<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
Hello. <br /><br />I apologize for leaving some of the relevant information out on the 1st email. The relay operator did contact me but im not him. <br /><br />Ive seen it from the client side, where all my relays starting with a US bridge automatically connects to 1 or both other nodes which are also in the US. Ive had all 3 of them, Guard Middle and Exit All US Ips over and over and over again.<br /><br />Changing bridges only works if the bridge is changed to a non-US IP. As soon as i change the bridge to 1 that hits a US Ip it automatically gives me a middle or exit or both in the US. <br /><br />Later in the day i was contacted by a HS operator who said they had also witness strange relay behavior in the last 2 or 3 days. He subsequently has shut down his HS.<br /><br />Ive studied Tor for the last 5 years and have been an active penetration tester in the community for the last 2 years. Something feels wrong but i just cant put my finger on it. <br /><br />Thank You For Your Time<br />0Day<br /><br />
--
<br />
Securely sent with Tutanota. Claim your encrypted mailbox today!
<br />
<a href="https://tutanota.com" target="_blank" rel="noopener noreferrer">https://tutanota.com</a><br /><br />21. Jul 2017 18:00 by <a href="mailto:tor-relays-request@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays-request@lists.torproject.org</a>:<br /><br /><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;">Send tor-relays mailing list submissions to<br /> <a href="mailto:tor-relays@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays@lists.torproject.org</a><br /><br />To subscribe or unsubscribe via the World Wide Web, visit<br /> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank" rel="noopener noreferrer">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br />or, via email, send a message with subject or body 'help' to<br /> <a href="mailto:tor-relays-request@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays-request@lists.torproject.org</a><br /><br />You can reach the person managing the list at<br /> <a href="mailto:tor-relays-owner@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays-owner@lists.torproject.org</a><br /><br />When replying, please edit your Subject line so it is more specific<br />than "Re: Contents of tor-relays digest..."<br /><br /><br />Today's Topics:<br /><br /> 1. Traffic Confimration Attacks/ Bad Relays<br /> (<a href="mailto:0dayshoppingspree@tutanota.com" target="_blank" rel="noopener noreferrer">0dayshoppingspree@tutanota.com</a>)<br /> 2. Re: Traffic Confimration Attacks/ Bad Relays (Matt Traudt)<br /> 3. Re: 100K circuit request per minute for hours killed my relay<br /> (Arisbe)<br /> 4. Re: Traffic Confimration Attacks/ Bad Relays (Matt Traudt)<br /><br /><br />----------------------------------------------------------------------<br /><br />Message: 1<br />Date: Fri, 21 Jul 2017 18:12:25 +0200 (CEST)<br />From: <<a href="mailto:0dayshoppingspree@tutanota.com" target="_blank" rel="noopener noreferrer">0dayshoppingspree@tutanota.com</a>><br />To: <<a href="mailto:tor-relays@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays@lists.torproject.org</a>><br />Subject: [tor-relays] Traffic Confimration Attacks/ Bad Relays<br />Message-ID: <<a href="mailto:Kp_uyMv--3-0@tutanota.com" target="_blank" rel="noopener noreferrer">Kp_uyMv--3-0@tutanota.com</a>><br />Content-Type: text/plain; charset="utf-8"<br /><br />Hello<br /><br />A few users have detected suspicious activity around certain Relays in the network. There could be Time Confirmation Attacks happening currently on the Live Tor Network.<br /><br />If any Tor dev see this, Please Start Checking The US Relays in the network. <br />--<br />Securely sent with Tutanota. Claim your encrypted mailbox today!<br /><a href="https://tutanota.com" target="_blank" rel="noopener noreferrer">https://tutanota.com</a><br />-------------- next part --------------<br />An HTML attachment was scrubbed...<br />URL: <<a href="http://lists.torproject.org/pipermail/tor-relays/attachments/20170721/d314290f/attachment-0001.html" target="_blank" rel="noopener noreferrer">http://lists.torproject.org/pipermail/tor-relays/attachments/20170721/d314290f/attachment-0001.html</a>><br /><br />------------------------------<br /><br />Message: 2<br />Date: Fri, 21 Jul 2017 12:56:02 -0400<br />From: Matt Traudt <<a href="mailto:sirmatt@ksu.edu" target="_blank" rel="noopener noreferrer">sirmatt@ksu.edu</a>><br />To: <a href="mailto:tor-relays@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays@lists.torproject.org</a><br />Subject: Re: [tor-relays] Traffic Confimration Attacks/ Bad Relays<br />Message-ID: <<a href="mailto:a80a4261-f0d5-6a10-cf50-144ce348a12b@ksu.edu" target="_blank" rel="noopener noreferrer">a80a4261-f0d5-6a10-cf50-144ce348a12b@ksu.edu</a>><br />Content-Type: text/plain; charset=utf-8<br /><br /><br /><br />On 7/21/17 12:12, <a href="mailto:0dayshoppingspree@tutanota.com" target="_blank" rel="noopener noreferrer">0dayshoppingspree@tutanota.com</a> wrote:<blockquote>Hello<br /><br />A few users have detected suspicious activity around certain Relays in<br />the network. There could be Time Confirmation Attacks happening<br />currently on the Live Tor Network.<br /><br />If any Tor dev see this, Please Start Checking The US Relays in the<br />network.<br />-- <br />Securely sent with Tutanota. Claim your encrypted mailbox today!<br /><a href="https://tutanota.com" target="_blank" rel="noopener noreferrer">https://tutanota.com</a><br /></blockquote><br />Since this person has yet again left out all the important information,<br />here's what this person has to say. I'm quoting this Reddit comment:<br /><a href="https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o/" target="_blank" rel="noopener noreferrer">https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o</a><br /><br />"""<br /><br />Ive noticed every single node in the circuits i start building all<br />connect to 3 Relays in the US.<br /><br />Then today a relay operator notices this:<br /><br />I operate the apx family of exit nodes. [1]<br /><br />It may be valuable to know that traffic confirmation attacks [2] are<br />seemingly taking place. [3]<br /><br />[1] apx1 apx2 apx3<br /><br />[2] <a href="http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf" target="_blank" rel="noopener noreferrer">http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf</a><br /><br /><br />EDIT> See<br /><br /><a href="https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks/" target="_blank" rel="noopener noreferrer">https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks</a><br /><br />[3] Regular 30 second windows with around 1.8 Gbit/s - 2.1 Gbit/s of<br />traffic on each of the exits which are also guards (apx1, apx2) while<br />the exit which isn't a guard sees stable traffic of only ~ 1 Gbit/s<br />(apx3). Circuits to hidden services include guards and middle nodes<br />(rendevouz point). DDoS attacks against hidden services do not affect<br />exit nodes unless they are also guard nodes.<br /><br />"""<br /><br />I now ask:<br /><br />1. Please provide proof that all your circuits always contain 3 relays<br />in the US. If you didn't actually mean that all circuits always have all<br />3 relays in the US, then please explain why you think sometimes having<br />all 3 in the same country is bad. Keep in mind that guard nodes are a<br />thing and it isn't weird to have the same 1st hop in every circuit. Also<br />keep in mind that (i) there are a large number of relays in a small<br />number of countries, (ii) a relay existing in country X does not<br />necessarily mean they are dangerous relays, (iii) you should assume<br />large adversaries would geo-diversify.<br /><br />2. What is the point of bringing up the traffic you see on your relays?<br />It isn't obvious to me. Keep in mind that relays aren't always assigned<br />weights in a predictable or perfectly fair manner. I run multiple relays<br />on a single machine and they get weighted very differently.<br /><br />Matt<br /><br /><br />------------------------------<br /><br />Message: 3<br />Date: Fri, 21 Jul 2017 12:30:20 -0700<br />From: Arisbe <<a href="mailto:arisbe@cni.net" target="_blank" rel="noopener noreferrer">arisbe@cni.net</a>><br />To: <a href="mailto:tor-relays@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays@lists.torproject.org</a><br />Subject: Re: [tor-relays] 100K circuit request per minute for hours<br /> killed my relay<br />Message-ID: <<a href="mailto:5813eac4-3000-c300-08aa-2718347b8bc1@cni.net" target="_blank" rel="noopener noreferrer">5813eac4-3000-c300-08aa-2718347b8bc1@cni.net</a>><br />Content-Type: text/plain; charset=utf-8; format=flowed<br /><br />I was under the impression that HidServDirectoryV2 was an obsolete <br />config option. I run 0.2.9.11<br /><br /><br />On 7/21/2017 3:42 AM, Scott Bennett wrote:<blockquote>Vort <<a href="mailto:vvort@yandex.ru" target="_blank" rel="noopener noreferrer">vvort@yandex.ru</a>> wrote:<br /><blockquote><blockquote>Your message prompted me to check logs, and on one relay I see the following:</blockquote>Similar thing for me:<br /><br />Jul 19 00:08:27.000 [notice] Circuit handshake stats since last time: 3571/3571 TAP, 41180/41180 NTor.<br />Jul 19 06:08:27.000 [notice] Circuit handshake stats since last time: 2054/2054 TAP, 29181/29181 NTor.<br />Jul 19 12:08:28.000 [notice] Circuit handshake stats since last time: 2773/2773 TAP, 26497/26497 NTor.<br />Jul 19 18:08:28.000 [notice] Circuit handshake stats since last time: 3970/3970 TAP, 31344/31344 NTor.<br />Jul 20 00:08:28.000 [notice] Circuit handshake stats since last time: 4096/4096 TAP, 41730/41730 NTor.<br />Jul 20 06:08:28.000 [notice] Circuit handshake stats since last time: 18285/18285 TAP, 54102/54102 NTor.<br />Jul 20 12:08:28.000 [notice] Circuit handshake stats since last time: 61136/61386 TAP, 378196/378339 NTor.<br />Jul 20 18:08:29.000 [notice] Circuit handshake stats since last time: 73297/73688 TAP, 566708/566892 NTor.<br />Jul 21 00:08:29.000 [notice] Circuit handshake stats since last time: 67165/67830 TAP, 572685/572851 NTor.<br />Jul 21 06:08:29.000 [notice] Circuit handshake stats since last time: 31988/32138 TAP, 521455/521536 NTor.<br />Jul 21 12:08:29.000 [notice] Circuit handshake stats since last time: 5523/5523 TAP, 222378/222432 NTor.<br /><br />Also there are too much "[warn] assign_to_cpuworker failed. Ignoring." lines in the logs.<br /></blockquote> This sort of thing has been going on for many years. I used to refer<br />to it as "mobbing". As nearly as I was ever able to determine, the behavior<br />is an unintended consequence of hidden services. I found that I could greatly<br />reduce the frequency of occurrence, but *not* to zero, by setting<br /><br />HidServDirectoryV2 0<br /><br />in my torrc file. My tentative conclusion was that the majority of these<br />events are cases in which a relay has been selected as an HSDir to which<br />a hidden service descriptor has been posted for a very popular hidden service,<br />so by refusing to be a hidden service directory mirror, those cases can be<br />eliminated. I never had a very satisfying hypothesis to explain the remaining<br />minority of cases.<br /><br /><br /> Scott Bennett, Comm. ASMELG, CFIAG<br />**********************************************************************<br />* Internet: bennett at sdf.org *xor* bennett at freeshell.org *<br />*--------------------------------------------------------------------*<br />* "A well regulated and disciplined militia, is at all times a good *<br />* objection to the introduction of that bane of all free governments *<br />* -- a standing army." *<br />* -- Gov. John Hancock, New York Journal, 28 January 1790 *<br />**********************************************************************<br />_______________________________________________<br />tor-relays mailing list<br /><a href="mailto:tor-relays@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays@lists.torproject.org</a><br /><a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank" rel="noopener noreferrer">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a></blockquote><br /><br /><br />------------------------------<br /><br />Message: 4<br />Date: Fri, 21 Jul 2017 18:00:06 -0400<br />From: Matt Traudt <<a href="mailto:sirmatt@ksu.edu" target="_blank" rel="noopener noreferrer">sirmatt@ksu.edu</a>><br />To: <a href="mailto:tor-relays@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays@lists.torproject.org</a><br />Subject: Re: [tor-relays] Traffic Confimration Attacks/ Bad Relays<br />Message-ID: <<a href="mailto:7cde3ca0-d263-41a4-a987-52d67cfb2bb2@ksu.edu" target="_blank" rel="noopener noreferrer">7cde3ca0-d263-41a4-a987-52d67cfb2bb2@ksu.edu</a>><br />Content-Type: text/plain; charset=utf-8<br /><br /><br /><br />On 7/21/17 12:56, Matt Traudt wrote:<blockquote>[This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at <a href="http://aka.ms/LearnAboutSpoofing]" target="_blank" rel="noopener noreferrer">http://aka.ms/LearnAboutSpoofing]</a><br /><br />On 7/21/17 12:12, <a href="mailto:0dayshoppingspree@tutanota.com" target="_blank" rel="noopener noreferrer">0dayshoppingspree@tutanota.com</a> wrote:<blockquote>Hello<br /><br />A few users have detected suspicious activity around certain Relays in<br />the network. There could be Time Confirmation Attacks happening<br />currently on the Live Tor Network.<br /><br />If any Tor dev see this, Please Start Checking The US Relays in the<br />network.<br />--<br />Securely sent with Tutanota. Claim your encrypted mailbox today!<br /><a href="https://tutanota.com" target="_blank" rel="noopener noreferrer">https://tutanota.com</a><br /></blockquote><br />Since this person has yet again left out all the important information,<br />here's what this person has to say. I'm quoting this Reddit comment:<br /><a href="https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o/" target="_blank" rel="noopener noreferrer">https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o</a><br /><br />"""<br /><br />Ive noticed every single node in the circuits i start building all<br />connect to 3 Relays in the US.<br /><br />Then today a relay operator notices this:<br /><br />I operate the apx family of exit nodes. [1]<br /><br />It may be valuable to know that traffic confirmation attacks [2] are<br />seemingly taking place. [3]<br /><br />[1] apx1 apx2 apx3<br /><br />[2] <a href="http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf" target="_blank" rel="noopener noreferrer">http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf</a><br /><br /><br />EDIT> See<br /><br /><a href="https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks/" target="_blank" rel="noopener noreferrer">https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks</a><br /><br />[3] Regular 30 second windows with around 1.8 Gbit/s - 2.1 Gbit/s of<br />traffic on each of the exits which are also guards (apx1, apx2) while<br />the exit which isn't a guard sees stable traffic of only ~ 1 Gbit/s<br />(apx3). Circuits to hidden services include guards and middle nodes<br />(rendevouz point). DDoS attacks against hidden services do not affect<br />exit nodes unless they are also guard nodes.<br /><br />"""<br /><br />I now ask:<br /><br />1. Please provide proof that all your circuits always contain 3 relays<br />in the US. If you didn't actually mean that all circuits always have all<br />3 relays in the US, then please explain why you think sometimes having<br />all 3 in the same country is bad. Keep in mind that guard nodes are a<br />thing and it isn't weird to have the same 1st hop in every circuit. Also<br />keep in mind that (i) there are a large number of relays in a small<br />number of countries, (ii) a relay existing in country X does not<br />necessarily mean they are dangerous relays, (iii) you should assume<br />large adversaries would geo-diversify.<br /><br />2. What is the point of bringing up the traffic you see on your relays?<br />It isn't obvious to me. Keep in mind that relays aren't always assigned<br />weights in a predictable or perfectly fair manner. I run multiple relays<br />on a single machine and they get weighted very differently.<br /><br />Matt</blockquote><br />The following is a reply from the person running exit nodes. I<br />originally confused the following person with the one posting the vague<br />"OMG US relays" panic on this list.<br /><br />I'll probably be stepping out of this discussion at this point. I don't<br />think there's more I can contribute.<br /><br />"""<br />Hey,<br /><br />I was made aware of this thread by the user pastly in the #tor IRC<br />channel. I would like to clarify some things.<br /><br />To begin with, I really don't know what the user is referring to. There<br />are currently 149 exit nodes from the US, from a total of 787 exit<br />nodes; that is 81% non-US exit nodes. If the users' client does in fact<br />only connect to US relays, that is likely unrelated to my observations.<br />However, if that happens consistently, I would really appreciate if that<br />would be investigated further.<br /><br />Now, to my observations and the post that was referred to:<br /><br />/I clearly failed to clarify/ that the "suspicious" traffic which caught<br />my interest was about non-Tor IPs entering the network through my exits.<br /><br />As pastly nicely put it: /> will never be used as a guard by<br />well-behaved tor clients./<br /><br />My observations were made using a utility I built using nDPI and sysdig<br />(kernel module).<br /><br />That is, I have observed about a gigabit of traffic entering my exit<br />nodes originating /from non-Tor IPs/, causing connections to be<br />initiated to middle nodes.<br /><br />I have not claimed evidence to "prove" confirmation attacks. I have<br />merely observed nearly a gigabit (on multiple nodes, that is) of inbound<br />traffic entering the network through my exit nodes, which does not seem<br />very reasonable to do unless the goal is attack hidden services.<br /><br />If I can clarify further, please let me know.<br /><br />-- Kenan<br />"""<br /><br /><br />------------------------------<br /><br />Subject: Digest Footer<br /><br />_______________________________________________<br />tor-relays mailing list<br /><a href="mailto:tor-relays@lists.torproject.org" target="_blank" rel="noopener noreferrer">tor-relays@lists.torproject.org</a><br /><a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank" rel="noopener noreferrer">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br /><br /><br />------------------------------<br /><br />End of tor-relays Digest, Vol 78, Issue 19<br />******************************************</blockquote> </body>
</html>