Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12808 closed defect (fixed)

RELAY_EARLY warning for the record

Reported by: torland
Owned by:
Priority: Medium
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords:
Cc: phw
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Just for the record. One of my relays reported:

Aug 01 20:36:25.000 [warn] Received an inbound RELAY_EARLY cell on circuit 42515. Closing circuit. Please report this event, along with the following message.
Aug 01 20:36:25.000 [warn] upstream=213.246.53.127:8001

Change History (7)

comment:1 Changed 5 years ago by arma

Cc: phw added
Resolution: fixed
Status: new → closed

Yep! This relay, along with ordb2 and ordb3, is running the "node-Tor" JavaScript implementation (not ours). They had a bug where they wrapped extended cells in relay_early cells heading client-ward on the circuit. They've fixed the bug I believe, as of August 4.

comment:2 Changed 5 years ago by gntnbn

Just for another record.
[warn] Received an inbound RELAY_EARLY cell on circuit 2147491368. Closing circuit. Please report this event, along with the following message.
[warn] upstream=85.159.214.57:9003

comment:3 Changed 5 years ago by s7r

I get this on 3 of my fst guards:

Sep 18 12:00:33.000 [warn] Received an inbound RELAY_EARLY cell on circuit 2147495598. Closing circuit. Please report this event, along with the following message.
Sep 18 12:00:33.000 [warn] upstream=85.159.214.57:9003
Sep 18 12:34:14.000 [warn] Received an inbound RELAY_EARLY cell on circuit 2147485893. Closing circuit. Please report this event, along with the following message.
Sep 18 12:34:14.000 [warn] upstream=85.159.214.57:9003
Sep 18 13:16:38.000 [warn] Received an inbound RELAY_EARLY cell on circuit 2147484600. Closing circuit. Please report this event, along with the following message.
Sep 18 13:16:38.000 [warn] upstream=85.159.214.57:9003

==

Sep 18 15:36:40.000 [warn] Received an inbound RELAY_EARLY cell on circuit 2147503853. Closing circuit. Please report this event, along with the following message.
Sep 18 15:36:40.000 [warn] upstream=85.159.214.57:9003

comment:4 Changed 5 years ago by torland

Do we have a good explanation for what is happening on 85.159.214.57? According to Atlas it showed up recently.

06:05:22 [WARN] Received an inbound RELAY_EARLY cell on circuit 2147487849. Closing circuit. Please report this event, along with the following message.
06:05:22 [WARN] upstream=85.159.214.57:9003
09:56:53 [WARN] Received an inbound RELAY_EARLY cell on circuit 2147487553. Closing circuit. Please report this event, along with the following message.
09:56:53 [WARN] upstream=85.159.214.57:9003
12:01:17 [WARN] Received an inbound RELAY_EARLY cell on circuit 2147490118. Closing circuit. Please report this event, along with the following message.
12:01:17 [WARN] upstream=85.159.214.57:9003
13:00:04 [WARN] Received an inbound RELAY_EARLY cell on circuit 2147488928. Closing circuit. Please report this event, along with the following message.
13:00:04 [WARN] upstream=85.159.214.57:9003

comment:5 Changed 5 years ago by arma

router mjolnirexit01 85.159.214.57 9001 0 0
[...]
router exitearly01 85.159.214.57 9003 0 0

It's pretty clear this is somebody trying to reproduce the CERT attack.

Bonus points for using a relay nickname out of the NSA intern document.

comment:6 Changed 5 years ago by arma

We have cut these relays out of the network.
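
For operators triaging the same warning, the following is an added example (not part of the ticket and not Tor's own code) that pairs each inbound RELAY_EARLY warning with its `upstream=` line and counts events per upstream relay. The sample lines are copied from the log excerpts in this ticket; the function names are this example's own.

```python
import re
from collections import Counter

# First line of the two-line warning. Works with a syslog-style timestamp,
# a bare HH:MM:SS timestamp, or none, and with "[warn]" or "[WARN]".
EVENT_RE = re.compile(
    r"\[warn\] Received an inbound RELAY_EARLY cell on circuit (\d+)\.", re.I)
# Second line: the address and port of the upstream relay.
UPSTREAM_RE = re.compile(r"\[warn\] upstream=(\S+)", re.I)

def parse_relay_early(lines):
    """Return (circuit_id, upstream) pairs; upstream is None if the
    follow-up line is missing, e.g. in a truncated or rotated log."""
    events, pending = [], None
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            if pending is not None:          # previous event had no upstream
                events.append((pending, None))
            pending = int(m.group(1))
            continue
        m = UPSTREAM_RE.search(line)
        if m and pending is not None:
            events.append((pending, m.group(1)))
            pending = None
    if pending is not None:
        events.append((pending, None))
    return events

def count_by_upstream(events):
    """Count warnings per upstream so a repeat offender stands out."""
    return Counter(upstream for _, upstream in events)

# Sample input: lines taken from the excerpts posted in this ticket.
SAMPLE = """\
Aug 01 20:36:25.000 [warn] Received an inbound RELAY_EARLY cell on circuit 42515. Closing circuit. Please report this event, along with the following message.
Aug 01 20:36:25.000 [warn] upstream=213.246.53.127:8001
[warn] Received an inbound RELAY_EARLY cell on circuit 2147491368. Closing circuit. Please report this event, along with the following message.
[warn] upstream=85.159.214.57:9003
Sep 18 12:00:33.000 [warn] Received an inbound RELAY_EARLY cell on circuit 2147495598. Closing circuit. Please report this event, along with the following message.
Sep 18 12:00:33.000 [warn] upstream=85.159.214.57:9003
06:05:22 [WARN] Received an inbound RELAY_EARLY cell on circuit 2147487849. Closing circuit. Please report this event, along with the following message.
06:05:22 [WARN] upstream=85.159.214.57:9003
""".splitlines()

if __name__ == "__main__":
    for upstream, n in count_by_upstream(parse_relay_early(SAMPLE)).most_common():
        print(n, upstream)
```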
