29 Oct
2024
29 Oct
'24
2:15 p.m.
Hi,
I suppose it's relevant to anyone who might be target of harassment, but
for the three of you¹ currently running Tor relays at BitFolk please be
aware of:
https://delroth.net/posts/spoofed-mass-scan-abuse/
There isn't actually anything you can do about it other than reply to
abuse reports accordingly.
Thanks,
Andy
¹ curl -s 'https://onionoo.torproject.org/details?search=running:true' | \
jq '.relays[] | select(.or_addresses[] | startswith("85.119.8"))'
--
https://bitfolk.com/ -- No-nonsense VPS hosting
"I am the permanent milk monitor of all hobbies!" — Simon Quinlank
30 Oct
30 Oct
12:12 p.m.
New subject: Backscatter attacks on TCP connections (not limited to Tor) triggering abuse honeypots of service providers
At Z+0000=2024-10-29Tue14:15:32, Andy Smith via BitFolk Users sent:
[For the three of you running Tor relays at BitFolk…]
I suppose it's relevant to anyone who might be target of harassment, but for the
three of you¹ currently running Tor relays at BitFolk please be aware of:
https://delroth.net/posts/spoofed-mass-scan-abuse/
There isn't actually anything you can do about it other than reply to abuse reports
accordingly.
Having read that article, it looks like this issue is of most relevance to the service
providers of those 3 customers -- so more relevant to BitFolk, right Andy?, or
BitFolk's ISP. The article finds that the only threat that seems to be present in
this backscatter attack on TCP connections, ordinarily benign, is that it is triggering
abuse warnings of some ISPs or hosts, which may have further consequences if not responded
to. The article implies that if it were not for these abuse honeypots, backscatter
attacks on TCP would be ineffective, unless part of an ordinary DDoS attack on some other
target.
The article also draws the realisation that this nefarious activity is not specific to
Tor, even though the Tor network is currently observing this backscatter activity from
multiple countries and continents, but the concept of the attack could just as easily
target any TCP-based service into triggering the automatic abuse honeypots -- whatever
those consequences may be from minor nuisance to termination of service contract.
The article implies that this attack is an exploitation of a vulnerability that was
created by the abuse prevention measures themselves, and is only as severe as those
consequences are. If backscatter on TCP connections is ordinarily benign, then maybe it
is the responsibility of service providers to adjust their abuse policy to act differently
on TCP packets, such as to undermine the motive of this kind of attack -- which could be
worse than the DDoS attacks that the abuse prevention measures are trying to address,
depending on the severity of the consequences triggered. If the abuse prevention can
trigger actions as hostile as termination of contract, then the service providers will
have "jumped out of the frying pan and into the fire", replacing DDoS
vulnerability with a vulnerability that is far more hostile. Then again, the DDoS
vulnerability never really goes away, so actually they have just added more attack surface
area with little gain, it seems.
The article does not suggest any technical remedy on the part of the service user, and
merely suggests replying to the automatic abuse messages asserting that "you are in
fact a victim and not a perpetrator", but seeing as this attack seems to be
targetting port 22 -- the port for SSH -- surely there is some set of filtering rules that
could differentiate the spoofed packets from the rest of the Tor traffic, without blocking
SSH as well.
I still don't get how we jump from whatever port Tor uses to port 22 for SSH.
I'm wondering whether this is perhaps an abuse of the Tor network to somehow conduct a
distributed SSH port-knocking-style attack, somehow finding machines listening for SSH
connections. But as the article already points-out, the attacker does not get to see the
replies from this backscatter, so we believe.
What if actually it is more specific to Tor than Delroth first realised? What if it
is possible to detect the replies to the backscatter from within the Tor network? You run
some data through the Tor network, you can see what relay you are connected to, you send a
TCP RST packet to that relay that backscatters to some server you want to knock for SSH,
if the server replies, you somehow detect this in your Tor connection -- maybe the reply
disrupts the TCP connections in some obvious and detectable way, such as a connection
tear-down. That then gives feedback as to whether that server has SSH running on port 22.
Just an idea. It is way beyond me to prove or disprove this. I don't even run Tor.
jq '.relays[] | select(.or_addresses[] |
startswith("85.119.8"))'
Nice! :-D Jq is a very useful tool. I discovered it a few years ago.
Thanks for this share, Andy, it has certainly been an interesting and
thought-provoking read! :-)
Kind regards,
James.
--
Wealth doesn't bring happiness, but poverty brings sadness.
Sent from Debian with Claws Mail, using email subaddressing as an alternative to
error-prone heuristical spam filtering.
1:43 p.m.
New subject: Backscatter attacks on TCP connections (not limited to Tor) triggering abuse honeypots of service providers
Hi James,
On Wed, Oct 30, 2024 at 12:12:12PM +0000, James R. Haigh (+BitFolk subaddress) via BitFolk
Users wrote:
At Z+0000=2024-10-29Tue14:15:32, Andy Smith via
BitFolk Users sent:
In general where we don't think actual abuse is taking place, we expect
the customer to reply to abuse reports involving them. Particularly in
the case of Tor nodes these generate a lot of abuse reports although
that is mainly for exit nodes and there aren't any of those at BitFolk
right now, only relay nodes (internal to Tor so never visible to an
end-host outside Tor).
https://delroth.net/posts/spoofed-mass-scan-abuse/
There isn't actually anything you can do about it other than reply to abuse reports
accordingly.
Having read that article, it looks like this issue is of most
relevance to the service providers of those 3 customers -- so more
relevant to BitFolk, right Andy? The article finds that the only threat that seems
to be present in
this backscatter attack on TCP connections, ordinarily benign, is
that it is triggering abuse warnings of some ISPs or hosts, which
may have further consequences if not responded to.
SSH dictionary attacks are so common that when someone sees a number of
TCP SYN packets to their port 22 they just think it is one of those and
report it as such, and the hosting company at the other end would often
be inclined to believe it, as initially seen in that article.
The article implies that if it were not for these
abuse honeypots,
backscatter attacks on TCP would be ineffective, unless part of an
t>
ordinary DDoS attack on some other target.
T he honeypots do an important job of detecting this sort of activity but
it does seem necessary for them to gather more information than some TCP
SYN packets before taking any action.
If
backscatter on TCP connections is ordinarily benign,
I wouldn't necessarily call it benign as it does imply some forging is
going on for some reason. It could indicate a misconfiguration such as
two or more devices with the same IP address.
maybe it
is the responsibility of service providers to adjust their abuse
policy to act differently on TCP packets, such as to undermine the
motive of this kind of attack -- which could be worse than the
DDoS attacks that the abuse prevention measures are trying to
address, depending on the severity of the consequences triggered.
Certainly from BitFolk point of view but also I think generally, most
kinds of abuse report would need to show some actual content, and that
is not possible with spoofed TCP. I think it is only because port
scanning and SSH dictionary attacks are so common that a lazy report
like that could ever be taken seriously.
seeing as this attack seems to be targetting
port 22 -- the port for SSH -- surely there is some set of
filtering rules that could differentiate the spoofed packets from
the rest of the Tor traffic, without blocking SSH as well.
Tor is a proxy. What comes out of it is just normal Internet traffic,
like if it were a SOCKS proxy or a HTTP proxy. When a TCP SYN packet
comes in, all you have is the source address as there is no payload yet.
The only way to tell that it is a legitimate connection attempt from a
non-spoofed source is to complete the TCP three way handshake. Spoofed
sources can't complete that.
What if actually it is more specific to Tor than
Delroth first
realised? What if it is possible to detect the replies to the
backscatter from within the Tor network?
Tor, being a proxy, runs as a user process on some server. User
processes should never see these partially set up TCP connections as all
that happens is the kernel receives a SYN+ACK packet from the SSH host
with a sequence number that does not match any SYN it has sent itself.
It knows something strange has happened and sends back a TCP RST packet
to destroy the connection before it was ever established.
You can't even see this happening unless you run a process with elevated
privileges in order to trace it like tcpdump.
So no, it should not get as far as the Tor process.
Anyway, multiple companies are scanning all 65k ports of the entire IPv4
address apace multiple times a day to look for every service there is and
they sell the database of that, so there is no need for anyone to do it
through Tor if the goal were purely to identify SSH servers.
It may also be worth noting that most Tor exit nodes are configured to
not permit TCP port 22 connections out since they just get used for SSH
dictionary attacks otherwise. Similarly they don't allow port 25 as they
just get used to relay spam.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
"It is I, Simon Quinlank. The chief conductor on the bus that is called
hobby." — Simon Quinlank
5:32 p.m.
New subject: Backscatter attacks on TCP connections (not limited to Tor) triggering abuse honeypots of service providers
At Z+0000=2024-10-30Wed13:43:01, Andy Smith via BitFolk Users sent:
I was thinking more via some side-channel, like a timing side-channel. But I also was
not seeing the independence of the spoofed and incomplete SSH connections from the Tor
connections, until it was revealed later in the article that this is not specific to Tor.
So on 2nd-thought, I agree with you that the replies to the backscatters have no impact on
the Tor relays that is detectable from a Tor client.
On Wed, Oct 30, 2024 at 12:12:12PM +0000, James R.
Haigh (+BitFolk subaddress) via BitFolk Users wrote:
[...]
In general where we don't think actual abuse is taking place, we expect the customer
to reply to abuse reports involving them. [...]
How does the customer reply to abuse reports from BitFolk's ISP to BitFolk? Does
BitFolk automatically forward such abuse reports to the customer? Or does BitFolk
generate its own abuse reports?
SSH dictionary attacks are so common that when someone
sees a number of TCP SYN packets to their port 22 they just think it is one of those and
report it as such, and the hosting company at the other end would often be inclined to
believe it, as initially seen in that article.
I often wonder about how to mitigate this problem.
The honeypots do an important job of detecting this
sort of activity but it does seem necessary for them to gather more information than some
TCP SYN packets before taking any action.
I was wondering about the payload of the packets. Delroth did not go into that
detail, but his article also states at the bottom that it was written hastily before a
plane flight. He may not have had time to look at the payloads in more detail, like in
WireShark.
I wouldn't necessarily call it benign as it does
imply some forging is going on for some reason.
Sorry, I meant "ineffective". I.e., there is malicious intent there, but
not one that can harm us because the TCP connections never complete their handshake.
It could indicate a misconfiguration such as two or
more devices with the same IP address.
Accidental backscatter -- good point. I have seen this on LANs on many occasions.
[...]
Tor is a proxy. What comes out of it is just normal Internet traffic,
If we are talking about the relay nodes (Delroth specifically states that these are
not also exit nodes), then no normal Internet traffic is coming out of it at this point.
The traffic is inside an encrypted tunnel, being "onion routed" through 3 relay
nodes, iirc..
According to the WireShark wiki, Tor's TLS connection is the usual port 443, and
it also uses ports 9001 and 9030:-
http://frogfind.com/read.php?a=https://wiki.wireshark.org/Tor
My understanding is that the servers running Tor are being sent -- completely
unrelatedly on port 22, and from /outside/ of the Tor tunnels -- TCP packets with a
spoofed source IP address, backscattering to other machines that of course fail to
establish the full handshake, meaning that these connections are instantly dropped -- but
sometimes can trigger anti-abuse honeypots, even though the abuse did not originate on the
server that received the spoofed TCP packets.
So what has it got to do with Tor? Delroth says not much, beside maybe a motive to
cause disruption to the Tor network -- by means of attempting to trigger anti-abuse
measures against operators of Tor services such as relays. These servers may only be
being targetted as such because they are being listed as available relay nodes in the Tor
network.
Machines not running Tor are apparently just as susceptible to this vulnerability, but
simply are not being targetted yet.
[...] When a TCP SYN packet comes in, all you have is
the source address as there is no payload yet.
Oh, okay.
The only way to tell that it is a legitimate
connection attempt from a non-spoofed source is to complete the TCP three way handshake.
Spoofed sources can't complete that.
I think what I might do if I was in this situation is to run my SSH on some other much
higher port, and just drop all packets for port 22, because it has nothing to do with Tor.
Or I would capture them and maybe honeypot them somehow to further protect my real SSH
port.
What if
actually it is more specific to Tor than Delroth first realised? What if it is possible
to detect the replies to the backscatter from within the Tor network?
Tor, being a proxy, runs as a user process on some server. User processes should never
see these partially set up TCP connections as all that happens is the kernel receives a
SYN+ACK packet from the SSH host with a sequence number that does not match any SYN it has
sent itself. It knows something strange has happened and sends back a TCP RST packet to
destroy the connection before it was ever established.
You can't even see this happening unless you run a process with elevated privileges
in order to trace it like tcpdump.
So no, it should not get as far as the Tor process. Anyway, multiple companies are scanning all 65k ports
of the entire IPv4 address space multiple times a day to look for every service there is
and they sell the database of that, so there is no need for anyone to do it through Tor if
the goal were purely to identify SSH servers.
Heh, how is that not against computer misuse? I'm sure if I did that sort of
thing I'd be in big trouble for it, but they are allowed to do it for profit, hey?
Hmm.
Point taken, though.
It may also be worth noting that most Tor exit nodes
are configured to not permit TCP port 22 connections out since they just get used for SSH
dictionary attacks otherwise.
Oh right. Delroth's article states that their Tor relays are not also exit nodes,
though, so I don't think it is this.
Similarly they don't allow port 25 as they just
get used to relay spam.
SMTP. Okay.
Well, I through a few other ideas into the mix trying to question whether there is a
deeper motive besides triggering these honeypots against the wrong people (a TCP/IP
version of "stitching someone up"), but I don't think they came to much
beyond Delroth's understanding that the intent of these spoofed TCP packets is none
other than to turn the honeypots and automatic abuse blockers onto innocent
users/operators.
It still seems odd to me as to why port 22? Why not any port if it is just a spoof
packet to cause a nuisance? Is it because this is the port that is most likely to trigger
various honeypots?
Kind regards,
James.
--
Wealth doesn't bring happiness, but poverty brings sadness.
Sent from Debian with Claws Mail, using email subaddressing as an alternative to
error-prone heuristical spam filtering.
8:45 p.m.
New subject: Backscatter attacks on TCP connections (not limited to Tor) triggering abuse honeypots of service providers
Hi James,
On Wed, Oct 30, 2024 at 05:32:49PM +0000, James R. Haigh (+BitFolk subaddress) via BitFolk
Users wrote:
Okay, yes. But in this case the only link between Tor and SSH is that
some miscreant has apparently decided to harass operators of known Tor
nodes by means of attacking servers known to run SSH. Tor is really
incidental here and the attacker could just as well have decided to
target IP addresses thought to be in Spain, or IP address that are
prime numbers or something.
When the forged traffic hits the TARGET, it has not been anywhere near
the VICTIM yet, so whatever software the VICTIM is running is not
relevant.
When the TARGET sends back a SYN+ACK response to the VICTIM, the
VICTIM's kernel deals with it (either by ignoring it or sending a RST)
before it reaches user space so again Tor is not a factor here.
So what I mean is that it wouldn't matter if VICTIM is a Tor exit node
or relay node or not a Tor node at all, it could even be a networked
coffee machine. It was a human attacker who seems to have chosen to
harass people operating Tor nodes.
At Z+0000=2024-10-30Wed13:43:01, Andy Smith via
BitFolk Users sent:
Since BitFolk has a business relationship with its suppliers, if they
have an issue they will contact us about it and we'll probably iron it
out without BitFolk's customer being involved.
It is when an abuse report comes in from some third party that has no
contractual relationship with BitFolk or the customer concerned that we
would pass this on to the customer to deal with because it will be
boring administrative work. First though we must determine if it's a
genuine report of malicious behaviour, as we wouldn't want to just pass
on an abuse report with the reporter's contact details to the possible
bad actor.
I am really only talking about the cases where it's clear it is some
misunderstanding or at least something to be discussed and negotiated,
and with permission of the reporter.
An non-Tor-related example that springs to mind is when automated scans
of web servers by "good cause" projects find a binary that is a known
piece of malware, so they report it to us as a possibly infected host,
but we happen to know for example that the customer concerned is a
security researcher or penetration tester and the file is there on
purpose. Rather than explain all this on our customer's behalf we would
like to put them in direct contact with each other.
On Wed, Oct 30, 2024 at 12:12:12PM +0000, James
R. Haigh (+BitFolk subaddress) via BitFolk Users wrote:
[...]
In general where we don't think actual abuse is taking place, we expect the customer
to reply to abuse reports involving them. [...]
How does the customer reply to abuse reports from BitFolk's ISP to
BitFolk? Does BitFolk automatically forward such abuse reports to
the customer? Or does BitFolk generate its own abuse reports? I was wondering about the payload of the packets.
Delroth did not
go into that detail, but his article also states at the bottom
that it was written hastily before a plane flight. He may not
have had time to look at the payloads in more detail, like in
WireShark.
In this case there cannot be any payload because a TCP connection can't
exchange any data until the three way handshake is completed to set it
up. All that happens here is:
ATTACKER --SYN packet with source IP of VICTIM--> TARGET
TARGET --SYN+ACK packet back------------------> VICTIM
VICTIM --RST back because sequence number-----> TARGET
didn't match any SYN it had sent
All of these are empty TCP packets with only flags and src/dst IPs in
them.
ATTACKER's real IP address is not known to anyone because they have
forged VICTIM's IP as the source on their packets.
Normally this would probably go totally unnoticed. It's only because
certain sites are hyper sensitive to port 22 SYN packets being received
and think it is an SSH dictionary attack. Really they should wait for
the connection to be established and log the actual login attempt before
assuming that.
Tor is a
proxy. What comes out of it is just normal Internet traffic,
If we are talking about the relay nodes (Delroth specifically
states that these are not also exit nodes), then no normal
Internet traffic is coming out of it at this point. The traffic
is inside an encrypted tunnel, being "onion routed" through 3
relay nodes, iirc.. My understanding is that the servers running Tor
are being sent --
completely unrelatedly on port 22, and from /outside/ of the Tor
tunnels -- TCP packets with a spoofed source IP address,
backscattering to other machines that of course fail to establish
the full handshake, meaning that these connections are instantly
dropped -- but sometimes can trigger anti-abuse honeypots, even
though the abuse did not originate on the server that received the
spoofed TCP packets.
That is correct. It seems that some setups require only to see TCP SYN
packets and consider that an attack. Over-sensitive intrusion detection
systems have been a thing for as long as there have been networks and
ways to report abuse.
So what has it got to do with Tor? Delroth says
not much, beside
maybe a motive to cause disruption to the Tor network -- by means
of attempting to trigger anti-abuse measures against operators of
Tor services such as relays.
As the article mentioned, a lot of people seem to dislike Tor and are
willing to attack it. I suppose a bit like how a lot of people seem to
dislike archive.org and are regularly willing to DDoS it.
It is in some ways a pity that there is a publ;ic directory of all Tor
nodes which makes it easier for people to harass them, but it's an open
decentralised network so these things need ways to find each other. Also
a lot of site operators demand a way to know all Tor exit node IPs so
they can pre-emptively block them.
Probably there are multiple other things like Tor but with more secretive
node directories.
Machines not running Tor are apparently just as
susceptible to
this vulnerability, but simply are not being targetted yet.
Yep. Like with all DDoS.
It still seems odd to me as to why port 22? Why
not any port if
it is just a spoof packet to cause a nuisance? Is it because this
is the port that is most likely to trigger various honeypots?
I think so yes. I cannot really think of any other service where people
are so twitchy about looking at multiple "strange" connections attempts
to it.
You would not even notice if this were port 80/443 for example because
you do expect the world to visit a public web site and the web server
would log nothing as none of those connections ever get established far
enough for user space to see them.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
31 Oct
31 Oct
12:46 p.m.
New subject: Backscatter attacks on TCP connections (not limited to Tor) triggering abuse honeypots of service providers
Hi Andy,
At Z+0000=2024-10-30Wed20:45:22, Andy Smith via BitFolk Users sent:
[...]
Since BitFolk has a business relationship with its suppliers, if they have an issue they
will contact us about it and we'll probably iron it out without BitFolk's customer
being involved.
It is when an abuse report comes in from some third party that has no contractual
relationship with BitFolk or the customer concerned that we would pass this on to the
customer to deal with because it will be boring administrative work. First though we must
determine if it's a genuine report of malicious behaviour, as we wouldn't want to
just pass on an abuse report with the reporter's contact details to the possible bad
actor.
I am really only talking about the cases where it's clear it is some misunderstanding
or at least something to be discussed and negotiated, and with permission of the
reporter.
An non-Tor-related example that springs to mind is when automated scans of web servers by
"good cause" projects find a binary that is a known piece of malware, so they
report it to us as a possibly infected host, but we happen to know for example that the
customer concerned is a security researcher or penetration tester and the file is there on
purpose. Rather than explain all this on our customer's behalf we would like to put
them in direct contact with each other.
Yep, this all makes sense. Thanks for clarifying. :-)
[...]
In this case there cannot be any payload because a TCP connection can't exchange any
data until the three way handshake is completed to set it up.
Yep, it can't transmit any TCP payload data. When I first mentioned
"payload", I think I was actually thinking about the payload of the IP packet --
in this case the IP payloads are the TCP packets that are all TCP header.
In other words, when I was wondering about looking closer at the packets for details
that might help differentiate, I was wondering whether there were any other details in
these spoofed packets that could be used to distinguish them from legitimate SSH
connections, in either the fields that have been listed by Delroth, or in fields or flags
that were in Delroth's TCPdump that were not listed, if any. Given that these IP
packets are small and all-header, with just a few header fields, if anything could
distinguish them, these details are probably already visible in Delroth's article.
I have been thinking about this some more, and something that I am wondering about is
whether the src and dst /ports/ seem to be back-to-front from the usual way of doing it.
This comprises a single bit of information hidden in plain sight which is actually quite
helpful in potentially blocking this attack, if I am not mistaken.
My understanding, in the 3-stage handshake, SYN, SYN+ACK, ACK, is that that initial
SYN packet usually goes from a high port to a low port -- e.g. a low port of 22 for SSH.
Now, Delroth's article does open with this quoted abuse alert email listing a number
of packets outbound from Delroth's server at 195.201.9.37 with high src ports, and
heading towards dst port 22 on various other hosts -- making it look like, at first
glance, that these are SSH connection attempts initiating on Delroth's 195.201.9.37.
But as Delroth soon discovers that these are backscatters triggered by incoming spoofed
SYN packets, it means that these outgoing packets are actually SYN+ACK packets, and thus
/out-of-phase/ with the usual sequence. This could be a really key way to detect and
block this kind of attack, both for operators of servers and for service providers running
honeypots with automated abuse warnings.
I also notice that the destination IP addresses listed are all within the range of
202.91.16[1-3].* -- in the quoted email, that is -- the others listed below are different,
though. I also wonder whether the TTL of these packets would be 1 less than normal --
however, this can be spoofed as well, and also depends on how far these have travelled
across the Internet, so not really very helpful.
The SYN versus SYN+ACK phase mismatch seems to me like the most useful thing here.
Also, simply blocking outbound SSH, except for a whitelist, seems like a quick easy fix.
This would not block me from SSH'ing-in to the server, and if I find that I want to
SSH-out to another server, maybe for SCP, SFTP, Rsync, a temporary port forward, or
whatever and I find that I have blocked myself -- well I can fix that from that server
that I am already SSH'd into! :-) I don't see the harm in blocking outbound SSH
until otherwise needed, if it avoids transmitting abuse, seeing as I can always change
that later if it becomes a problem.
All that happens here is:
ATTACKER --SYN packet with source IP of VICTIM--> TARGET
TARGET --SYN+ACK packet back------------------> VICTIM
VICTIM --RST back because sequence number-----> TARGET
didn't match any SYN it had sent
All of these are empty TCP packets with only flags and src/dst IPs in them.
ATTACKER's real IP address is not known to anyone because they have forged
VICTIM's IP as the source on their packets.
Yep, so, for clarity, I will annotate that with what I think the high/low port numbers
are doing in the activity that Delroth has observed:-
ATTACKER
\
\
-SYN packet with source IP of VICTIM--> TARGET
VICTIM <------------------SYN+ACK packet back-- TARGET (e.g. Delroth's
VICTIM --RST back because sequence number-----> TARGET 195.201.9.37:xxxxx)
(port 22) didn't match any SYN it had sent
Btw., it seems to me that both TARGET and VICTIM are victim to different parts of the
attack -- VICTIM is victim to a more typical DDoS attack, whereas TARGET is victim to
consequences that may be more severe than mere Denial-of-Service. I would label these
VICTIM1 and VICTIM2, if not for matching the labels with your own diagram.
Normally this would probably go totally unnoticed.
It's only because certain sites are hyper sensitive to port 22 SYN packets being
received and think it is an SSH dictionary attack. Really they should wait for the
connection to be established and log the actual login attempt before assuming that.
Yes, hypersensitive security can create new vulnerabilities and instabilities. But if
I am not mistaken about the aforementioned phase mismatch, there could be a small
adjustment to those detections that avoids incentivising this new kind of attack that
seems to be leveraging those abuse alerts as a new form of abuse in itself. Well, nothing
new about the concept of a "stitch-up", but it may be fairly new to witness a
stitch-up at the TCP/IP level in incomplete connections that don't even complete their
TCP handshakes.
Btw., "port 22 SYN packets" is ambiguous, in this context. Normally, a port
22 SYN packet would be a SYN packet with a destination port of 22. In this context,
Delroth observed packets that were out-of-phase with this usual relationship, implying
that in fact the SYN packets in this case actually had a source port of 22 -- as far as I
understand. These are 2 very different things, even though informatically, this can be
reduced to being different by only a single bit of information. This single bit of
information may be key to distinguishing the spoofed packets and blocking them before any
backscatter occurs.
[...]
Okay, yes. But in this case the only link between Tor and SSH is that some miscreant has
apparently decided to harass operators of known Tor nodes by means of attacking servers
known to run SSH. Tor is really incidental here and the attacker could just as well have
decided to target IP addresses thought to be in Spain, or IP address that are prime
numbers or something.
Yep.
When the forged traffic hits the TARGET, it has not
been anywhere near the VICTIM yet, so whatever software the VICTIM is running is not
relevant.
I never suggested it was. It is TARGET that represents the Tor relay. And as Delroth
and we have established and seconded, the software on TARGET such as Tor is not
particularly relevant either, except in being the reason selected as the target of this
attack.
[...]
So what I mean is that it wouldn't matter if VICTIM is a Tor exit node or relay node
or not a Tor node at all, it could even be a networked coffee machine. It was a human
attacker who seems to have chosen to harass people operating Tor nodes.
Agreed, but VICTIM? Have I misinterpreted the orientation of VICTIM and TARGET in
your diagram? Are you implying that Delroth's 195.201.9.37:xxxxx is an example of
VICTIM in your diagram, rather than TARGET? This would be an alternative explanation for
the srcport/dstport phase mismatch that I see, but I don't see how that would match
Delroth's logs that he quoted in his article. I may be mistaken but it is worth
checking this phase mismatch idea because I think that it could be very helpful if it
turns-out to be an easy identifier.
[...]
That is correct. It seems that some setups require only to see TCP SYN packets and
consider that an attack. Over-sensitive intrusion detection systems have been a thing for
as long as there have been networks and ways to report abuse.
Even predates computer networks -- you can generalise it with witch-hunts, for
example. (Lol, to be making this comment by-chance on 31st October! :-P No pun was
intended.)
[...]
It is in some ways a pity that there is a public directory of all Tor nodes which makes
it easier for people to harass them, but it's an open decentralised network so these
things need ways to find each other. Also a lot of site operators demand a way to know all
Tor exit node IPs so they can pre-emptively block them.
Probably there are multiple other things like Tor but with more secretive node
directories.
If "like Tor" means "anonymising network", then I think that this
might actually be an impossible problem to solve. To anonymise requires that multiple
users (preferably a very large number) use the network and their identities are shuffled.
Anyone who uses the network will come into direct contact with nodes on the network, and
thus have access to attack them.
If the node-directories were somehow made secret, then this would not be an
open-access network. The entire network being closed-access, implies a central control,
and this central authority would operate more like an individual. E.g., if a government
agency operated its own, in-house anonymising network -- whatever goes in or out of it is
connected with that government agency, and so it is not really anonymising that agency in
any useful way. I gather that Tor itself was born out of a USA governmental/military
agency desire to anonymise, and had to make it open-access and gather enough civilian
support in order to hide the military activity. So Tor's own foundings kind of imply
that an anonymising network has to be open-access and thus will always be very easy to see
some or all of the participating nodes.
[...]
I think so yes. I cannot really think of any other service where people are so twitchy
about looking at multiple "strange" connections attempts to it.
I see.
You would not even notice if this were port 80/443 for
example because you do expect the world to visit a public web site and the web server
would log nothing as none of those connections ever get established far enough for user
space to see them.
Yep.
Kind regards,
James.
--
Wealth doesn't bring happiness, but poverty brings sadness.
Sent from Debian with Claws Mail, using email subaddressing as an alternative to
error-prone heuristical spam filtering.
51
days inactive
53
days old
5 comments
2 participants
participants (2)
-
Andy Smith -
James R. Haigh (+BitFolk subaddress)