Opened 14 years ago

Last modified 8 years ago

#304 closed defect (Not a bug)

Circuits being hijacked?

Reported by: anm_3418
Owned by:
Priority: Low
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords:
Cc: anm_3418
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


For all I know, this condition may be normal, but it seems odd to me and causes
me to wonder if some routers have been compromised or if circuits are being

First, I noticed that the Tor Detector sometimes reported that I was connecting
from (not sure if I remember the caps right), ip -- which the detector said was _not_ a valid Tor router. To add to
the mystery, that router was supposedly configured as a middle-man only (reject
*:*) in the cached-routers file.

Alarmed, I added the fingerprint for that router to the ExcludeNodes in my torrc
file, cleared all the cache and state files, closed Tor, and re-started.
Surprise, that router was still sometimes being reported as my exit node by the
Tor detector and IRC servers. IRC connections were extremely hard to come by
and short-lived.

The Tor Detector page mentioned the possibility of a "multi-homed" router.
Unable to find that term in the documentation, I decided to search the cache
files for similar IP addresses. I found a total of five routers for IP
149.9.*.* -- all of them running FreeBSD i386 and Tor

router mauger 9001 0 9030
platform Tor on FreeBSD i386

router donk3ypunch 9001 0 9030
platform Tor on FreeBSD i386

router TheGreatSantini 9001 0 9030
platform Tor on FreeBSD i38

router aala 9001 0 9030
platform Tor on FreeBSD i386

router paxprivoso 9001 0 9030
platform Tor on FreeBSD i386

I put *all* their fingerprints in the ExcludeNodes setting, and since then I
have not noticed the anomaly with Tor Detector, nor the unusual IRC behavior.

I was using Tor when I noticed the phenomenon. It also occurred when I
experimented with and

Is this a problem or expected behavior?

[Automatically added by flyspray2trac: Operating System: All]

Change History (3)

comment:1 Changed 14 years ago by arma

This is not a Tor bug.

The Tor nodes in question advertise (receive connections at) one IP address, and then
make their outbound connections via a different IP address.

It is a mild problem in that we don't know who is running these five servers, and it's
pretty obviously the same person, but I haven't done anything about that.
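
The manual search from the ticket description (grouping cached router entries that share the 149.9.*.* prefix) combined with the explanation in comment:1, as an added example that is not part of the original ticket or of Tor's code. It assumes descriptor lines laid out as `router <nickname> <address> <ORPort> <SOCKSPort> <DirPort>`; the function names are hypothetical, and the nicknames and addresses in the sample are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (made-up nicknames, private 10.x addresses), not real relays.
SAMPLE_DESCRIPTORS = """\
router relayA 10.20.1.5 9001 0 9030
platform Tor on FreeBSD i386
router relayB 10.20.7.9 9001 0 9030
platform Tor on FreeBSD i386
router relayC 10.20.200.3 9001 0 9030
platform Tor on FreeBSD i386
router relayD 10.99.4.4 9001 0 9030
platform Tor on Linux i686
router badline not-an-ip 9001 0 9030
"""

def parse_routers(text):
    """Return {nickname: advertised IPv4Address}, skipping malformed lines."""
    routers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "router":
            continue
        try:
            routers[fields[1]] = ipaddress.IPv4Address(fields[2])
        except ipaddress.AddressValueError:
            continue  # address field is not a valid IPv4 address
    return routers

def group_by_prefix(routers, prefix_len=16):
    """Group nicknames by network; /16 mirrors the 149.9.*.* match in the ticket."""
    groups = defaultdict(list)
    for nick, addr in routers.items():
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[net].append(nick)
    return {net: sorted(nicks) for net, nicks in groups.items()}

def explain_observed_ip(observed, routers, prefix_len=16):
    """Classify the address a destination reported as the apparent exit."""
    ip = ipaddress.IPv4Address(observed)
    exact = sorted(n for n, a in routers.items() if a == ip)
    if exact:
        return ("advertised", exact)
    # Not an advertised address: list relays in the same network, which is
    # what a relay sending outbound traffic from a second address looks like.
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    nearby = group_by_prefix(routers, prefix_len).get(net, [])
    return ("unlisted-same-network", nearby) if nearby else ("unknown", [])
```

An "unlisted-same-network" result only narrows the candidates to relays advertising addresses in that network; it does not identify which one carried the connection.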

comment:2 Changed 14 years ago by arma

flyspray2trac: bug closed.

comment:3 Changed 8 years ago by nickm

Component: Tor Client → Tor