diff --git a/changes/bug13667 b/changes/bug13667 new file mode 100644 index 0000000000..3714753df4 --- /dev/null +++ b/changes/bug13667 @@ -0,0 +1,5 @@ + o Major bugfixes: + - Make HS port scanning more difficult by sending back REASON_DONE if the + exit policy didn't match. Furthermore, immediately close the circuit to + avoid other connection attempts on it from the possible attacker trying + multiple ports on that same circuit. diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 6c872852b3..a691239b6e 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -2613,12 +2613,23 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) if (rend_service_set_connection_addr_port(n_stream, origin_circ) < 0) { log_info(LD_REND,"Didn't find rendezvous service (port %d)", n_stream->base_.port); + /* Send back reason DONE because we want to make hidden service port + * scanning harder thus instead of returning that the exit policy + * didn't match, which makes it obvious that the port is closed, + * return DONE and kill the circuit. That way, a user (malicious or + * not) needs one circuit per bad port unless it matches the policy of + * the hidden service. */ relay_send_end_cell_from_edge(rh.stream_id, circ, - END_STREAM_REASON_EXITPOLICY, + END_STREAM_REASON_DONE, origin_circ->cpath->prev); connection_free(TO_CONN(n_stream)); tor_free(address); - return 0; + + /* Drop the circuit here since it might be someone deliberately + * scanning the hidden service ports. Note that this mitigates port + * scanning by adding more work on the attacker side to successfully + * scan but does not fully solve it. */ + return END_CIRC_AT_ORIGIN; } assert_circuit_ok(circ); log_debug(LD_REND,"Finished assigning addr/port");