| commit | 88901c39673aade6eecbf0b5a11a0b5c9acfd9f7 | |
| author | David Goulet <dgoulet@ev0ke.net> | |
| Tue, 25 Nov 2014 15:37:55 +0000 (25 10:37 -0500) | ||
| committer | David Goulet <dgoulet@ev0ke.net> | |
| Mon, 29 Dec 2014 21:29:09 +0000 (29 16:29 -0500) | ||
| tree | 4854e1b9e9dde73ca6030ab10daa112ed4c7c30a | treesnapshot (tar.gz zip) |
| parent | 184a2dbbdd27f958f5ac290fe030d1fac2959157 | commitdiff |
Fix: mitigate as much as we can HS port scanning
Make hidden service port scanning harder by sending back REASON_DONE which
does not disclose that it was in fact an exit policy issue. After that, kill
the circuit immediately to avoid more bad requests on it.
This means that everytime an hidden service exit policy does match, the user
(malicious or not) needs to build a new circuit.
Fixes #13667.
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
Make hidden service port scanning harder by sending back REASON_DONE which
does not disclose that it was in fact an exit policy issue. After that, kill
the circuit immediately to avoid more bad requests on it.
This means that everytime an hidden service exit policy does match, the user
(malicious or not) needs to build a new circuit.
Fixes #13667.
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
| changes/bug13667 | [new file with mode: 0644] | blob |
| src/or/connection_edge.c | diffblobblamehistory |