On Wed, May 9, 2018 at 2:06 PM, Trevor Ellermann trevor@ellermann.net wrote:
I just a notification from my data center that someone is trying to hijack the IP of my exit node. Seems like the sort of thing someone might do when trying to attack Tor. I'm in a very remote area with limited access but any suggestions on actions I should take?
Make sure your box and keys aren't compromised. If that's ok, best they can do if the announcements are listened to is camp on the ip for a while using their own keys, (there might be some identification attacks made possible with such a transient reroute,) circuits would fail till the consensus updated to them, but there could be some duplicate ip split horizon issues involved due to filtering. If they hacked the boxes there's hardly need to expend noisy reroutes when they can do most attacks using the box itself.
Hop on the route servers or your other favorite interfaces to the net and analyze who all is announcing /32's trying to cover any other tor nodes.
Sane isp's will filter such things without prior coordination. It's fairly rare, and for them to bother giving customers courtesy reports. Though depending on nature of ticket / relationship with GBLX, you might want to reply saying you've never worked with Asavie and don't approve of the action regarding your IP.
You can also search AS200005 to see what kind of heat they catch from other operators / internet analysis tools.
==================================================================== Possible Prefix Hijack (Code: 10) ==================================================================== Your prefix: 204.17.32.0/19: Prefix Description: GBLX-US-BGP Update time: 2018-05-09 12:11 (UTC) Detected by #peers: 1 Detected prefix: 204.17.56.42/32 Announced by: AS200005 (Asavie Technologies Limited) Upstream AS: AS200005 (Asavie Technologies Limited) ASpath: 200005
https://torstatus.blutmagie.de/router_detail.php?FP=383d6e34d9bea92e97092b13...