Mitigating IP spoofing against Tor(blog.torproject.org)
blog.torproject.org
Mitigating IP spoofing against Tor
https://blog.torproject.org/defending-tor-mitigating-IP-spoofing/
6 comments
I'm curious how they were able to locate the origin of the spoofed packets (?)
The basic idea is:
a) find a cooperative receiver of the spoofed packets
b) log/mirror packets on inbound packets at their border routers to determine which peer the packets are coming from
c) ask that peer to do the same thing etc.
You can speed things up if the destination address of the spoofed packets is in a /24 that you can afford to do disruptive experiments with; and you have a wide network with extensive peering. In that case, advertise that /24 at all your locations and to all your peers. When you get traffic, if it's from a single source, you may only need to work with one peer to find the true origin.
a) find a cooperative receiver of the spoofed packets
b) log/mirror packets on inbound packets at their border routers to determine which peer the packets are coming from
c) ask that peer to do the same thing etc.
You can speed things up if the destination address of the spoofed packets is in a /24 that you can afford to do disruptive experiments with; and you have a wide network with extensive peering. In that case, advertise that /24 at all your locations and to all your peers. When you get traffic, if it's from a single source, you may only need to work with one peer to find the true origin.
[deleted]
The article here is basically PR from the Tor project. I suspect most reader here would find this relatively high-level technical analysis of the attack more interesting:
https://delroth.net/posts/spoofed-mass-scan-abuse/
https://delroth.net/posts/spoofed-mass-scan-abuse/
Discussed on HN when it came out.
https://news.ycombinator.com/item?id=41982698
https://news.ycombinator.com/item?id=41982698
This analysis is discussed and linked in the article.