
Re: bizarre connection list to tor's DirPort



Sounds strange.

If it were my connection, I would fire up a network sniffer and see what's in those requests.
If it continues and you don't feel comfortable with it, filter out that IP on your firewall.

If you do see something unusual in those requests, could you be so kind as to post a dump file (pcap format) of the traffic (filtered by that IP, of course) so the rest of us can take a look? :)



On 8/31/07, Scott Bennett <bennett@xxxxxxxxxx> wrote:
     Using netstat or lsof, there are sometimes over 50 ESTABLISHED connections
to my tor server's DirPort from a single IP source address, which resolves to

         ignfwdnoi-nat.asia.csc.com

Each such connection is usually displayed by netstat to have at least 32500
bytes in the send queue.
     I've checked the current cached-routers and cached-routers.new files and
have found no sign of either ignfwdnoi-nat.asia.csc.com or its IP address
(20.139.66.64) in either file, so it doesn't appear to be a valid exit server,
from which directory fetch requests might be appearing.
     Does anyone have an idea what might be going on?  I.e., is it something
legitimate?  Or should I treat it as an attack of some sort and respond by
blocking packets from that system at my router?


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
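
The check described in this thread (many ESTABLISHED connections to the DirPort from one source, each with a large send queue) can be automated. The following is an added example, not part of the original messages: the DirPort number 9030, the local address 192.0.2.10 and the sample `netstat -an` lines are constructed assumptions, while the thresholds of 50 connections and 32500 bytes are the figures quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -an` output, mixing Linux (host:port) and
# BSD (host.port) address styles. Local address and DirPort 9030 are assumptions.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address       Foreign Address      State
tcp        0  32768 192.0.2.10:9030     20.139.66.64:40001   ESTABLISHED
tcp        0  32500 192.0.2.10:9030     20.139.66.64:40002   ESTABLISHED
tcp4       0  33304 192.0.2.10.9030     20.139.66.64.40003   ESTABLISHED
tcp        0      0 192.0.2.10:9030     198.51.100.7:51515   ESTABLISHED
tcp        0  32500 192.0.2.10:9001     20.139.66.64:40004   ESTABLISHED
tcp        0      0 192.0.2.10:9030     20.139.66.64:40005   TIME_WAIT
tcp        0      0 0.0.0.0:9030        0.0.0.0:*            LISTEN
"""

# Greedy host part, so the port is whatever follows the last '.' or ':'.
ENDPOINT = re.compile(r"^(.*)[.:]([0-9*]+)$")

def dirport_clients(netstat_text, dirport=9030):
    """Map remote IP -> list of send-queue sizes for ESTABLISHED DirPort connections."""
    clients = defaultdict(list)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue  # headers, non-TCP sockets, LISTEN, TIME_WAIT, ...
        local, remote = ENDPOINT.match(f[3]), ENDPOINT.match(f[4])
        if not local or not remote or local.group(2) != str(dirport):
            continue  # connection is not to the DirPort
        clients[remote.group(1)].append(int(f[2]))  # f[2] is Send-Q
    return dict(clients)

def flag_heavy(clients, min_conns=50, min_sendq=32500):
    """Return {ip: (connection count, count with Send-Q >= min_sendq)} for busy sources."""
    return {ip: (len(q), sum(s >= min_sendq for s in q))
            for ip, q in clients.items() if len(q) >= min_conns}

if __name__ == "__main__":
    # Threshold lowered to 3 only because the constructed sample is small.
    for ip, (conns, stalled) in flag_heavy(dirport_clients(SAMPLE), min_conns=3).items():
        print(f"{ip}: {conns} DirPort connections, {stalled} with a full send queue")
```

On a live relay, feed the function the text of `netstat -an` instead of `SAMPLE` and keep the default thresholds.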