
Re: [tor-talk] I don't understand two things about the node 'freja'.



On Thu, Jul 02, 2020 at 10:12:19AM -0000, sean_sullivan@xxxxxxxxxxxxx wrote:
> The only reason I'm interested in "freja" is because I saw its IP was the
> last login to one of my accounts. I checked the IP with WHOIS and got
> concerned. Then I checked "torstatus" and was relieved that it was a Tor
> node. Then I got confused because it wasn't an exit node.

Actually, its exit policy does allow some outgoing ports:
https://metrics.torproject.org/rs.html#details/2096BCFEBB95A1134F39FCF8CEB076FF41A2B48B

So, it is missing the Exit flag, because its exit policy doesn't include
both ports 80 and 443.

I guess the follow-up question would be: when you say "one of my
accounts", perhaps this is an account that is reachable on a port
other than 80 and 443? For example, an irc account?

(When a relay is missing the Exit flag, Tor clients (a) won't use it when
preemptively making circuits, before new connections come in, because
it's too likely that the new connection will be for a destination that
the relay can't handle, and (b) won't apply the load balancing weights
that make them avoid using exit relays in non-exit positions in the
circuit. But if a connection request comes in when there aren't any
preemptive circuits already built, then the client will pick among
any relays whose exit policies allow that destination. So yes, it is
possible to use relays for exiting even when they don't have the Exit
flag, but they will get used less often.)

> My point is that the IP of "freja" was the last login. So, unless there's
> a scenario I haven't thought of, surely it must at some point on Tuesday
> have been an exit node? Is there a way to check this?

Exonerator is the right tool for asking historical questions like this:
https://metrics.torproject.org/exonerator.html?ip=194.88.143.66&timestamp=2020-06-30&lang=en

and it looks like the Exonerator folks have opted to say "yes" on whether
it counted as an exit relay, probably because its exit policy allowed
some connections, even if it didn't allow enough that it qualified for
the Exit flag.

All of this said, there is another possible explanation for your
scenario, though I don't think it happened here: sometimes relays exit
from a different IP address than they advertise in their descriptor. And
sometimes if there are several relays run by one person or organization,
one of the exit addresses overlaps with another relay. So it is possible
to receive a connection from the Tor side from an address that is a
non-exit relay, if there is an exit relay running nearby to it. But I
don't think that happened here.

Hope this helps,
--Roger

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
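
Added example, not part of the original message and not Tor's own code: a small checker showing how a relay can lack the Exit flag yet still be a valid source for a connection to a given service port. It assumes a port-only policy summary of the form `accept <ports>` or `reject <ports>` and applies the Exit-flag rule as stated in the message (both 80 and 443 allowed); the function names and sample policies are constructed for illustration.

```python
# Added example (not Tor source code). Policies below are constructed samples.

def parse_port_summary(summary):
    """Parse 'accept 22,6660-6667' or 'reject 25,80' into (is_accept, ranges)."""
    keyword, _, port_list = summary.strip().partition(" ")
    if keyword not in ("accept", "reject") or not port_list:
        raise ValueError(f"bad policy summary: {summary!r}")
    ranges = []
    for item in port_list.split(","):
        low, _, high = item.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((low, high))
    return keyword == "accept", ranges


def allows_port(summary, port):
    """True if the summarized policy permits exiting to this destination port."""
    is_accept, ranges = parse_port_summary(summary)
    listed = any(low <= port <= high for low, high in ranges)
    return listed if is_accept else not listed


def qualifies_for_exit_flag(summary):
    """Rule as stated in the message: policy must include both 80 and 443."""
    return allows_port(summary, 80) and allows_port(summary, 443)


def explain(summary, service_port):
    """Classify a relay as a possible source for a login on service_port."""
    if not allows_port(summary, service_port):
        return "cannot exit to this port"
    if qualifies_for_exit_flag(summary):
        return "flagged exit, can exit to this port"
    return "no Exit flag, but can still exit to this port"


# Constructed policies (not the real policy of any relay named in the thread).
IRC_ONLY = "accept 22,6660-6667,6697"
WEB_EXIT = "reject 25,119,135-139,445"

if __name__ == "__main__":
    for name, policy in (("IRC_ONLY", IRC_ONLY), ("WEB_EXIT", WEB_EXIT)):
        for port in (443, 6667):
            print(name, port, explain(policy, port))
```

When reviewing a login source IP, the check to run is against the port your service listens on, not against the relay's flags alone.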