[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #12402 [meek]: Meek bundle occasionally makes direct contact to Tor node.



#12402: Meek bundle occasionally makes direct contact to Tor node.
-----------------------------+-------------------------------
     Reporter:  cypherpunks  |      Owner:  dcf
         Type:  defect       |     Status:  needs_information
     Priority:  major        |  Milestone:
    Component:  meek         |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-------------------------------
Changes (by dcf):

 * status:  new => needs_information
 * version:  Tor: unspecified =>


Comment:

 I'm not able to reproduce this. I've had the 3.6.2-meek-1 bundle running
 in a Debian 7 amd64 VM, capturing all traffic as:
 {{{
 kvm -hda meek-leak.qcow2 -net user -net nic -net dump,file=meek-leak.pcap
 }}}
 I ran [http://www.bro.org/ Bro] over the pcap file to find all the
 addresses contacted:
 {{{
 bro -r ../meek-leak.pcap
 cat conn.log | bro-cut id.resp_h | sort | uniq
 }}}
 Here are all the addresses contacted. Some are just Debian background
 noise.
 {{{
 Debian background noise:
 10.0.2.15       QEMU IP
 10.0.2.2        QEMU gateway
 10.0.2.255      QEMU broadcast
 10.0.2.3        QEMU DNS server
 149.20.20.135   mirrors1.kernel.org
 224.0.0.251     mDNS
 255.255.255.255 broadcast
 ff02::16        IPv6 multicast
 ff02::1:ff12:3456       IPv6 multicast
 ff02::2         IPv6 multicast
 ff02::fb        IPv6 multicast

 Connections resulting from the meek bundle:
 199.7.51.72     ocsp.mia1.verisign.com (OCSP server)
 199.7.52.72     ocsp.lax2.verisign.com (OCSP server)
 199.7.54.72     ocsp.sfo1.verisign.com (OCSP server)
 206.111.16.22   206.111.16.22.ptr.us.xo.net (www.google.com)
 206.111.16.27   206.111.16.27.ptr.us.xo.net (www.google.com)
 206.111.16.53   206.111.16.53.ptr.us.xo.net (www.google.com)
 74.125.239.110  nuq05s01-in-f14.1e100.net (www.google.com)
 74.125.239.112  nuq05s01-in-f16.1e100.net (www.google.com)
 74.125.239.114  nuq05s01-in-f18.1e100.net (www.google.com)
 74.125.239.115  nuq05s01-in-f19.1e100.net (www.google.com)
 74.125.239.132  nuq05s02-in-f4.1e100.net (www.google.com)
 74.125.239.137  nuq05s02-in-f9.1e100.net (www.google.com)
 74.125.239.144  nuq05s02-in-f16.1e100.net (www.google.com)
 74.125.239.146  nuq05s02-in-f18.1e100.net (www.google.com)
 74.125.239.147  nuq05s02-in-f19.1e100.net (www.google.com)
 74.125.239.148  nuq05s02-in-f20.1e100.net (www.google.com)
 }}}

 And here are all the DNS queries made:
 {{{
 cat dns.log | bro-cut query qtype_name rcode_name | sort | uniq
 15.2.0.10.in-addr.arpa  *       NOERROR
 cdn.debian.net  AAAA    NOERROR
 cdn.debian.net  A       NOERROR
 clients1.google.com     AAAA    NOERROR
 clients1.google.com     A       NOERROR
 debian.local    *       NOERROR
 debian._udisks-ssh._tcp.local   *       NOERROR
 gtglobal-ocsp.geotrust.com      AAAA    NOERROR
 gtglobal-ocsp.geotrust.com      A       NOERROR
 local   SOA     NXDOMAIN
 _sane-port._tcp.local   PTR     -
 www.google.com  AAAA    NOERROR
 www.google.com  A       NOERROR
 }}}

 Do you remember what was the nature of the packet received from
 5.135.59.74? What port was it on? Do you remember what the data payload
 was?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12402#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs