Metrics/Analysis Version:
Severity: Keywords:
Cc: proper@…, coderman Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Some integrations with Tor are possible where the client operating system is not aware of its own external IP address. It can only exit traffic through Tor. No direct connections are possible.

The setup is implemented because Tor is running on machine 1, which acts as a server, and the client operating system is running on machine 2. The machines can be either virtual machines or real hardware and are connected through an isolated LAN. The server has two network cards, one for the internal network and one to allow Tor to communicate with the outside world. All connections go through Tor. [1] [2]

The setup has many advantages [8], for example that some severe IP leaks, such as [6], [7], are prevented in the first place.

It is also assumed that a successful exploit and infection (for example with a Trojan horse) of the isolated client system would not lead to IP discovery.* As long as the adversary is unable to exploit and infect the Tor server from there as well.

The research question is, is that actually true?

One already mentioned way of IP discovery would be to exploit and infect the Tor server as well. That's obvious and should be excluded from the research.

It may make a difference if the whole client system is directed with the help of iptables through Tor's TransPort or if the client operating system is supposed to use Tor's SocksPort(s).

Another attack vector may be mistakes in the configuration, which no one has noticed yet.

The most interesting question is, how resistant is the Tor process against malicious input (in the form of network traffic)?

Obviously the attacker could control whether any traffic, and how much traffic, is transmitted into the Tor network. This might make certain active or passive attacks easier.

The research paper could cover attacks and additionally propose defenses.

The topic has been discussed a few times on the mailing list, but with no results to this particular question. [3] [4] [5]

[1] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

[2] https://trac.torproject.org/projects/tor/wiki/doc/TorBOX

[3] tor-talk Can Tor resist active IP discovery attacks from inside the client?

[4] tor-talk Risk with transparent proxy mode was Re:Operating system updates / software installation behind Tor Transparent Proxy

[5] tor-talk Obtain real IP behind Tor transparent proxy; was: Operating system updates / software installation behind Tor Transparent Proxy

[6] https://tails.boum.org/security/IP_address_leak_with_icedove/index.en.html

[7] https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs

[8] https://trac.torproject.org/projects/tor/wiki/doc/TorBOX#AdvantagesofTorBOX

Feel free to edit Summary and Description as required, if something is not optimally chosen.
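
An added example, not part of the ticket or of the Tor project's code: a check for the kind of gateway configuration mistake the description mentions, run against the `iptables-save` output of machine 1. The interface name `eth1`, TransPort 9040 and DNSPort 5353 are assumed values, and the four conditions tested are one assumed definition of a ruleset that forces all client traffic through Tor.

```python
import shlex
# Constructed iptables-save output from a misconfigured gateway (not from the ticket).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
"""

def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [token lists]}}."""
    tables, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif cur is not None and line.startswith(":"):
            cur["policy"].update([line[1:].split()[:2]])
        elif cur is not None and line.startswith("-A "):
            cur["rules"].append(shlex.split(line))
    return tables

def opt(rule, flag):  # value following `flag` in a tokenized rule, or None
    return rule[rule.index(flag) + 1] if flag in rule else None

def redirected(rules, lan_if, proto, to_port, dport=None):
    """True if PREROUTING redirects proto from lan_if to to_port; dport=None means every port."""
    return any(r[1] == "PREROUTING" and opt(r, "-i") == lan_if and opt(r, "-p") == proto
               and opt(r, "-j") == "REDIRECT" and opt(r, "--to-ports") == str(to_port)
               and opt(r, "--dport") == (dport and str(dport)) for r in rules)

def audit_gateway(text, lan_if="eth1", trans_port=9040, dns_port=5353):
    """List the ways client traffic could reach the gateway or the outside without Tor."""
    tables = parse_save(text)
    nat, flt = (tables.get(n, {"policy": {}, "rules": []}) for n in ("nat", "filter"))
    found = []
    if flt["policy"].get("FORWARD") != "DROP" or any(
            r[1] == "FORWARD" and opt(r, "-j") == "ACCEPT" for r in flt["rules"]):
        found.append("forward: client packets can be routed to the external interface")
    if not redirected(nat["rules"], lan_if, "tcp", trans_port):
        found.append("tcp: not all client TCP is redirected to TransPort")
    if not redirected(nat["rules"], lan_if, "udp", dns_port, dport=53):
        found.append("dns: client DNS is not redirected to DNSPort")
    if flt["policy"].get("INPUT") != "DROP":
        found.append("input: client can reach other services on the gateway")
    return found
```

`audit_gateway(SAMPLE)` reports all four findings for the constructed ruleset; an empty list means the ruleset meets the assumed conditions, not that the gateway is free of leaks.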

Change History (2)

comment:1 Changed 7 years ago by arma

Cc: coderman added
Component: Tor Client → Analysis

comment:2 Changed 23 months ago by karsten

Resolution: wontfix
Status: new → closed

Closing tickets in Metrics/Analysis that have been created 5+ years ago and not seen progress recently, except for the ones that "nickm-cares" about.
