[tor-relays] Faravahar messing with my IP address

Tim Wilson-Brown - teor teor2345 at gmail.com
Mon Nov 9 09:04:55 UTC 2015 

> On 9 Nov 2015, at 18:56, Matthew Finkel <matthew.finkel at gmail.com> wrote:
> 
> Which version of Tor were you previously running? Have you seen these
> messages within the last few days, after you upgraded?
> 

Hi SiNA, Matthew,

I can reproduce some unusual behaviour from Faravahar simply using wget.
It seems that a web cache in front of Faravahar's dirport might be misbehaving.

*Exit Notice - Reproducible Incorrect X-Your-Address-Is*

I just retrieved the Faravahar "exit notice" from a US AWS address, then a few seconds later made a query from an Australian home IP address.

Both queries returned the US AWS address in X-Your-Address-Is.
(A previous query from the Australian address a few minutes beforehand had the correct address.)

I can reproduce this behaviour: whichever query starts first is the one whose IP address gets recorded.

Subsequent queries get the same IP address for several tens of seconds afterwards.

I'm using:
wget --save-headers http://154.35.175.225/

The headers I see look like:

HTTP/1.0 200 OK
Age: 976
Date: Mon, 09 Nov 2015 08:35:20 GMT
Expires: Mon, 09 Nov 2015 08:55:20 GMT
Connection: Keep-Alive
ETag: "KXJDGONEHLPTLKVYRY"
Content-Type: text/html
X-Your-Address-Is: <not my IP address>
Content-Encoding: identity
Content-Length: 38126

*Directory Documents - Once-Off Header Corruption*

This caching behaviour isn't reproducible with the actual documents, but I did see one instance of corrupted headers:
* Content-Length is misspelt Xontent-Length,
* Connection and ETag are present, but they're not typically present in the headers of other directory documents from Faravahar.
* Expires is in the location it would typically be in for the exit notice (after Date), not the directory documents (last, after Content-Encoding)

wget --save-headers http://154.35.175.225/tor/status-vote/current/consensus-ns

HTTP/1.0 200 OK
Age: 975
Date: Mon, 09 Nov 2015 08:43:32 GMT
Expires: Mon, 09 Nov 2015 09:00:00 GMT
Xontent-Length:
Connection: Close
ETag: "KXJDGONEHLSKRWTYRY"
Content-Type: text/plain
X-Your-Address-Is: 180.200.153.214
Content-Encoding: identity

The second download with exactly the same URL did not contain [C|X]ontent-Length, Connection, or ETag.

It's probably worth mentioning that similar queries to other directory authorities do not show the same behaviour.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20151109/bc331c17/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20151109/bc331c17/attachment.sig>

More information about the tor-relays mailing list