Re: [tor-bugs] #12402 [meek]: Meek bundle occasionally makes direct contact to Tor node.
#12402: Meek bundle occasionally makes direct contact to Tor node.
-----------------------------+-------------------------------
Reporter: cypherpunks | Owner: dcf
Type: defect | Status: needs_information
Priority: major | Milestone:
Component: meek | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------+-------------------------------
Changes (by dcf):
* status: new => needs_information
* version: Tor: unspecified =>
Comment:
I'm not able to reproduce this. I've had the 3.6.2-meek-1 bundle running
in a Debian 7 amd64 VM, capturing all traffic as:
{{{
kvm -hda meek-leak.qcow2 -net user -net nic -net dump,file=meek-leak.pcap
}}}
I ran [http://www.bro.org/ Bro] over the pcap file to find all the
addresses contacted:
{{{
bro -r ../meek-leak.pcap
cat conn.log | bro-cut id.resp_h | sort | uniq
}}}
Here are all the addresses contacted. Some are just Debian background
noise.
{{{
Debian background noise:
10.0.2.15 QEMU IP
10.0.2.2 QEMU gateway
10.0.2.255 QEMU broadcast
10.0.2.3 QEMU DNS server
149.20.20.135 mirrors1.kernel.org
224.0.0.251 mDNS
255.255.255.255 broadcast
ff02::16 IPv6 multicast
ff02::1:ff12:3456 IPv6 multicast
ff02::2 IPv6 multicast
ff02::fb IPv6 multicast
Connections resulting from the meek bundle:
199.7.51.72 ocsp.mia1.verisign.com (OCSP server)
199.7.52.72 ocsp.lax2.verisign.com (OCSP server)
199.7.54.72 ocsp.sfo1.verisign.com (OCSP server)
206.111.16.22 206.111.16.22.ptr.us.xo.net (www.google.com)
206.111.16.27 206.111.16.27.ptr.us.xo.net (www.google.com)
206.111.16.53 206.111.16.53.ptr.us.xo.net (www.google.com)
74.125.239.110 nuq05s01-in-f14.1e100.net (www.google.com)
74.125.239.112 nuq05s01-in-f16.1e100.net (www.google.com)
74.125.239.114 nuq05s01-in-f18.1e100.net (www.google.com)
74.125.239.115 nuq05s01-in-f19.1e100.net (www.google.com)
74.125.239.132 nuq05s02-in-f4.1e100.net (www.google.com)
74.125.239.137 nuq05s02-in-f9.1e100.net (www.google.com)
74.125.239.144 nuq05s02-in-f16.1e100.net (www.google.com)
74.125.239.146 nuq05s02-in-f18.1e100.net (www.google.com)
74.125.239.147 nuq05s02-in-f19.1e100.net (www.google.com)
74.125.239.148 nuq05s02-in-f20.1e100.net (www.google.com)
}}}
And here are all the DNS queries made:
{{{
cat dns.log | bro-cut query qtype_name rcode_name | sort | uniq
15.2.0.10.in-addr.arpa * NOERROR
cdn.debian.net AAAA NOERROR
cdn.debian.net A NOERROR
clients1.google.com AAAA NOERROR
clients1.google.com A NOERROR
debian.local * NOERROR
debian._udisks-ssh._tcp.local * NOERROR
gtglobal-ocsp.geotrust.com AAAA NOERROR
gtglobal-ocsp.geotrust.com A NOERROR
local SOA NXDOMAIN
_sane-port._tcp.local PTR -
www.google.com AAAA NOERROR
www.google.com A NOERROR
}}}
Do you remember what was the nature of the packet received from
5.135.59.74? What port was it on? Do you remember what the data payload
was?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12402#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
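The leak-hunting procedure in the comment above (run Bro over the pcap, `bro-cut` the responder column of `conn.log` and the query columns of `dns.log`, then sort the unique values into "Debian background noise" and "connections resulting from the meek bundle") can be turned into a repeatable check. The script below is an added example, not code from the ticket, from meek or from Bro/Zeek: it parses the tab-separated Bro/Zeek ASCII log format directly from the `#fields` header, reproduces the two `bro-cut | sort | uniq` pipelines, and bins every responder address as QEMU/multicast noise, an expected meek destination, or unexpected. The allowlist (`EXPECTED`) and both log samples are constructed for the example; the last `conn.log` row is hypothetical and only reuses the address the comment asks about, with an assumed port.

```python
"""Audit Bro/Zeek conn.log and dns.log output for unexpected destinations.

Added example, not part of the ticket or of meek. Re-implements
    cat conn.log | bro-cut id.resp_h | sort | uniq
    cat dns.log  | bro-cut query qtype_name rcode_name | sort | uniq
in Python and adds a classification pass so that anything outside the
expected set (QEMU noise, Google front, OCSP responders) stands out.
"""
import ipaddress

# Constructed conn.log sample with a trimmed #fields header (the parser
# reads whatever columns the header names, so a full Zeek log works too).
# The 5.135.59.74 row is hypothetical; port 9001 is an assumption.
CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1403280000.000000\tCAbc1\t10.0.2.15\t40001\t10.0.2.3\t53\tudp\tdns
1403280000.100000\tCAbc2\t10.0.2.15\t40002\t74.125.239.110\t443\ttcp\tssl
1403280000.200000\tCAbc3\t10.0.2.15\t40003\t199.7.51.72\t80\ttcp\thttp
1403280000.300000\tCAbc4\t10.0.2.15\t5353\t224.0.0.251\t5353\tudp\t-
1403280000.400000\tCAbc5\t10.0.2.15\t40004\t5.135.59.74\t9001\ttcp\t-
#close\t2014-06-20-12-00-00
"""

# Constructed dns.log sample in the same format.
DNS_LOG = """\
#separator \\x09
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tqtype_name\trcode_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1403280000.000000\tCAbc1\t10.0.2.15\t40001\t10.0.2.3\t53\twww.google.com\tA\tNOERROR
1403280000.050000\tCAbc1\t10.0.2.15\t40001\t10.0.2.3\t53\twww.google.com\tAAAA\tNOERROR
1403280000.060000\tCAbc6\t10.0.2.15\t40005\t10.0.2.3\t53\twww.google.com\tA\tNOERROR
1403280000.070000\tCAbc7\t10.0.2.15\t40006\t10.0.2.3\t53\tgtglobal-ocsp.geotrust.com\tA\tNOERROR
#close\t2014-06-20-12-00-00
"""

# Address ranges that are VM/network background noise, not the bundle.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.2.0/24",         # QEMU user-mode net: guest, gateway, DNS, broadcast
    "224.0.0.0/4",         # IPv4 multicast (mDNS)
    "255.255.255.255/32",  # limited broadcast
    "ff02::/16",           # IPv6 link-local multicast
)]

# Constructed allowlist: destinations the meek bundle is expected to reach
# (the Google front and OCSP responders seen in the comment's capture).
EXPECTED = {
    "74.125.239.110": "www.google.com (meek front)",
    "199.7.51.72": "ocsp.mia1.verisign.com (OCSP)",
}


def parse_zeek_log(text):
    """Parse a Bro/Zeek ASCII log into dicts keyed by the #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/trailer lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("row does not match #fields header: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def classify(addr, expected=EXPECTED):
    """'noise', 'expected' or 'unexpected' for one responder address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in NOISE_NETS):  # v4/v6 mismatch is just False
        return "noise"
    if addr in expected:
        return "expected"
    return "unexpected"


def unique_responders(conn_text):
    """Same result as: bro-cut id.resp_h < conn.log | sort | uniq"""
    return sorted({row["id.resp_h"] for row in parse_zeek_log(conn_text)})


def audit_connections(conn_text, expected=EXPECTED):
    """Bin every responder; the 'unexpected' bucket is what to chase."""
    result = {"noise": [], "expected": [], "unexpected": []}
    for addr in unique_responders(conn_text):
        result[classify(addr, expected)].append(addr)
    return result


def unique_dns_queries(dns_text):
    """Same result as: bro-cut query qtype_name rcode_name < dns.log | sort | uniq"""
    return sorted({(r["query"], r["qtype_name"], r["rcode_name"])
                   for r in parse_zeek_log(dns_text)})


if __name__ == "__main__":
    for bucket, addrs in audit_connections(CONN_LOG).items():
        print(bucket, addrs)
    for q in unique_dns_queries(DNS_LOG):
        print("\t".join(q))
```

To run it against a real capture, replace the constructed strings with the contents of the `conn.log` and `dns.log` that `bro -r meek-leak.pcap` writes, and extend `EXPECTED` with every Google front and OCSP address the bundle legitimately uses; anything left in the `unexpected` bucket is a candidate for the direct contact the ticket reports, and the matching `conn.log` row gives the port and byte counts the comment asks the reporter for.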