Hi!
Yesterday I encountered a strange IP address update via DynDNS:
Dec 19 23:00:32.000 [notice] Your IP address seems to have changed to 176.10.104.240 (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating. Dec 19 23:00:32.000 [notice] Our IP Address has changed from xx.xx.xx.xx to 176.10.104.240; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Dec 19 23:00:36.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Dec 19 23:04:32.000 [notice] Your IP address seems to have changed to xx.xx.xx.xx (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating. Dec 19 23:04:32.000 [notice] Our IP Address has changed from 176.10.104.240 to xx.xx.xx.xx ; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Dec 19 23:04:34.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Dec 19 23:08:32.000 [notice] Your IP address seems to have changed to 176.10.104.240 (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating. Dec 19 23:08:32.000 [notice] Our IP Address has changed from xx.xx.xx.xx to 176.10.104.240; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Dec 19 23:08:34.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Dec 19 23:13:32.000 [notice] Your IP address seems to have changed to xx.xx.xx.xx (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating. Dec 19 23:13:32.000 [notice] Our IP Address has changed from 176.10.104.240 to xx.xx.xx.xx; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Dec 19 23:13:36.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Dec 19 23:22:38.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent. Publishing server descriptor
The DynDNS client updates the IP every five minutes. It looks like somebody has tried to changed / update the IP manually or via spoofed update (DNS) entry. I also recognized the change at the WebGUI of the DynDNS Provider. The changed IP address is an exit node (0111BA9B604669E636FFD5B503F382A4B7AD6E80) in Switzerland.
I don't think, that this is a bug in Tor 0.2.9.7-rc. Are there any possible attacks to Tor relays, if they are using a faked IP address? Normally this shouldn't work. Even if the traffic is redirected to an exit node, but I am not sure.
Well, it should be safer to use autodetection of the IP though Tor.
Regards,