4 server rebooted, thank you very much. markus
> On 9 Dec 2016, at 06:31, Ivan Markin <t...@riseup.net> wrote:
>
> Hi tor-relays@,
>
> Getting back with more results on this.
> I've implemented a CVE-2016-5696 scanner in Go [1] and scanned the Tor network several times [2].
> The first results I got using a technique similar to David's (sending 500 RSTs in one burst); the second ones I got via another method (send 111 RSTs in a burst and then 111 RSTs 1 second later*).
>
> Current statistics:
> 32% of Linux relays are vulnerable. That is 23% of the Tor network.
>
> --
>
> Now some magic! Those 3 NetBSD relays from before still behave like they are vulnerable Linuxes (as they did in David's scanner, and two of mine):
>
> $ cat grill-tor-2016-12-09 | grep -v Linux | grep vulnerable
> 78.47.45.36:9001,3F5440FF003DFF8A12AA308CFD4087FBC157ABE0,Tor 0.2.8.9 on NetBSD,200,1.847787ms,1.834238ms,vulnerable
> 86.62.117.171:63500,508004552343E5374B6570C76E9239AA23310684,Tor 0.2.5.10 on NetBSD,200,1.999138ms,1.839057ms,vulnerable
> 139.18.25.35:9001,8806C3E6FA42B07113F3A1553DE70C0A30101201,Tor 0.2.8.9 on NetBSD,200,3.936046ms,3.777501ms,vulnerable
>
> Yes, nmap -O reports them to be NetBSD hosts.
>
> Actually I don't know what's going on here. Thoughts:
> * relays are behind vulnerable Linux middleboxes
> * RFC 5961 got implemented partly in NetBSD and it is actually vulnerable
> * ???
>
> Okay then. I've brought up a NetBSD 7.0.2 VM and scanned it locally. 0 challenge ACKs. Fine. I've put it under vulnerable Linux DNAT and it was 'kinda' vulnerable (some small random amount of ChACKs). Probably I did something wrong here.
> I headed out and scanned netbsd.org (self-hosted?) and it's vulnerable also.
>
> I've lurked through NetBSD's src code and found some bits of RFC 5961. But I was unable to see anything offensive.
>
> If someone has some insight on this dark magic, that would be awesome!
>
> ---
>
> Thanks for bringing up the diversity issue in light of this CVE, Alex!
> Just to make everyone feel sad today:
>
> $ cat grill-tor-2016-12-09 | grep -v offline | grep Linux | wc -l
> 6435
> $ cat grill-tor-2016-12-09 | grep -v offline | grep -v Linux | wc -l
> 550
>
> Sadly, Linuxes are typical ~2σ of the network. ;(
> Please run more different (e.g. BSD) relays!
>
> [*] I think it should be more accurate.
> [1] https://github.com/nogoegst/grill
> [2] https://gist.github.com/nogoegst/d2de330b794b47158b4cfbed0987b4de
>
> --
> Happy life without suffering,
> Ivan Markin
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
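An added example, not from this thread or from the grill scanner, that does the bookkeeping Ivan's greps do by hand: it parses rows in the CSV layout quoted above, gives per-OS scanned/vulnerable counts and the network-wide vulnerable share, and flags the rows that deserve a second look (marked vulnerable but not running Linux, like the three NetBSD relays). The column meanings, the "ok" status label and the sample rows are assumptions and constructed data.

```python
# Added example (not from the thread or the grill project): aggregate scan rows in
# the CSV layout quoted above. Column meaning is assumed from those quoted lines:
# address,fingerprint,platform,count,rtt1,rtt2,status
import re
from collections import defaultdict

# Constructed sample rows; addresses, fingerprints and the "ok" label are placeholders.
SAMPLE = """\
10.0.0.1:9001,AAAA000000000000000000000000000000000001,Tor 0.2.8.9 on Linux,200,1.1ms,1.0ms,vulnerable
10.0.0.2:443,AAAA000000000000000000000000000000000002,Tor 0.2.9.5-alpha on Linux,0,1.2ms,1.3ms,ok
10.0.0.3:9001,AAAA000000000000000000000000000000000003,Tor 0.2.8.9 on NetBSD,200,3.9ms,3.7ms,vulnerable
10.0.0.4:9001,AAAA000000000000000000000000000000000004,Tor 0.2.8.9 on FreeBSD,0,2.0ms,2.1ms,ok
10.0.0.5:9001,AAAA000000000000000000000000000000000005,Tor 0.2.8.9 on Linux,,,,offline
"""
OS_RE = re.compile(r"\bon\s+(\S+)$")  # platform string ends with "on <OS>"

def parse_line(line):
    """Return (address, os, status) for one row, or None if it is malformed."""
    fields = line.strip().split(",")
    if len(fields) < 7:
        return None
    m = OS_RE.search(fields[2])
    return fields[0], (m.group(1) if m else "unknown"), fields[-1]

def summarize(text):
    """Per-OS (scanned, vulnerable) counts, network-wide vulnerable share, and
    the rows worth a second look: marked vulnerable but not running Linux."""
    by_os = defaultdict(lambda: [0, 0])
    anomalies, offline = [], 0
    for line in text.splitlines():
        row = parse_line(line)
        if row is None:
            continue
        address, os_name, status = row
        if status == "offline":  # offline relays are excluded, as in the quoted greps
            offline += 1
            continue
        by_os[os_name][0] += 1
        if status == "vulnerable":
            by_os[os_name][1] += 1
            if os_name != "Linux":
                anomalies.append(address)
    scanned = sum(v[0] for v in by_os.values())
    vulnerable = sum(v[1] for v in by_os.values())
    return {"by_os": {k: tuple(v) for k, v in by_os.items()}, "offline": offline,
            "vulnerable_share": vulnerable / scanned if scanned else 0.0,
            "anomalies": anomalies}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a real grill output file instead of SAMPLE, the "anomalies" list is the same set the `grep -v Linux | grep vulnerable` pipeline above prints.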