[tor-bugs] #17782 [Tor]: Relays may publish descriptors with incorrect IP address

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Dec 8 15:42:08 UTC 2015


#17782: Relays may publish descriptors with incorrect IP address
------------------------+-----------------------------
     Reporter:  fk      |      Owner:
         Type:  defect  |     Status:  new
     Priority:  Medium  |  Milestone:
    Component:  Tor     |    Version:  Tor: 0.2.7.4-rc
     Severity:  Normal  |   Keywords:
Actual Points:          |  Parent ID:
       Points:          |    Sponsor:
------------------------+-----------------------------
 I suspect that the following bug could be used by malicious directories
 to cause relays that rely on directories to get their external IP address
 to publish bogus descriptors which should reduce their chances to make
 it into the next consensus.

 I privately reported the issue yesterday and it has been decided
 that there's no need to keep it secret.

 The relay elektrobier2 (3D615DEF97F387631F50201FAFA6E7B67FDF3FEF)
 is running in an ElectroBSD jail with:

 ORPort 9001 NoAdvertise
 ORPort  443 NoListen

 Tor binds to 127.0.1.1:9001, pf is forwarding incoming traffic
 from 95.211.138.7:443 and nat'ing outgoing traffic:

 {{{
 [fk at elektrobier ~]$ jls | grep elektrobier2
      5  127.0.1.1       elektrobier2 /usr/jails/elektrobier2
 [fk at elektrobier ~]$ sudo pfctl -sn -P | grep 127.0.1.1
 nat on bge0 inet from 127.0.1.1 to any -> 95.211.138.7
 rdr pass on bge0 inet proto tcp from any to 95.211.138.7 port = 443 -> 127.0.1.1 port 9001
 }}}

 This used to work fine and Tor correctly detected the external IP
 address when the system only had one external IPv4 address.

 After the system got a second external IP address, pf was briefly
 nat'ing outgoing traffic using both external IPv4 addresses while
 still only forwarding incoming traffic from 95.211.138.7:443 to Tor.

 This resulted in undesirable behaviour:

 {{{
 Dec 01 18:34:58.337 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 18:34:58.550 [notice] {GENERAL} Tor has successfully opened a
 circuit. Looks like client functionality is working.
 Dec 01 18:34:58.550 [notice] {CONTROL} Bootstrapped 100%: Done
 Dec 01 18:36:45.949 [notice] {CONTROL} New control connection opened from
 127.0.1.1.
 Dec 01 18:41:01.459 [notice] {OR} Performing bandwidth self-test...done.
 Dec 01 18:55:26.206 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source:
 144.76.92.46).
 Dec 01 18:55:26.274 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 19:55:29.426 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source:
 124.6.36.195).
 Dec 01 19:55:30.351 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 20:15:45.001 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source:
 146.0.32.144).
 Dec 01 20:15:47.988 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 20:16:35.027 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source:
 171.25.193.9).
 Dec 01 20:16:35.367 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 20:36:05.053 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source:
 212.51.155.40).
 Dec 01 20:36:05.098 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 20:56:25.006 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source:
 154.46.204.125).
 Dec 01 20:56:25.254 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 21:15:33.282 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source:
 50.7.184.58).
 Dec 01 21:15:33.756 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 21:16:34.015 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source:
 193.23.244.244).
 Dec 01 21:16:34.033 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 21:17:35.514 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source:
 208.83.223.34).
 Dec 01 21:17:35.710 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 21:56:14.079 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source:
 89.46.101.181).
 Dec 01 21:56:14.414 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 01 21:57:25.355 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source:
 185.11.136.211).
 Dec 01 21:57:25.409 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 }}}

 The messages seem to imply that Tor is only publishing the IP address
 after verifying that it can be reached through it.

 Unless I misinterpret the code, it only verified that it got incoming
 traffic on its ORPort, though, and in this case all the traffic came
 through 95.211.138.7:443 while traffic to 95.211.138.51:443 was not
 forwarded to this relay and not part of the reachability test.

 Therefore I suspect that the contacted directories could trick the relay
 into publishing any IP address in which case the relay could fall
 out of the next consensus.

 BTW, after noticing the issue I changed the pf configuration to use a
 fixed IP address mapping when nat'ing Tor traffic, but surprisingly this
 did not completely work around the problem for this relay and just reduced
 the number of times address changes were detected. Even days later I got:

 {{{
 Dec 07 07:00:00.725 [notice] {ACCT} Configured hibernation.  This interval
 began at 2015-12-07 07:00:00; the scheduled wake-up time was 2015-12-07
 07:00:00; we expect to exhaust our quota for this interval around
 2015-12-08 07:00:00; the next interval begins at 2015-12-08 07:00:00 (all
 times local)
 Dec 07 10:23:30.725 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source:
 62.210.71.167).
 Dec 07 10:23:30.841 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 07 10:23:39.912 [notice] {OR} Performing bandwidth self-test...done.
 Dec 07 10:43:52.145 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source:
 104.131.136.238).
 Dec 07 10:43:52.737 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 07 11:28:43.311 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source:
 62.210.142.39).
 Dec 07 11:28:43.734 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 07 11:45:51.148 [notice] {CIRC} No circuits are opened. Relaxed
 timeout for circuit 665 (a General-purpose client 1-hop circuit in state
 doing handshakes with channel state open) to 60000ms. However, it appears
 the circuit has timed out anyway. 2 guards are live.
 Dec 07 12:05:10.598 [notice] {GENERAL} Our IP Address has changed from
 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source:
 198.100.155.91).
 Dec 07 12:05:10.905 [notice] {OR} Self-testing indicates your ORPort is
 reachable from the outside. Excellent. Publishing server descriptor.
 Dec 07 12:34:54.194 [notice] {HEARTBEAT} Heartbeat: Tor's uptime is 0:29
 hours, with 2018 circuits open. I've sent 592.36 GB and received 591.16
 GB.
 Dec 07 12:34:54.205 [notice] {HEARTBEAT} Heartbeat: Accounting enabled.
 Sent: 41.50 GB / 1000.00 GB, Received: 41.41 GB / 1000.00 GB. The current
 accounting interval ends on 2015-12-08 07:00:00, in 18:25 hours.
 Dec 07 12:34:54.205 [notice] {HEARTBEAT} Circuit handshake stats since
 last time: 30713/30713 TAP, 64172/64172 NTor.
 Dec 07 12:34:54.205 [notice] {HEARTBEAT} Since startup, we have initiated
 0 v1 connections, 3 v2 connections, 10 v3 connections, and 233777 v4
 connections; and received 402 v1 connections, 112 v2 connections, 3 v3
 connections, and 179033 v4 connections.
 }}}

 I finally added "Address 95.211.138.7" to see if this helps, but for the
 relay polizei-erziehung (5CE3AD8AD04ADE66C0037A3CF5F7F7A40D48A20B) which
 is running in another jail on the same system this wasn't necessary and
 I have no idea why.

 While both relays are running 0.2.7.4-rc, other releases should be
 affected as well.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17782>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
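
A log check for the address flapping shown in the report above, as an added example that is not part of the original ticket or of Tor's code: it lists which sources suggested an address other than the one the operator knows to be forwarded to the relay. The sample log lines are constructed with documentation addresses, and the names `audit`, `expected`, `window` and `min_flips` and their thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Notice format as in the log excerpts above (unwrapped); the {DOMAIN} tag is optional.
CHANGE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[notice\] (?:\{\w+\} )?"
    r"Our IP Address has changed from (?P<old>\S+) to (?P<new>\S+); "
    r"rebuilding descriptor \(source: (?P<src>[^)]+)\)\."
)

def parse_changes(lines, year):
    """Yield (time, old, new, source) for each address-change notice."""
    for line in lines:
        m = CHANGE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m["old"], m["new"], m["src"]

def audit(lines, expected, year=2015, window=timedelta(hours=6), min_flips=3):
    """Report sources that suggested an address != expected, and flapping."""
    changes = list(parse_changes(lines, year))
    suspect = defaultdict(list)  # unexpected address -> sources that suggested it
    for _, _, new, src in changes:
        if new != expected:
            suspect[new].append(src)
    times = [c[0] for c in changes]
    flapping = any(  # min_flips changes that all fall inside one window
        times[i + min_flips - 1] - times[i] <= window
        for i in range(len(times) - min_flips + 1)
    )
    return {"changes": len(changes), "flapping": flapping, "suspect": dict(suspect)}

# Constructed sample input (documentation addresses, not the relay's real ones).
SAMPLE_LOG = [
    "Dec 01 18:34:58.337 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.",
    "Dec 01 18:55:26.206 [notice] {GENERAL} Our IP Address has changed from 192.0.2.51 to 192.0.2.7; rebuilding descriptor (source: 198.51.100.10).",
    "Dec 01 19:55:29.426 [notice] {GENERAL} Our IP Address has changed from 192.0.2.7 to 192.0.2.51; rebuilding descriptor (source: 198.51.100.20).",
    "Dec 01 20:15:45.001 [notice] Our IP Address has changed from 192.0.2.51 to 192.0.2.7; rebuilding descriptor (source: 198.51.100.30).",
    "Dec 01 20:16:35.027 [notice] {GENERAL} Our IP Address has changed from 192.0.2.7 to 192.0.2.51; rebuilding descriptor (source: 198.51.100.40).",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, expected="192.0.2.7"))
```

Pass the address that is actually forwarded to the relay as `expected`; any entry under `suspect` is a published descriptor that pointed somewhere else.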