I run the relay Logforme (855BC2DABE24C861CD887DB9B2E950424B49FC34)
Saw this in yesterday's log file:
Oct 22 03:17:55.000 [notice] Our IP Address has changed from 84.219.173.60 to 154.35.32.5; rebuilding descriptor (source: 154.35.175.225).
Oct 22 03:17:55.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Oct 22 03:17:56.000 [notice] Performing bandwidth self-test...done.
Oct 22 03:26:55.000 [notice] Our IP Address has changed from 154.35.32.5 to 84.219.173.60; rebuilding descriptor (source: 194.109.206.212).
84.219.173.60: <- My real IP address
154.35.32.5: faravahar.rabbani.jp <- No idea
154.35.175.225: faravahar.redteam.net <- Authority server
194.109.206.212: tor.dizum.com <- Better authority server
So if I read it right my relay asked the authority server Faravahar what my IP address is and got the wrong answer. 9 minutes later my relay asked another authority server and got the right answer. My relay shows an uptime starting from this time, and if the relay did a full restart it meant all the circuits got dropped? Inconvenient for users.
My relay has "restarted" like this a few times in the last weeks (only Tor daemon "restarting", not the machine). Don't know if Faravahar is behind the other "restarts". This time I just caught it in the log file before it got archived.
Is this a known issue with Faravahar? If so, should it be fixed?
On 22 October 2015 at 19:22, Logforme m7527@abc.se wrote:
> I run the relay Logforme (855BC2DABE24C861CD887DB9B2E950424B49FC34)
> Saw this in yesterday's log file:
> Oct 22 03:17:55.000 [notice] Our IP Address has changed from 84.219.173.60 to 154.35.32.5; rebuilding descriptor (source: 154.35.175.225).
> Oct 22 03:17:55.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
> Oct 22 03:17:56.000 [notice] Performing bandwidth self-test...done.
> Oct 22 03:26:55.000 [notice] Our IP Address has changed from 154.35.32.5 to 84.219.173.60; rebuilding descriptor (source: 194.109.206.212).
> 84.219.173.60: <- My real IP address
> 154.35.32.5: faravahar.rabbani.jp <- No idea
> 154.35.175.225: faravahar.redteam.net <- Authority server
> 194.109.206.212: tor.dizum.com <- Better authority server
I just got something strange too:
Oct 22 20:42:24.000 [notice] Guessed our IP address as 77.206.60.235 (source: 154.35.175.225).
Oct 22 20:42:25.000 [notice] Our IP Address has changed from 77.206.60.235 to 149.18.2.82; rebuilding descriptor (source: 199.254.238.52).
Faravahar guessed my IP wrongly to be 77.206.60.235, which is a French IP totally unrelated to my connection.
> So if I read it right my relay asked the authority server Faravahar what my IP address is and got the wrong answer. 9 minutes later my relay asked another authority server and got the right answer. My relay shows an uptime starting from this time, and if the relay did a full restart it meant all the circuits got dropped? Inconvenient for users.
> My relay has "restarted" like this a few times in the last weeks (only Tor daemon "restarting", not the machine). Don't know if Faravahar is behind the other "restarts". This time I just caught it in the log file before it got archived.
> Is this a known issue with Faravahar? If so, should it be fixed?
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I see this from time to time as well. Here's another example:
Oct 17 23:02:44.000 [notice] Our IP Address has changed from 52.64.142.121 to [CORRECT IP]; rebuilding descriptor (source: 86.59.21.38).
52.64.142.121 appears to be an instance on Amazon's EC2. I don't run any nodes on EC2. 86.59.21.38 resolves to tor.noreply.org.
I'm unable to find any occurrences of this happening from Faravahar, however the issue seems to be fairly common. What's going on?
On Thu, Oct 22, 2015 at 1:48 PM, Pascal Terjan pterjan@gmail.com wrote:
> I just got something strange too:
> Oct 22 20:42:24.000 [notice] Guessed our IP address as 77.206.60.235 (source: 154.35.175.225).
> Oct 22 20:42:25.000 [notice] Our IP Address has changed from 77.206.60.235 to 149.18.2.82; rebuilding descriptor (source: 199.254.238.52).
> Faravahar guessed my IP wrongly to be 77.206.60.235, which is a French IP totally unrelated to my connection.
On 23 Oct 2015, at 09:30, Green Dream greendream848@gmail.com wrote:
> I see this from time to time as well. Here's another example:
> Oct 17 23:02:44.000 [notice] Our IP Address has changed from 52.64.142.121 to [CORRECT IP]; rebuilding descriptor (source: 86.59.21.38).
> 52.64.142.121 appears to be an instance on Amazon's EC2. I don't run any nodes on EC2. 86.59.21.38 resolves to tor.noreply.org.
> I'm unable to find any occurrences of this happening from Faravahar, however the issue seems to be fairly common. What's going on?
We've had one suggestion so far: That the iptables forwarding rule from Faravahar's old address might not be preserving the original source address.
Another possibility is that authorities running directory caching proxies are re-using the X-Your-IP-Address-Is header meant for other clients, rather than generating it fresh for every client.
A third possibility is a bug in the tor authority code, which sets X-Your-IP-Address-Is to the wrong IP.
Tim
Hello,
Unfortunately this is not the first time we see this, and it did happen before Faravahar IP address change and before it was experiencing very high latency ( https://trac.torproject.org/projects/tor/ticket/17338 ).
See: https://trac.torproject.org/projects/tor/ticket/16205#comment:3 ~5 months ago
Maybe the bogus discovery of IP address change explains this also: https://trac.torproject.org/projects/tor/ticket/15500
There is obviously something strange going on. In addition to what teor said, the operator should also find out exactly what kind of anti-DoS protection system is used in that datacenter. Maybe something upstream feels attacked when Faravahar is receiving a lot of incoming connections and behaves in a way that is incompatible with Tor.
On 10/23/2015 1:55 PM, teor wrote:
> We've had one suggestion so far: That the iptables forwarding rule from Faravahar's old address might not be preserving the original source address.
> Another possibility is that authorities running directory caching proxies are re-using the X-Your-IP-Address-Is header meant for other clients, rather than generating it fresh for every client.
> A third possibility is a bug in the tor authority code, which sets X-Your-IP-Address-Is to the wrong IP.
> Tim
Sina, the ticket 16205 regarding incorrect IPs coming from Faravahar is 5 months old [1].
Have you had a chance to look into the possible explanation Nick Suan mentioned earlier in the thread?
It's not exactly confidence-inspiring to see multiple unresolved tickets about Faravahar going back several months.
[1] https://trac.torproject.org/projects/tor/ticket/16205#comment:3
On Sat, Oct 24, 2015 at 03:09:00AM +0300, s7r wrote:
> Hello,
> Unfortunately this is not the first time we see this, and it did happen before Faravahar IP address change and before it was experiencing very high latency ( https://trac.torproject.org/projects/tor/ticket/17338 ).
> See: https://trac.torproject.org/projects/tor/ticket/16205#comment:3 ~5 months ago
See another recent instance [0]. This one is interesting, though, because it's actually Faravahar's old IP address.
For those who see this happening, do you only see these log entries for a short time after starting the relay or do you see it at arbitrary times, after the relay has run for days?
Thanks, Matt
[0] https://lists.torproject.org/pipermail/tor-relays/2015-November/008128.html
> I just got something strange too:
> Oct 22 20:42:24.000 [notice] Guessed our IP address as 77.206.60.235 (source: 154.35.175.225).
> Oct 22 20:42:25.000 [notice] Our IP Address has changed from 77.206.60.235 to 149.18.2.82; rebuilding descriptor (source: 199.254.238.52).
Hello guys,
Same trouble on my node:
Oct 24 11:21:20.000 [notice] Our IP Address has changed from 62.210.124.124 to 18.82.0.94; rebuilding descriptor (source: 154.35.175.225).
Oct 24 11:29:58.000 [notice] Our IP Address has changed from 18.82.0.94 to 62.210.124.124; rebuilding descriptor (source: 131.188.40.189).
Contact with another French Tor node operator, impacted too the same day:
Oct 24 20:57:10.000 [notice] Our IP Address has changed from 81.57.127.22 to 212.27.38.252; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=ecuri.es).
Oct 24 21:00:13.000 [notice] Our IP Address has changed from 212.27.38.252 to 81.57.127.22; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=ecuri.es).
Possible there is some kind of attack on the network?
Seems most of the trouble reported on this thread involves a French IP or French Tor node. My country recently passed a law about state mass surveillance, with deployment of « black box » for security interception. Could it be related?
Regards,
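
A way to check a relay's notice log for the pattern reported in this thread, as an added example that is not part of the original messages: it pairs each address event with the next one and reports addresses that were adopted and then replaced again within a window, along with the source that supplied them. The 30-minute window, the `year` parameter (the log timestamps omit the year) and the function names are assumptions of this example; the sample input is the excerpts quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Sample input: excerpts quoted in the thread (two relays, concatenated here).
SAMPLE_LOG = """\
Oct 22 03:17:55.000 [notice] Our IP Address has changed from 84.219.173.60 to 154.35.32.5; rebuilding descriptor (source: 154.35.175.225).
Oct 22 03:17:55.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Oct 22 03:26:55.000 [notice] Our IP Address has changed from 154.35.32.5 to 84.219.173.60; rebuilding descriptor (source: 194.109.206.212).
Oct 22 20:42:24.000 [notice] Guessed our IP address as 77.206.60.235 (source: 154.35.175.225).
Oct 22 20:42:25.000 [notice] Our IP Address has changed from 77.206.60.235 to 149.18.2.82; rebuilding descriptor (source: 199.254.238.52).
"""

# Matches the two message shapes seen in the thread; other lines are skipped.
EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \[notice\] "
    r"(?:Our IP Address has changed from (?P<old>\S+) to (?P<new>[^;\s]+);"
    r" rebuilding descriptor|Guessed our IP address as (?P<guess>\S+))"
    r" \(source: (?P<src>[^)]*)\)")

def parse(log_text, year=2015):
    """Yield (time, old, new, source); `year` is assumed, the log omits it."""
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            yield when, m["old"], m["new"] or m["guess"], m["src"]

def transient_addresses(log_text, window=timedelta(minutes=30)):
    """Report addresses that were adopted and then replaced within `window`."""
    findings, prev = [], None
    for when, old, new, src in parse(log_text):
        if prev and old == prev[2] and when - prev[0] <= window:
            findings.append({
                "address": old,              # the short-lived address
                "supplied_by": prev[3],      # source that made the relay adopt it
                "replaced_via": src,         # source behind the next change
                "held_seconds": (when - prev[0]).total_seconds(),
                "reverted": new == prev[1],  # True for an A -> B -> A flip-flop
            })
        prev = (when, old, new, src)
    return findings

if __name__ == "__main__":
    for f in transient_addresses(SAMPLE_LOG):
        print(f)
```

A finding with `reverted` set to False only says the address was short-lived; the log alone does not show which of the two addresses was the correct one.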