author    David Goulet <dgoulet@ev0ke.net>  2014-11-25 10:37:55 -0500
committer David Goulet <dgoulet@ev0ke.net>  2014-12-29 16:29:09 -0500
commit    88901c39673aade6eecbf0b5a11a0b5c9acfd9f7 (patch)
tree      4854e1b9e9dde73ca6030ab10daa112ed4c7c30a /changes
parent    184a2dbbdd27f958f5ac290fe030d1fac2959157 (diff)
Fix: mitigate as much as we can HS port scanning
Make hidden service port scanning harder by sending back REASON_DONE which does not disclose that it was in fact an exit policy issue. After that, kill the circuit immediately to avoid more bad requests on it. This means that every time a hidden service exit policy does match, the user (malicious or not) needs to build a new circuit.

Fixes #13667.

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
Diffstat (limited to 'changes')
-rw-r--r-- changes/bug13667 | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/changes/bug13667 b/changes/bug13667
new file mode 100644
index 0000000000..3714753df4
--- /dev/null
+++ b/changes/bug13667
@@ -0,0 +1,5 @@
+ o Major bugfixes:
+ - Make HS port scanning more difficult by sending back REASON_DONE if the
+ exit policy didn't match. Furthermore, immediately close the circuit to
+ avoid other connection attempts on it from the possible attacker trying
+ multiple ports on that same circuit.
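Review bot: the changes entry describes the behaviour but never names the ticket, while the commit message says "Fixes #13667"; the entry should end with the ticket reference so the changelog can be traced back to the bug, e.g. append "Fixes bug 13667." after "on that same circuit." Separately, the entry's condition ("if the exit policy didn't match") and the commit message's wording ("every time a hidden service exit policy does match") disagree on the polarity of the check; the entry is the one that matches the described behaviour (REASON_DONE and circuit teardown on a rejected port), so the commit message wording should be aligned with it before merge. Minor style point: "from the possible attacker trying multiple ports" reads awkwardly; "from an attacker probing multiple ports" is tighter.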