[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Do Tor relays rely on ICMP type 11 (time exceeded / timeout in transit)?

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Do Tor relays rely on ICMP type 11 (time exceeded / timeout in transit)?
From: teor <teor2345@xxxxxxxxx>
Date: Mon, 23 Oct 2017 07:55:28 +1100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 22 Oct 2017 16:56:03 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:content-transfer-encoding:mime-version:date:subject:message-id :references:in-reply-to:to; bh=Wy2og3NgebqERKM7QrflgjNjPiCxiKUeQChesB/vsbI=; b=QUiD6eMM60fcm+ZmUTgJRta/7fbXRwEapVdAGM+HdjVP9L6XAl+R+CQ33sZcejJlfQ ekGM6wKPT6rsrA2dLOzkrDEw3UqUykh6XLVAGukWvFwBIR2VD74YfN5qoxrupbMqtIpJ PwybsYh6nTtZ3smBIgRpSF5cMxqUeC3Awl0kxsKb/+ULoFw4ZZKS6NaLq1KPOp/Z9fSI pQCvZW6XU3bO3sbRs2P3HX6tM7khX4/lr13i57TT12qU9XozAW5sdiPiQvqqg9rySz+X W7BXwBg/Q12UY52Qd17bnNQEO9G2U0PvTzrSUUIkR1RyrHg8TwcTQ01FI/gVKx5Cfueh LDGw==
In-reply-to: <CA+r81TDUcapJBp64APtHkWAQPyFzVHhxi+v=Tfk8NkduY-hY5A@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CA+r81TDUcapJBp64APtHkWAQPyFzVHhxi+v=Tfk8NkduY-hY5A@mail.gmail.com>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

> On 23 Oct 2017, at 05:14, Igor Mitrofanov <igor.n.mitrofanov@xxxxxxxxx> wrote:
> 
> On my relays I am dropping any traffic that Tor itself does not rely on.
> I wonder if I should allow or block incoming and/outgoing ICMP type 11
> (time exceeded / timeout in transit)?

Try it and see?

> My host does receive some ICMP type 11 packets, and does seem to send
> some out, but I am not sure if Tor is the source or destination.
> Do Tor relays use some 'traceroute'-like mechanism to detect unreachable relays?

Not as far as I am aware.

> "netstat -s:
>    ...
>    ICMP input histogram:
>        ...
>        timeout in transit: 1923
>    ...
>    ICMP output histogram:
>        ...
>        timeout in transit: 1277
> "
> I remember seeing outgoing TCP packets with TTL set to 1 - those were
> the ones triggering incoming ICMP type 11 packets.

Are you running an exit?
Do you have multiple IP addresses?
Using OutboundBindAddressExit can help you to find out if it's tor relaying
traffic, or tor exit traffic from clients that are doing TCP traceroutes.

T
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Do Tor relays rely on ICMP type 11 (time exceeded / timeout in transit)?
  - From: Igor Mitrofanov

References:
- [tor-dev] Do Tor relays rely on ICMP type 11 (time exceeded / timeout in transit)?
  - From: Igor Mitrofanov

Prev by Author: Re: [tor-dev] A ContactInfo specification
Next by Author: Re: [tor-dev] metrics: collecting circuit build failures from relays to detect network reachability issues and broken relays
Previous by thread: [tor-dev] Do Tor relays rely on ICMP type 11 (time exceeded / timeout in transit)?
Next by thread: Re: [tor-dev] Do Tor relays rely on ICMP type 11 (time exceeded / timeout in transit)?
Index(es):
- Author
- Thread