[metrics-team] onionoo exit_addresses semantics

Karsten Loesing karsten at torproject.org
Fri Feb 16 20:15:39 UTC 2018


On 2018-02-09 16:32, nusenu wrote:
> Hi,

Hi nusenu,

I just found this thread in my inbox and hope/assume it's still relevant.

> due to dcf's idea I'm using onionoo data to detect rerouting exit relays 
> (exits that do not really exit).
> 
> example (non-false positive):
> https://lists.riseup.net/www/arc/ornetradar/2018-02/msg00056.html

Fun!

> I assume I stumbled on an issue with the exit_addresses data and would like
> to hear your opinion. This is my assumption:
> 
> If an exit that does not actually have different inbound and output IPs,
> but changes its ORPort IP address (example: dynamic IP), it will list its old IP as an exit_addresses after changing to a
> new ORPort IP. Is that the case and if yes is that intended? 

Yes, it is the case, but only if the relay has been scanned by the exit
scanner and found to be exiting on its former OR port IP address.

> Example:
> D076C67EA072452C8F9A5C270224BDEFD910FAFD
> 
> OR IP address: 27.49.9.186 (relays_published: 2018-02-09 13:00)
> Exit addresses lists the old IP:
> **27.49.8.36** [...]
> 
> Descriptor published, OR IP, FP:
> 
> 2018-02-08 18:40:13 27.49.8.36 D076C67EA072452C8F9A5C270224BDEFD910FAFD
> 
> Strictly speaking you could say that this does not violate the description of that field:
> 
> https://metrics.torproject.org/onionoo.html#details_relay_exit_addresses
>> Array of IPv4 or IPv6 addresses that the relay used to exit to the
>> Internet in the past 24 hours. IPv6 hex characters are all
>> lower-case. Only those addresses are listed that are different from
>> onion-routing addresses. Omitted if array is empty.
> 
> Depending on the interpretation of
> "Only those addresses are listed that are different from
> onion-routing addresses."
> 
> this is a potential bug or not.

Onionoo takes exit lists and includes all IP addresses that have been
found in scans over the past 24 hours. It does not combine this
information with older consensuses to see if an exit IP address was in
fact a former OR address.

Stated differently, the only reason for excluding exit addresses that
are currently known as OR addresses is deduplication.

I could see us do three things here:

 1. Stop deduplicating exit addresses and just include everything from
exit lists found in the past 24 hours. Would this help?

 2. We clarify the specification by saying that we're not checking
whether an exit IP address was a former OR address, but that we're just
deduplicating.

 3. We do nothing.

Maybe there's a 4 here, or a variant of 1 or 2.

If this turns out to require new code, let's move the discussion to Trac.

Thanks for bringing this up!

All the best,
Karsten
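
Added example (not part of the original message and not Onionoo code): a check that separates exit_addresses entries that are only a relay's former OR address from entries that were never an OR address, which is the distinction the thread is about. The descriptor-history input format, the 48-hour lookback, the port numbers and the second relay are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

def or_ip(or_address):
    """Drop the port from an or_addresses entry ("ip:port" or "[ipv6]:port")."""
    return ip_address(or_address.rsplit(":", 1)[0].strip("[]"))

def parse_history(lines):
    """Parse 'date time or_ip fingerprint' lines into {fingerprint: [(published, ip)]}."""
    history = {}
    for line in lines:
        day, clock, ip, fp = line.split()
        published = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        history.setdefault(fp, []).append((published, ip_address(ip)))
    return history

def classify_exit_addresses(relay, history, relays_published,
                            lookback=timedelta(hours=48)):  # assumed window
    """Label each exit address as a former OR address or a distinct exit address."""
    current = {or_ip(a) for a in relay.get("or_addresses", [])}
    cutoff = relays_published - lookback
    former = {ip for published, ip in history.get(relay["fingerprint"], [])
              if cutoff <= published <= relays_published}
    labels = {}
    for addr in relay.get("exit_addresses", []):
        ip = ip_address(addr)
        if ip in current:
            continue  # already deduplicated by Onionoo; skipped defensively
        labels[addr] = ("former_or_address" if ip in former
                        else "distinct_exit_address")
    return labels

# Constructed sample data. The first relay uses the values quoted in the thread
# (the OR port is made up); the second relay is entirely made up.
RELAYS_PUBLISHED = datetime(2018, 2, 9, 13, 0, 0)
HISTORY = parse_history([
    "2018-02-08 18:40:13 27.49.8.36 D076C67EA072452C8F9A5C270224BDEFD910FAFD",
    "2018-02-08 20:00:00 192.0.2.10 " + "A" * 40,
])
DYNAMIC_IP_RELAY = {"fingerprint": "D076C67EA072452C8F9A5C270224BDEFD910FAFD",
                    "or_addresses": ["27.49.9.186:9001"],
                    "exit_addresses": ["27.49.8.36"]}
REROUTING_RELAY = {"fingerprint": "A" * 40,
                   "or_addresses": ["192.0.2.10:9001"],
                   "exit_addresses": ["198.51.100.7"]}

if __name__ == "__main__":
    for relay in (DYNAMIC_IP_RELAY, REROUTING_RELAY):
        print(relay["fingerprint"],
              classify_exit_addresses(relay, HISTORY, RELAYS_PUBLISHED))
```

Only entries labelled distinct_exit_address are candidates for a rerouting exit; the lookback has to cover descriptors that were still current during the 24-hour exit-list window.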
