[tor-relays] Updating our IP Address

diffusae punasipuli at t-online.de
Tue Dec 20 14:25:26 UTC 2016 

Hi!

Yesterday I encountered a strange IP address update via DynDNS:

Dec 19 23:00:32.000 [notice] Your IP address seems to have changed to
176.10.104.240 (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.
Dec 19 23:00:32.000 [notice] Our IP Address has changed from xx.xx.xx.xx
to 176.10.104.240; rebuilding descriptor (source: METHOD=RESOLVED
HOSTNAME=my.dyndns.cc).
Dec 19 23:00:36.000 [notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent.
Dec 19 23:04:32.000 [notice] Your IP address seems to have changed to
xx.xx.xx.xx (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.
Dec 19 23:04:32.000 [notice] Our IP Address has changed from
176.10.104.240 to xx.xx.xx.xx ; rebuilding descriptor (source:
METHOD=RESOLVED HOSTNAME=my.dyndns.cc).
Dec 19 23:04:34.000 [notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent.
Dec 19 23:08:32.000 [notice] Your IP address seems to have changed to
176.10.104.240 (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.
Dec 19 23:08:32.000 [notice] Our IP Address has changed from xx.xx.xx.xx
to 176.10.104.240; rebuilding descriptor (source: METHOD=RESOLVED
HOSTNAME=my.dyndns.cc).
Dec 19 23:08:34.000 [notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent.
Dec 19 23:13:32.000 [notice] Your IP address seems to have changed to
xx.xx.xx.xx (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.
Dec 19 23:13:32.000 [notice] Our IP Address has changed from
176.10.104.240 to xx.xx.xx.xx; rebuilding descriptor (source:
METHOD=RESOLVED HOSTNAME=my.dyndns.cc).
Dec 19 23:13:36.000 [notice] Self-testing indicates your ORPort is
reachable from the outside. Excellent.
Dec 19 23:22:38.000 [notice] Self-testing indicates your DirPort is
reachable from the outside. Excellent. Publishing server descriptor

The DynDNS client updates the IP every five minutes. It looks like
somebody has tried to changed / update the IP manually or via spoofed
update (DNS) entry. I also recognized the change at the WebGUI of the
DynDNS Provider. The changed IP address is an exit node
(0111BA9B604669E636FFD5B503F382A4B7AD6E80) in Switzerland.

I don't think, that this is a bug in Tor 0.2.9.7-rc. Are there any
possible attacks to Tor relays, if they are using a faked IP address?
Normally this shouldn't work. Even if the traffic is redirected to an
exit node, but I am not sure.

Well, it should be safer to use autodetection of the IP though Tor.

Regards,

More information about the tor-relays mailing list