Mitigating IP spoofing against Tor
(blog.torproject.org) 49 points by 0xggus 3 days ago | 6 comments
toast0 3 days ago | root | parent |
The basic idea is:
a) find a cooperative receiver of the spoofed packets
b) log/mirror packets on inbound packets at their border routers to determine which peer the packets are coming from
c) ask that peer to do the same thing etc.
You can speed things up if the destination address of the spoofed packets is in a /24 that you can afford to do disruptive experiments with; and you have a wide network with extensive peering. In that case, advertise that /24 at all your locations and to all your peers. When you get traffic, if it's from a single source, you may only need to work with one peer to find the true origin.
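Added example, not part of the thread and not code from the Tor Project: a sketch of step (b) combined with the anycast shortcut from the comment above. It groups inbound flow records by ingress site and peer, since the source addresses are spoofed and say nothing about origin. The record layout, the 90% dominance threshold, and all addresses and AS numbers (documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed border-router flow records for the experiment:
# (site, ingress_peer, claimed_src, dst, packets)
FLOWS = [
    ("ams", "AS64496", "198.51.100.7",   "192.0.2.10",   120),
    ("ams", "AS64497", "203.0.113.9",    "192.0.2.10",   9000),
    ("nyc", "AS64498", "198.51.100.7",   "192.0.2.77",   40),
    ("ams", "AS64497", "198.51.100.200", "192.0.2.10",   8500),
    ("nyc", "AS64498", "203.0.113.50",   "198.51.100.1", 99999),  # not the test /24
]

def ingress_breakdown(flows, prefix):
    """Count packets destined to `prefix`, keyed by (site, ingress peer).

    The claimed source address is deliberately ignored: it is forged, so the
    only trustworthy attribute is where the packet entered the network.
    """
    net = ipaddress.ip_network(prefix)
    per_peer = Counter()
    for site, peer, _claimed_src, dst, packets in flows:
        if ipaddress.ip_address(dst) in net:
            per_peer[(site, peer)] += packets
    return per_peer

def next_peer_to_ask(per_peer, dominance=0.9):
    """Pick the peer to contact for step (c).

    `dominance` is an assumed cutoff: if one ingress carries at least that
    share of the traffic, treat it as a single source and follow one peer.
    """
    total = sum(per_peer.values())
    if total == 0:
        return None  # nothing arrived for the advertised /24 yet
    (site, peer), packets = per_peer.most_common(1)[0]
    share = packets / total
    return {"site": site, "peer": peer, "share": share,
            "single_source": share >= dominance}

if __name__ == "__main__":
    breakdown = ingress_breakdown(FLOWS, "192.0.2.0/24")
    for (site, peer), packets in breakdown.most_common():
        print(f"{site:4} {peer:8} {packets}")
    print(next_peer_to_ask(breakdown))
```
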
ufmace 3 days ago | prev |
The article here is basically PR from the Tor project. I suspect most readers here would find this relatively high-level technical analysis of the attack more interesting:
elashri 3 days ago | root | parent | next |
Discussed on HN when it came out.
oomem 3 days ago | root | parent | prev |
This analysis is discussed and linked in the article.
gtech1 3 days ago | next |
I'm curious how they were able to locate the origin of the spoofed packets (?)