[tor-dev] Do Tor relays rely on ICMP type 11 (time exceeded / timeout in transit)?

teor teor2345 at gmail.com
Sun Oct 22 20:55:28 UTC 2017


> On 23 Oct 2017, at 05:14, Igor Mitrofanov <igor.n.mitrofanov at gmail.com> wrote:
> 
> On my relays I am dropping any traffic that Tor itself does not rely on.
> I wonder if I should allow or block incoming and/or outgoing ICMP type 11
> (time exceeded / timeout in transit)?

Try it and see?

> My host does receive some ICMP type 11 packets, and does seem to send
> some out, but I am not sure if Tor is the source or destination.
> Do Tor relays use some 'traceroute'-like mechanism to detect unreachable relays?

Not as far as I am aware.

> "netstat -s:
>    ...
>    ICMP input histogram:
>        ...
>        timeout in transit: 1923
>    ...
>    ICMP output histogram:
>        ...
>        timeout in transit: 1277
> "
> I remember seeing outgoing TCP packets with TTL set to 1 - those were
> the ones triggering incoming ICMP type 11 packets.

Are you running an exit?
Do you have multiple IP addresses?
Using OutboundBindAddressExit can help you to find out if it's tor relaying
traffic, or tor exit traffic from clients that are doing TCP traceroutes.

T
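
An added example, not part of the original message or of Tor's own code: an incoming ICMP type 11 packet quotes the IP header of the packet whose TTL expired, so once OutboundBindAddressExit is set the quoted source address shows whether exit traffic triggered it. The address 192.0.2.20, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# Assumption: torrc has "OutboundBindAddressExit 192.0.2.20" (constructed address).
EXIT_ADDR = "192.0.2.20"

def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 (sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def icmp_error(router, local_src, remote_dst, dport, icmp_type=11):
    """Constructed ICMP error as the relay host would receive it."""
    tcp8 = struct.pack("!HHI", 40000, dport, 0)   # first 8 bytes of the TCP header
    quoted = ipv4_header(local_src, remote_dst, 6, 1, 8) + tcp8
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + quoted
    return ipv4_header(router, local_src, 1, 64, len(icmp)) + icmp

def classify(packet):
    """Return (label, tcp_dst_port) for an ICMP type 11 packet, else None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20 or packet[ihl] != 11:
        return None
    quoted = packet[ihl + 8:]                     # original IP header + 8 bytes
    q_ihl = (quoted[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(quoted[12:16]))
    dport = None
    if quoted[9] == 6 and len(quoted) >= q_ihl + 4:
        dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
    return ("exit" if src == EXIT_ADDR else "not-exit"), dport

def tally(packets):
    """Count type 11 packets by which local address sent the expired packet."""
    return Counter(r[0] for r in map(classify, packets) if r)

SAMPLE = [  # constructed packets, documentation address ranges
    icmp_error("198.51.100.1", "192.0.2.20", "203.0.113.5", 80),
    icmp_error("198.51.100.2", "192.0.2.20", "203.0.113.6", 443),
    icmp_error("198.51.100.3", "192.0.2.10", "203.0.113.7", 9001),
    icmp_error("198.51.100.4", "192.0.2.20", "203.0.113.8", 80, icmp_type=3),
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE)))
```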

