
Re: [tor-relays] tor-relays Digest, Vol 78, Issue 19



Hello.

I apologize for leaving some of the relevant information out of the first email. The relay operator did contact me, but I'm not him.

I've seen it from the client side, where all my relays starting with a US bridge automatically connect to one or both of the other nodes, which are also in the US. I've had all three of them, guard, middle and exit, all US IPs over and over and over again.

Changing bridges only works if the bridge is changed to a non-US IP. As soon as I change the bridge to one that hits a US IP, it automatically gives me a middle or exit or both in the US.

Later in the day I was contacted by a HS operator who said they had also witnessed strange relay behavior in the last 2 or 3 days. He has subsequently shut down his HS.

I've studied Tor for the last 5 years and have been an active penetration tester in the community for the last 2 years. Something feels wrong, but I just can't put my finger on it.

Thank You For Your Time
0Day

--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

21. Jul 2017 18:00 by tor-relays-request@xxxxxxxxxxxxxxxxxxxx:

Send tor-relays mailing list submissions to
tor-relays@xxxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
or, via email, send a message with subject or body 'help' to
tor-relays-request@xxxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
tor-relays-owner@xxxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of tor-relays digest..."


Today's Topics:

1. Traffic Confirmation Attacks/ Bad Relays
(0dayshoppingspree@xxxxxxxxxxxx)
2. Re: Traffic Confirmation Attacks/ Bad Relays (Matt Traudt)
3. Re: 100K circuit request per minute for hours killed my relay
(Arisbe)
4. Re: Traffic Confirmation Attacks/ Bad Relays (Matt Traudt)


----------------------------------------------------------------------

Message: 1
Date: Fri, 21 Jul 2017 18:12:25 +0200 (CEST)
From: <0dayshoppingspree@xxxxxxxxxxxx>
To: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-relays] Traffic Confirmation Attacks/ Bad Relays
Message-ID: <Kp_uyMv--3-0@xxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hello

A few users have detected suspicious activity around certain relays in the network. There could be time confirmation attacks happening currently on the live Tor network.

If any Tor dev sees this, please start checking the US relays in the network.
--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

------------------------------

Message: 2
Date: Fri, 21 Jul 2017 12:56:02 -0400
From: Matt Traudt <sirmatt@xxxxxxx>
To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Traffic Confirmation Attacks/ Bad Relays
Message-ID: <a80a4261-f0d5-6a10-cf50-144ce348a12b@xxxxxxx>
Content-Type: text/plain; charset=utf-8



On 7/21/17 12:12, 0dayshoppingspree@xxxxxxxxxxxx wrote:
Hello

A few users have detected suspicious activity around certain relays in
the network. There could be time confirmation attacks happening
currently on the live Tor network.

If any Tor dev sees this, please start checking the US relays in the
network.
--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

Since this person has yet again left out all the important information,
here's what this person has to say. I'm quoting this Reddit comment:
https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o

"""

I've noticed every single node in the circuits I start building all
connect to 3 relays in the US.

Then today a relay operator noticed this:

I operate the apx family of exit nodes. [1]

It may be valuable to know that traffic confirmation attacks [2] are
seemingly taking place. [3]

[1] apx1 apx2 apx3

[2] http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf


EDIT> See

https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks

[3] Regular 30 second windows with around 1.8 Gbit/s - 2.1 Gbit/s of
traffic on each of the exits which are also guards (apx1, apx2), while
the exit which isn't a guard sees stable traffic of only ~1 Gbit/s
(apx3). Circuits to hidden services include guards and middle nodes
(rendezvous point). DDoS attacks against hidden services do not affect
exit nodes unless they are also guard nodes.

"""

I now ask:

1. Please provide proof that all your circuits always contain 3 relays
in the US. If you didn't actually mean that all circuits always have all
3 relays in the US, then please explain why you think sometimes having
all 3 in the same country is bad. Keep in mind that guard nodes are a
thing and it isn't weird to have the same 1st hop in every circuit. Also
keep in mind that (i) there are a large number of relays in a small
number of countries, (ii) a relay existing in country X does not
necessarily mean they are dangerous relays, (iii) you should assume
large adversaries would geo-diversify.

2. What is the point of bringing up the traffic you see on your relays?
It isn't obvious to me. Keep in mind that relays aren't always assigned
weights in a predictable or perfectly fair manner. I run multiple relays
on a single machine and they get weighted very differently.

Matt
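Matt's first point, that a fixed guard plus a few relay-heavy countries makes all-same-country circuits unremarkable, can be checked with a toy model. The following is an added example, not code from the thread or from Tor: a bandwidth-weighted path selection over a constructed relay list (nicknames, countries, bandwidths and flags are all made up), with the guard chosen once and reused, and an exact enumeration plus a Monte Carlo cross-check of how often all three hops share a country. Real Tor path selection also applies family and /16 exclusions and per-position bandwidth weights, which this model omits.

```python
"""Added example (not code from the thread or from Tor): a toy,
bandwidth-weighted path selection showing how often a client with a fixed
guard ends up with all three hops in one country.

The relay list, bandwidths and flags are constructed. Real Tor path
selection additionally applies family and /16 exclusions and
per-position bandwidth weights, which are omitted here.
"""
import random

# Constructed relays: (nickname, country, bandwidth, is_guard, is_exit).
RELAYS = [
    ("g-us-1", "US", 400, True, False),
    ("g-us-2", "US", 300, True, True),
    ("g-de-1", "DE", 350, True, False),
    ("g-fr-1", "FR", 200, True, False),
    ("m-us-1", "US", 250, False, False),
    ("m-nl-1", "NL", 300, False, False),
    ("m-de-1", "DE", 150, False, False),
    ("e-us-1", "US", 300, False, True),
    ("e-de-1", "DE", 250, False, True),
    ("e-se-1", "SE", 150, False, True),
]
BY_NAME = {r[0]: r for r in RELAYS}


def candidates(exclude, position):
    """Relays eligible for a position, minus those already in the circuit."""
    pool = [r for r in RELAYS if r[0] not in exclude]
    if position == "guard":
        return [r for r in pool if r[3]]
    if position == "exit":
        return [r for r in pool if r[4]]
    return pool  # any relay may serve as middle in this toy model


def pick(rng, pool):
    """Bandwidth-weighted choice, the core of Tor-style relay selection."""
    return rng.choices(pool, weights=[r[2] for r in pool], k=1)[0]


def choose_guard(rng):
    """A client picks its guard once and keeps reusing it."""
    return pick(rng, candidates(set(), "guard"))


def build_circuit(rng, guard):
    """Exit first, then middle, each excluding relays already chosen."""
    exit_relay = pick(rng, candidates({guard[0]}, "exit"))
    middle = pick(rng, candidates({guard[0], exit_relay[0]}, "middle"))
    return guard, middle, exit_relay


def all_same_country(circuit):
    return len({r[1] for r in circuit}) == 1


def exact_same_country_probability(guard):
    """Enumerate every exit/middle pair for this guard and sum the
    probability mass of circuits whose three hops share a country."""
    exits = candidates({guard[0]}, "exit")
    exit_bw = sum(r[2] for r in exits)
    total = 0.0
    for ex in exits:
        middles = candidates({guard[0], ex[0]}, "middle")
        mid_bw = sum(r[2] for r in middles)
        for mid in middles:
            if all_same_country((guard, mid, ex)):
                total += (ex[2] / exit_bw) * (mid[2] / mid_bw)
    return total


def simulate_same_country_fraction(guard, trials=20000, seed=1):
    """Monte Carlo cross-check of the exact enumeration above."""
    rng = random.Random(seed)
    hits = sum(all_same_country(build_circuit(rng, guard)) for _ in range(trials))
    return hits / trials


def sample_circuit(seed=1):
    """One client's guard choice followed by one circuit through it."""
    rng = random.Random(seed)
    return build_circuit(rng, choose_guard(rng))


if __name__ == "__main__":
    for name in ("g-us-1", "g-de-1"):
        g = BY_NAME[name]
        print(f"guard {name} ({g[1]}): exact={exact_same_country_probability(g):.3f} "
              f"simulated={simulate_same_country_fraction(g):.3f}")
```

With the constructed weights, a client whose guard is in the US sees all-US circuits about 17% of the time even though nothing is wrong; the same client with a DE guard sees all-DE circuits under 2% of the time, because DE holds far less middle and exit bandwidth in this list. The number that matters is the bandwidth share per position, not the count of relays.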


------------------------------

Message: 3
Date: Fri, 21 Jul 2017 12:30:20 -0700
From: Arisbe <arisbe@xxxxxxx>
To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] 100K circuit request per minute for hours
killed my relay
Message-ID: <5813eac4-3000-c300-08aa-2718347b8bc1@xxxxxxx>
Content-Type: text/plain; charset=utf-8; format=flowed

I was under the impression that HidServDirectoryV2 was an obsolete
config option. I run 0.2.9.11.


On 7/21/2017 3:42 AM, Scott Bennett wrote:
Vort <vvort@xxxxxxxxx> wrote:
Your message prompted me to check logs, and on one relay I see the following:
Similar thing for me:

Jul 19 00:08:27.000 [notice] Circuit handshake stats since last time: 3571/3571 TAP, 41180/41180 NTor.
Jul 19 06:08:27.000 [notice] Circuit handshake stats since last time: 2054/2054 TAP, 29181/29181 NTor.
Jul 19 12:08:28.000 [notice] Circuit handshake stats since last time: 2773/2773 TAP, 26497/26497 NTor.
Jul 19 18:08:28.000 [notice] Circuit handshake stats since last time: 3970/3970 TAP, 31344/31344 NTor.
Jul 20 00:08:28.000 [notice] Circuit handshake stats since last time: 4096/4096 TAP, 41730/41730 NTor.
Jul 20 06:08:28.000 [notice] Circuit handshake stats since last time: 18285/18285 TAP, 54102/54102 NTor.
Jul 20 12:08:28.000 [notice] Circuit handshake stats since last time: 61136/61386 TAP, 378196/378339 NTor.
Jul 20 18:08:29.000 [notice] Circuit handshake stats since last time: 73297/73688 TAP, 566708/566892 NTor.
Jul 21 00:08:29.000 [notice] Circuit handshake stats since last time: 67165/67830 TAP, 572685/572851 NTor.
Jul 21 06:08:29.000 [notice] Circuit handshake stats since last time: 31988/32138 TAP, 521455/521536 NTor.
Jul 21 12:08:29.000 [notice] Circuit handshake stats since last time: 5523/5523 TAP, 222378/222432 NTor.

Also there are too many "[warn] assign_to_cpuworker failed. Ignoring." lines in the logs.
This sort of thing has been going on for many years. I used to refer
to it as "mobbing". As nearly as I was ever able to determine, the behavior
is an unintended consequence of hidden services. I found that I could greatly
reduce the frequency of occurrence, but *not* to zero, by setting

HidServDirectoryV2 0

in my torrc file. My tentative conclusion was that the majority of these
events are cases in which a relay has been selected as an HSDir to which
a hidden service descriptor has been posted for a very popular hidden service,
so by refusing to be a hidden service directory mirror, those cases can be
eliminated. I never had a very satisfying hypothesis to explain the remaining
minority of cases.


Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at sdf.org *xor* bennett at freeshell.org *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
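The handshake statistics quoted above are what a relay operator has to work with when deciding whether a circuit-request flood is under way. The following is an added example, not code from the thread or from Tor: a small triage script that parses those "Circuit handshake stats" notices (tor prints each handshake type as handled/requested), flags windows whose requested total is far above the relay's median load, and separately flags windows in which handled falls short of requested, which is the relay dropping onionskins and goes with the "assign_to_cpuworker failed" warnings Vort mentions. The sample input is the log lines posted in the thread; the spike factor is a constructed default.

```python
"""Added example (not from the thread or from Tor): triage of tor's
periodic "Circuit handshake stats" notices. Each handshake type is logged
as handled/requested; a window whose requested total is far above the
relay's usual load marks a flood, and handled < requested means the relay
is dropping onionskins. The spike factor is a constructed default."""
import re
from dataclasses import dataclass
from statistics import median

# The notices posted in the thread, embedded here as sample input.
SAMPLE_LOG = """\
Jul 19 00:08:27.000 [notice] Circuit handshake stats since last time: 3571/3571 TAP, 41180/41180 NTor.
Jul 19 06:08:27.000 [notice] Circuit handshake stats since last time: 2054/2054 TAP, 29181/29181 NTor.
Jul 19 12:08:28.000 [notice] Circuit handshake stats since last time: 2773/2773 TAP, 26497/26497 NTor.
Jul 19 18:08:28.000 [notice] Circuit handshake stats since last time: 3970/3970 TAP, 31344/31344 NTor.
Jul 20 00:08:28.000 [notice] Circuit handshake stats since last time: 4096/4096 TAP, 41730/41730 NTor.
Jul 20 06:08:28.000 [notice] Circuit handshake stats since last time: 18285/18285 TAP, 54102/54102 NTor.
Jul 20 12:08:28.000 [notice] Circuit handshake stats since last time: 61136/61386 TAP, 378196/378339 NTor.
Jul 20 18:08:29.000 [notice] Circuit handshake stats since last time: 73297/73688 TAP, 566708/566892 NTor.
Jul 21 00:08:29.000 [notice] Circuit handshake stats since last time: 67165/67830 TAP, 572685/572851 NTor.
Jul 21 06:08:29.000 [notice] Circuit handshake stats since last time: 31988/32138 TAP, 521455/521536 NTor.
Jul 21 12:08:29.000 [notice] Circuit handshake stats since last time: 5523/5523 TAP, 222378/222432 NTor.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d{3} \[notice\] "
    r"Circuit handshake stats since last time: "
    r"(?P<tap_done>\d+)/(?P<tap_req>\d+) TAP, "
    r"(?P<ntor_done>\d+)/(?P<ntor_req>\d+) NTor\."
)


@dataclass
class Window:
    ts: str
    tap_done: int
    tap_req: int
    ntor_done: int
    ntor_req: int

    @property
    def requested(self):
        """Total handshakes requested in this window, both types."""
        return self.tap_req + self.ntor_req

    @property
    def dropped(self):
        """Handshakes requested but never handled in this window."""
        return (self.tap_req - self.tap_done) + (self.ntor_req - self.ntor_done)


def parse_handshake_stats(text):
    """Extract one Window per matching notice line; other lines are ignored."""
    windows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            windows.append(Window(m["ts"], int(m["tap_done"]), int(m["tap_req"]),
                                  int(m["ntor_done"]), int(m["ntor_req"])))
    return windows


def triage(windows, spike_factor=5.0):
    """Return (baseline, spike timestamps, timestamps with dropped handshakes).

    The baseline is the median requested total, which stays representative
    of normal load as long as fewer than half the windows are flooded.
    """
    if not windows:
        return 0, [], []
    baseline = median(w.requested for w in windows)
    spikes = [w.ts for w in windows if w.requested >= spike_factor * baseline]
    drops = [w.ts for w in windows if w.dropped > 0]
    return baseline, spikes, drops


if __name__ == "__main__":
    base, spikes, drops = triage(parse_handshake_stats(SAMPLE_LOG))
    print(f"median requested per window: {base}")
    for ts in spikes:
        print(f"  flood: {ts}")
    for ts in drops:
        print(f"  dropped onionskins: {ts}")
```

On the posted lines the median window carries 72387 requests; the four windows from Jul 20 12:08 through Jul 21 06:08 exceed five times that, and every window from Jul 20 12:08 onward, including the Jul 21 12:08 window that has already fallen below the spike threshold, shows dropped handshakes. Feeding the script a longer stretch of an unaffected relay's log before the event gives a baseline that is not skewed by the flood itself.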



------------------------------

Message: 4
Date: Fri, 21 Jul 2017 18:00:06 -0400
From: Matt Traudt <sirmatt@xxxxxxx>
To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Traffic Confirmation Attacks/ Bad Relays
Message-ID: <7cde3ca0-d263-41a4-a987-52d67cfb2bb2@xxxxxxx>
Content-Type: text/plain; charset=utf-8



The following is a reply from the person running exit nodes. I
originally confused the following person with the one posting the vague
"OMG US relays" panic on this list.

I'll probably be stepping out of this discussion at this point. I don't
think there's more I can contribute.

"""
Hey,

I was made aware of this thread by the user pastly in the #tor IRC
channel. I would like to clarify some things.

To begin with, I really don't know what the user is referring to. There
are currently 149 exit nodes from the US, from a total of 787 exit
nodes; that is 81% non-US exit nodes. If the user's client does in fact
only connect to US relays, that is likely unrelated to my observations.
However, if that happens consistently, I would really appreciate if that
would be investigated further.

Now, to my observations and the post that was referred to:

/I clearly failed to clarify/ that the "suspicious" traffic which caught
my interest was about non-Tor IPs entering the network through my exits.

As pastly nicely put it: /> will never be used as a guard by
well-behaved tor clients./

My observations were made using a utility I built using nDPI and sysdig
(kernel module).

That is, I have observed about a gigabit of traffic entering my exit
nodes originating /from non-Tor IPs/, causing connections to be
initiated to middle nodes.

I have not claimed evidence to "prove" confirmation attacks. I have
merely observed nearly a gigabit (on multiple nodes, that is) of inbound
traffic entering the network through my exit nodes, which does not seem
very reasonable to do unless the goal is to attack hidden services.

If I can clarify further, please let me know.

-- Kenan
"""


------------------------------


------------------------------

End of tor-relays Digest, Vol 78, Issue 19
******************************************