Opened 13 years ago

Last modified 7 years ago

#304 closed defect (Not a bug)

Circuits being hijacked?

Reported by: anm_3418
Owned by:
Priority: Low
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords:
Cc: anm_3418
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

For all I know, this condition may be normal, but it seems odd to me and causes
me to wonder if some routers have been compromised or if circuits are being
hijacked.

First, I noticed that the Tor Detector sometimes reported that I was connecting
from aala.MyLittleCorner.org (not sure if I remember the caps right), IP
149.9.0.25 -- which the detector said was _not_ a valid Tor router. To add to
the mystery, that router was supposedly configured as a middle-man only (reject
*:*) in the cached-routers file.

Alarmed, I added the fingerprint for that router to the ExcludeNodes in my torrc
file, cleared all the cache and state files, closed Tor, and re-started.
Surprise, that router was still sometimes being reported as my exit node by the
Tor Detector and IRC servers. IRC connections were extremely hard to come by
and short-lived.

The Tor Detector page mentioned the possibility of a "multi-homed" router.
Unable to find that term in the documentation, I decided to search the cache
files for similar IP addresses. I found a total of five routers for IP
149.9.*.* -- all of them running FreeBSD i386 and Tor 0.1.0.16:

router mauger 149.9.137.153 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386

router donk3ypunch 149.9.25.222 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386

router TheGreatSantini 149.9.92.194 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386

router aala 149.9.0.25 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386

router paxprivoso 149.9.205.73 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386

I put *all* their fingerprints in the ExcludeNodes setting, and since then I
have not noticed the anomaly with Tor Detector, nor the unusual IRC behavior.

I was using Tor 0.1.1.21 when I noticed the phenomenon. It also occurred when I
experimented with 0.1.1.20 and 0.1.0.17.

Is this a problem or expected behavior?

[Automatically added by flyspray2trac: Operating System: All]
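The search the reporter describes above (grepping the cached-routers file for relays in the same address block and checking whether they share a platform string) can be automated. The script below is an added example for this ticket, not code from the reporter or from the Tor project. The sample input is constructed from the five descriptor lines quoted in the description plus one unrelated relay added for contrast; the /16 prefix, the minimum cluster size, and the emitted `ExcludeNodes` line (address patterns are accepted by current tor, not the 0.1.x versions in the ticket) are choices made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of Tor's old cached-routers file: the five
# descriptors quoted in the ticket, plus one unrelated relay (constructed) so
# the clustering has something to leave out.
SAMPLE_CACHED_ROUTERS = """\
router mauger 149.9.137.153 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
router donk3ypunch 149.9.25.222 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
router TheGreatSantini 149.9.92.194 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
router aala 149.9.0.25 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
router paxprivoso 149.9.205.73 9001 0 9030
platform Tor 0.1.0.16 on FreeBSD i386
router unrelatedrelay 203.0.113.7 9001 0 9030
platform Tor 0.1.0.17 on Linux i686
"""


def parse_routers(text):
    """Return a list of {nickname, address, platform} dicts, one per descriptor.

    A descriptor starts at a 'router <nick> <ip> <orport> <socksport> <dirport>'
    line; the following 'platform ...' line is attached to that descriptor.
    Other descriptor lines are ignored for this check.
    """
    routers = []
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "router" and len(parts) >= 3:
            current = {"nickname": parts[1], "address": parts[2], "platform": ""}
            routers.append(current)
        elif parts[0] == "platform" and current is not None:
            current["platform"] = line[len("platform"):].strip()
    return routers


def cluster_by_network(routers, prefixlen=16):
    """Group relays by the network block their advertised address falls in."""
    groups = defaultdict(list)
    for router in routers:
        net = ipaddress.ip_network(f"{router['address']}/{prefixlen}", strict=False)
        groups[net].append(router)
    return groups


def suspicious_clusters(routers, prefixlen=16, min_size=3):
    """Return (network, sorted nicknames) for blocks hosting at least min_size
    relays that all report the identical platform string, which is the pattern
    the ticket describes."""
    found = []
    for net, members in cluster_by_network(routers, prefixlen).items():
        platforms = {m["platform"] for m in members}
        if len(members) >= min_size and len(platforms) == 1:
            found.append((net, sorted(m["nickname"] for m in members)))
    return sorted(found, key=lambda item: str(item[0]))


def exclude_nodes_line(clusters):
    """Build a torrc ExcludeNodes line from the flagged blocks as address patterns.

    Current tor accepts address patterns here; the 0.1.x releases in the ticket
    needed nicknames or fingerprints instead (assumption for this example).
    """
    return "ExcludeNodes " + ",".join(str(net) for net, _ in clusters)


if __name__ == "__main__":
    clusters = suspicious_clusters(parse_routers(SAMPLE_CACHED_ROUTERS))
    for net, nicknames in clusters:
        print(f"{net}: {', '.join(nicknames)}")
    print(exclude_nodes_line(clusters))
```

Run against the sample, the only flagged block is 149.9.0.0/16 with the five relays from the ticket; the Linux relay in 203.0.113.0/24 is alone in its block and is not reported. Flagging is a prompt for a closer look, not proof of a single operator: hosting providers legitimately place many unrelated relays in one /16.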


Change History (3)

comment:1 Changed 13 years ago by arma

This is not a Tor bug.

The Tor nodes in question advertise (receive connections at) one IP address, and then
make their outbound connections via a different IP address.

It is a mild problem in that we don't know who is running these five servers, and it's
pretty obviously the same person, but I haven't done anything about that.

comment:2 Changed 13 years ago by arma

flyspray2trac: bug closed.

comment:3 Changed 7 years ago by nickm

Component: Tor Client → Tor