Opened 22 months ago

Closed 21 months ago

Last modified 16 months ago

#6252 closed defect (fixed)

We obey sendme cells even when we shouldn't get them

Reported by: arma
Owned by:
Priority: major
Milestone: Tor: 0.2.3.x-final
Component: Tor
Version:
Keywords: tor-relay
Cc:
Actual Points:
Parent ID:
Points:

Description

A client can send sendme cells preemptively to the exit relay, allowing:

  • cheating on her flow/congestion control, to get her bytes faster.
  • DoS on the network, by adding way more cells into the network than she was supposed to.
  • perhaps a memory DoS on the entry relay, if she stops reading from the TLS connection but keeps up the blitz of sendme cells.

I believe the fix is to tear down the circuit when we get a sendme we should not have gotten.
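
The check proposed in the description above, as an added example that is not part of the ticket or Tor's own code: a relay-side model of the circuit package window that tears the circuit down when a sendme would raise the window above its starting value, which is one way to decide that a sendme "should not have been gotten". The struct, the function names and the 1000-cell and 100-cell constants are assumptions; the ticket does not give them.

```c
#include <stdio.h>

/* Assumed values; the ticket does not state them. */
#define WINDOW_START     1000  /* cells the relay may send before any sendme */
#define WINDOW_INCREMENT  100  /* cells each sendme adds to the window */

/* Hypothetical per-circuit state kept by the relay. */
struct circ {
  int package_window;  /* cells the relay may still package toward the client */
  int closed;          /* set when the circuit is torn down */
};

/* Package one data cell toward the client. Returns 1 if sent, 0 if blocked. */
static int circ_package_cell(struct circ *c) {
  if (c->closed || c->package_window <= 0)
    return 0;
  c->package_window--;
  return 1;
}

/* Handle a circuit-level sendme. With enforce set, a sendme that would lift
 * the window above its starting value cannot be acknowledging cells the relay
 * actually sent, so the circuit is closed. Returns 0 if accepted, -1 if not. */
static int circ_process_sendme(struct circ *c, int enforce) {
  if (c->closed)
    return -1;
  if (enforce && c->package_window + WINDOW_INCREMENT > WINDOW_START) {
    c->closed = 1;
    return -1;
  }
  c->package_window += WINDOW_INCREMENT;
  return 0;
}

/* Cells the relay sends with no further acknowledgement after the client
 * delivers n_sendmes before it has received any data. */
static int cells_after_early_sendmes(int n_sendmes, int enforce) {
  struct circ c = { WINDOW_START, 0 };
  int sent = 0;
  for (int i = 0; i < n_sendmes; i++)
    circ_process_sendme(&c, enforce);
  while (circ_package_cell(&c))
    sent++;
  return sent;
}

int main(void) {
  printf("unchecked: %d cells\n", cells_after_early_sendmes(10, 0));
  printf("checked:   %d cells\n", cells_after_early_sendmes(10, 1));
  return 0;
}
```

A sendme that arrives after the relay has sent at least one increment's worth of cells is still accepted, so honest clients are unaffected by the check in this model.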


Attachments (1)

notices-sendmecells.log (75.4 KB) - added by mo 16 months ago.
grep "Bug/attack" /var/log/tor/notices*


Change History (19)

comment:1 Changed 22 months ago by arma

  • Status changed from new to needs_review

See my branch 6252.

Not intended to go into 0.2.3.18-rc.

comment:2 Changed 22 months ago by nickm

Looks okay to me.

comment:3 Changed 22 months ago by arma

  • Resolution set to fixed
  • Status changed from needs_review to closed

Merged then.

comment:4 Changed 22 months ago by arma

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:5 Changed 22 months ago by arma

Hm. Running it on moria1 with protocolwarnings 1, I see quite a few:

Jul 01 05:37:54.000 [warn] Bug/attack: unexpected sendme cell from client. Closing circ.
Jul 01 05:37:54.000 [warn] connection_edge_process_relay_cell (away from origin) failed.
Jul 01 05:37:54.000 [warn] circuit_receive_relay_cell (forward) failed. Closing.

I wonder if these are people performing the exploit, or people otherwise doing something unexpected.

comment:6 Changed 22 months ago by arma

Ok, I reverted.

moria1 was seeing circwindows of 1950+ in normal operation.

comment:7 Changed 22 months ago by arma

  • Status changed from reopened to needs_information

#6271 for the new bug.

comment:8 Changed 22 months ago by arma

FYI, I'm running the #6271 patch and the #6252 patch on moria1, with no complaints now.

comment:9 Changed 21 months ago by nickm

  • Status changed from needs_information to needs_review

So do you think we can re-cherrypick the 6252 patch again? If so see branch "bug6252_again" in my public repository.

comment:10 Changed 21 months ago by arma

Still no warnings on moria1. What could go wrong! Let's do it.

comment:11 Changed 21 months ago by arma

(should we make the warnings louder for a few versions, in case they show up on, say, exit relays?)

comment:12 Changed 21 months ago by nickm

Maybe we should rate-limit them if we do?

comment:13 Changed 21 months ago by arma

Sure.

Or we could merge it into master first, with warnings loud, and later put it into 0.2.3 with fewer warnings?

comment:14 Changed 21 months ago by nickm

Or put it into 0.2.3 nice and quiet and make it loud in master. The possibilities are endless. "Feel free" say I.

comment:15 Changed 21 months ago by nickm

  • Resolution set to fixed
  • Status changed from needs_review to closed

Merging into maint-0.2.3; making the warnings louder in master.

If you want to change that, feel free.

comment:16 Changed 19 months ago by nickm

  • Keywords tor-relay added

comment:17 Changed 19 months ago by nickm

  • Component changed from Tor Relay to Tor

Changed 16 months ago by mo

grep "Bug/attack" /var/log/tor/notices*

comment:18 Changed 16 months ago by mo

Replying to arma:

(should we make the warnings louder for a few versions, in case they show up on, say, exit relays?)

I'm not sure if this is interesting, but I see these warnings quite often on our exits. (see attachment for example)

Tor 0.2.4.6-alpha (git-6fd93dcf3fbabe2b) straight from deb repository.
