Traffic Confirmation Attacks / Bad Relays

22 Jul 2017, 2:31 a.m.
Thanks for your input, Tim. You are correct that I have not taken into account the IPs which are not in the consensus. My exit nodes are regularly attacked -- what caught my attention was not the fact that an extra gigabit of traffic was flowing in, but rather the way it was (*and still is*, on one node) flowing in. The patterns of the traffic seem unusual, because they are precisely timed windows of traffic: 30 seconds of about a gigabit of traffic, 5 minutes (exactly 302 ± 3 seconds, that is) pause, 15 seconds of about a gigabit of traffic, 3 minutes (181 ± 1 seconds) pause, 60 seconds of a gigabit of traffic, 10 minutes (604 ± 2 seconds). This went on for 8 hours on apx1; apx2 is seeing this still. I'm very sure that there is a reasonable explanation for this, but I can't see the reason any client would behave like this.

-- Kenan

> On 22 Jul 2017, at 08:00, Matt Traudt <sirmatt at ksu.edu> wrote:
>
> > Now, to my observations and the post that was referred to:
> >
> > /I clearly failed to clarify/ that the "suspicious" traffic which caught
> > my interest was about non-Tor IPs entering the network through my exits.
>
> How do you work out what a non-Tor IP is?
>
> > As pastly nicely put it: /> will never be used as a guard by
> > well-behaved tor clients./
>
> Exits won't be used as long-term Guards, but they will be used as
> Entry nodes (or receive connections that look like client connections)
> from:
> * clients via bridges
> * clients with UseEntryGuards disabled, including:
>   * Single Onion Services (to intro and rend nodes)
>   * Tor2web (to HSDir, intro and rend nodes)
> * clients using them as directory guards or fallback directory mirrors,
> * bandwidth authorities,
> * Tor relays that aren't in the consensus(es) you're using to work out
>   what a "non-Tor IP" is,
> * Tor relays that have an OutboundBindAddress* option, or a route, that
>   binds to an IP address they're not advertising in their descriptor.
> (Some of these categories might be excluded by position weights, I
> haven't checked them all in detail.)
>
> > My observations were made using a utility I built using nDPI and sysdig
> > (kernel module).
> >
> > That is, I have observed about a gigabit of traffic entering my exit
> > nodes originating /from non-Tor IPs/, causing connections to be
> > initiated to middle nodes.
>
> The most likely scenarios responsible for this volume of traffic are:
> * clients with UseEntryGuards disabled, including:
>   * Tor2web (to a rend node using Tor2webRendezvousPoints)
> * Tor relays that aren't in the consensus(es) you're using to work out
>   what a "non-Tor IP" is,
> * Tor relays that have an OutboundBindAddress* option, or a route, that
>   binds to an IP address they're not advertising in their descriptor.
>
> > I have not claimed evidence to "prove" confirmation attacks. I have
> > merely observed nearly a gigabit (on multiple nodes, that is) of inbound
> > traffic entering the network through my exit nodes, which does not seem
> > very reasonable to do unless the goal is attack hidden services.
>
> Proving an attack would be hard: we'd have to rule out all the
> exceptional cases I listed above one-by-one. And check the process used
> to identify Tor and non-Tor IPs.
>
> T
>
> --
> Tim Wilson-Brown (teor)
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmpp: teor at torproject dot org
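One way an operator could check an interface counter for the timed burst/pause pattern Kenan reports, as an added example that is not part of the original thread. It assumes per-second inbound bit-rate samples (e.g. taken from a NIC counter); the nominal durations and tolerances are the ones stated in the post, and the input series is constructed to reproduce them.

```python
"""Detect a repeating burst/pause traffic pattern in a per-second bit-rate series."""
from itertools import groupby

GBIT = 1_000_000_000

# (state, nominal seconds, tolerance seconds), taken from the post above
REPORTED_PATTERN = [
    ("on", 30, 3), ("off", 302, 3),
    ("on", 15, 3), ("off", 181, 1),
    ("on", 60, 3), ("off", 604, 2),
]


def runs(bps_per_second, threshold=0.5 * GBIT):
    """Collapse a per-second bit-rate series into (state, seconds) runs.

    A second counts as "on" when the rate is at or above the threshold.
    """
    states = ("on" if bps >= threshold else "off" for bps in bps_per_second)
    return [(state, sum(1 for _ in grp)) for state, grp in groupby(states)]


def matches_pattern(observed_runs, pattern=REPORTED_PATTERN):
    """True if some window of consecutive runs matches the pattern's states
    and durations within each step's tolerance (partial edge runs are ignored)."""
    n = len(pattern)
    for i in range(len(observed_runs) - n + 1):
        window = observed_runs[i:i + n]
        if all(state == p_state and abs(secs - nominal) <= tol
               for (state, secs), (p_state, nominal, tol) in zip(window, pattern)):
            return True
    return False


def synthetic_series(pattern, on_bps=GBIT, off_bps=20_000_000):
    """Constructed sample: emit each step of the pattern at its nominal length.

    off_bps models the background traffic a relay sees between bursts."""
    series = []
    for state, seconds, _tol in pattern:
        series.extend([on_bps if state == "on" else off_bps] * seconds)
    return series


if __name__ == "__main__":
    # Constructed input: 2 minutes of quiet, one full cycle, then the next burst begins.
    sample = [30_000_000] * 120 + synthetic_series(REPORTED_PATTERN) + [GBIT] * 30
    observed = runs(sample)
    print(observed)
    print("timed burst/pause pattern present:", matches_pattern(observed))
```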
participants (1)
- Kenan Sulayman