exit: Deny re-entry into the network (632688c7) · Commits · The Tor Project / Core / Tor

changes/ticket2667

0 → 100644

+4 −0

Original line number	Diff line number	Diff line
		o Major feature (exit):
		- Re-entry into the network is now denied at the Exit level to all relays'
		ORPort and authorities' ORPort+DirPort. This is to help mitigate a series
		of attacks. See ticket for more information. Closes ticket 2667.

+24 −0

Original line number	Diff line number	Diff line
		@@ -4263,6 +4263,30 @@ connection_exit_connect(edge_connection_t *edge_conn)
		return;
		}

		/* Next, check for attempts to connect back into the Tor network. We don't
		* want to allow these for the same reason we don't want to allow
		* infinite-length circuits (see "A Practical Congestion Attack on Tor Using
		* Long Paths", Usenix Security 2009). See also ticket 2667.
		*
		* The TORPROTOCOL reason is used instead of EXITPOLICY so client do NOT
		* attempt to retry connecting onto another circuit that will also fail
		* bringing considerable more load on the network if so.
		*
		* Since the address+port set here is a bloomfilter, in very rare cases, the
		* check will create a false positive meaning that the destination could
		* actually be legit and thus being denied exit. However, sending back a
		* reason that makes the client retry results in much worst consequences in
		* case of an attack so this is a small price to pay. */
		if (!connection_edge_is_rendezvous_stream(edge_conn) &&
		nodelist_reentry_probably_contains(&conn->addr, conn->port)) {
		log_info(LD_EXIT, "%s tried to connect back to a known relay address. "
		"Closing.", connection_describe(conn));
		connection_edge_end(edge_conn, END_STREAM_REASON_TORPROTOCOL);
		circuit_detach_stream(circuit_get_by_edge_conn(edge_conn), edge_conn);
		connection_free(conn);
		return;
		}

		#ifdef HAVE_SYS_UN_H
		if (conn->socket_family != AF_UNIX) {
		#else