[tor-relays] tor-relays Digest, Vol 78, Issue 19

0dayshoppingspree at tutanota.com 0dayshoppingspree at tutanota.com
Sat Jul 22 00:17:07 UTC 2017


Hello. 

I apologize for leaving some of the relevant information out of the first email. The relay operator did contact me, but I'm not him. 

I've seen it from the client side, where all my relays, starting with a US bridge, automatically connect to 1 or both of the other nodes, which are also in the US. I've had all 3 of them, Guard, Middle and Exit, on US IPs over and over and over again.

Changing bridges only works if the bridge is changed to a non-US IP. As soon as I change the bridge to 1 that hits a US IP, it automatically gives me a middle or exit, or both, in the US. 

Later in the day I was contacted by an HS operator who said they had also witnessed strange relay behavior in the last 2 or 3 days. He has subsequently shut down his HS.

I've studied Tor for the last 5 years and have been an active penetration tester in the community for the last 2 years. Something feels wrong, but I just can't put my finger on it. 

Thank You For Your Time
0Day

--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

21. Jul 2017 18:00 by tor-relays-request at lists.torproject.org:


> Today's Topics:
>
>    1. Traffic Confirmation Attacks/ Bad Relays
>       (0dayshoppingspree at tutanota.com)
>    2. Re: Traffic Confirmation Attacks/ Bad Relays (Matt Traudt)
>    3. Re: 100K circuit request per minute for hours killed my relay
>       (Arisbe)
>    4. Re: Traffic Confirmation Attacks/ Bad Relays (Matt Traudt)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 21 Jul 2017 18:12:25 +0200 (CEST)
> From: <0dayshoppingspree at tutanota.com>
> To: <tor-relays at lists.torproject.org>
> Subject: [tor-relays] Traffic Confirmation Attacks/ Bad Relays
> Message-ID: <Kp_uyMv--3-0 at tutanota.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello
>
> A few users have detected suspicious activity around certain Relays in the network. There could be Time Confirmation Attacks happening currently on the Live Tor Network.
>
> If any Tor dev sees this, Please Start Checking The US Relays in the network. 
> --
> Securely sent with Tutanota. Claim your encrypted mailbox today!
> https://tutanota.com
>
> ------------------------------
>
> Message: 2
> Date: Fri, 21 Jul 2017 12:56:02 -0400
> From: Matt Traudt <sirmatt at ksu.edu>
> To: tor-relays at lists.torproject.org
> Subject: Re: [tor-relays] Traffic Confirmation Attacks/ Bad Relays
> Message-ID: <a80a4261-f0d5-6a10-cf50-144ce348a12b at ksu.edu>
> Content-Type: text/plain; charset=utf-8
>
>
>
> On 7/21/17 12:12, 0dayshoppingspree at tutanota.com wrote:
>> Hello
>>
>> A few users have detected suspicious activity around certain Relays in
>> the network. There could be Time Confirmation Attacks happening
>> currently on the Live Tor Network.
>>
>> If any Tor dev sees this, Please Start Checking The US Relays in the
>> network.
>> -- 
>> Securely sent with Tutanota. Claim your encrypted mailbox today!
>> https://tutanota.com
>>
>
> Since this person has yet again left out all the important information,
> here's what this person has to say. I'm quoting this Reddit comment:
> https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o
>
> """
>
> I've noticed every single node in the circuits I start building all
> connect to 3 Relays in the US.
>
> Then today a relay operator notices this:
>
> I operate the apx family of exit nodes. [1]
>
> It may be valuable to know that traffic confirmation attacks [2] are
> seemingly taking place. [3]
>
> [1] apx1 apx2 apx3
>
> [2] http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf
>
>
> EDIT> See
>
> https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks
>
> [3] Regular 30 second windows with around 1.8 Gbit/s - 2.1 Gbit/s of
> traffic on each of the exits which are also guards (apx1, apx2) while
> the exit which isn't a guard sees stable traffic of only ~ 1 Gbit/s
> (apx3). Circuits to hidden services include guards and middle nodes
> (rendezvous point). DDoS attacks against hidden services do not affect
> exit nodes unless they are also guard nodes.
>
> """
>
> I now ask:
>
> 1. Please provide proof that all your circuits always contain 3 relays
> in the US. If you didn't actually mean that all circuits always have all
> 3 relays in the US, then please explain why you think sometimes having
> all 3 in the same country is bad. Keep in mind that guard nodes are a
> thing and it isn't weird to have the same 1st hop in every circuit. Also
> keep in mind that (i) there are a large number of relays in a small
> number of countries, (ii) a relay existing in country X does not
> necessarily mean they are dangerous relays, (iii) you should assume
> large adversaries would geo-diversify.
>
> 2. What is the point of bringing up the traffic you see on your relays?
> It isn't obvious to me. Keep in mind that relays aren't always assigned
> weights in a predictable or perfectly fair manner. I run multiple relays
> on a single machine and they get weighted very differently.
>
> Matt
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 21 Jul 2017 12:30:20 -0700
> From: Arisbe <arisbe at cni.net>
> To: tor-relays at lists.torproject.org
> Subject: Re: [tor-relays] 100K circuit request per minute for hours killed my relay
> Message-ID: <5813eac4-3000-c300-08aa-2718347b8bc1 at cni.net>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> I was under the impression that HidServDirectoryV2 was an obsolete 
> config option.  I run 0.2.9.11
>
>
> On 7/21/2017 3:42 AM, Scott Bennett wrote:
>> Vort <vvort at yandex.ru> wrote:
>>
>>>> Your message prompted me to check logs, and on one relay I see the following:
>>> Similar thing for me:
>>>
>>> Jul 19 00:08:27.000 [notice] Circuit handshake stats since last time: 3571/3571 TAP, 41180/41180 NTor.
>>> Jul 19 06:08:27.000 [notice] Circuit handshake stats since last time: 2054/2054 TAP, 29181/29181 NTor.
>>> Jul 19 12:08:28.000 [notice] Circuit handshake stats since last time: 2773/2773 TAP, 26497/26497 NTor.
>>> Jul 19 18:08:28.000 [notice] Circuit handshake stats since last time: 3970/3970 TAP, 31344/31344 NTor.
>>> Jul 20 00:08:28.000 [notice] Circuit handshake stats since last time: 4096/4096 TAP, 41730/41730 NTor.
>>> Jul 20 06:08:28.000 [notice] Circuit handshake stats since last time: 18285/18285 TAP, 54102/54102 NTor.
>>> Jul 20 12:08:28.000 [notice] Circuit handshake stats since last time: 61136/61386 TAP, 378196/378339 NTor.
>>> Jul 20 18:08:29.000 [notice] Circuit handshake stats since last time: 73297/73688 TAP, 566708/566892 NTor.
>>> Jul 21 00:08:29.000 [notice] Circuit handshake stats since last time: 67165/67830 TAP, 572685/572851 NTor.
>>> Jul 21 06:08:29.000 [notice] Circuit handshake stats since last time: 31988/32138 TAP, 521455/521536 NTor.
>>> Jul 21 12:08:29.000 [notice] Circuit handshake stats since last time: 5523/5523 TAP, 222378/222432 NTor.
>>>
>>> Also there are too many "[warn] assign_to_cpuworker failed. Ignoring." lines in the logs.
>>>
>>       This sort of thing has been going on for many years.  I used to refer
>> to it as "mobbing".  As nearly as I was ever able to determine, the behavior
>> is an unintended consequence of hidden services.  I found that I could greatly
>> reduce the frequency of occurrence, but *not* to zero, by setting
>>
>> HidServDirectoryV2 0
>>
>> in my torrc file.  My tentative conclusion was that the majority of these
>> events are cases in which a relay has been selected as an HSDir to which
>> a hidden service descriptor has been posted for a very popular hidden service,
>> so by refusing to be a hidden service directory mirror, those cases can be
>> eliminated.  I never had a very satisfying hypothesis to explain the remaining
>> minority of cases.
>>
>>
>>                                    Scott Bennett, Comm. ASMELG, CFIAG
>> **********************************************************************
>> * Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
>> *--------------------------------------------------------------------*
>> * "A well regulated and disciplined militia, is at all times a good  *
>> * objection to the introduction of that bane of all free governments *
>> * -- a standing army."                                               *
>> *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
>> **********************************************************************
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 21 Jul 2017 18:00:06 -0400
> From: Matt Traudt <sirmatt at ksu.edu>
> To: tor-relays at lists.torproject.org
> Subject: Re: [tor-relays] Traffic Confirmation Attacks/ Bad Relays
> Message-ID: <7cde3ca0-d263-41a4-a987-52d67cfb2bb2 at ksu.edu>
> Content-Type: text/plain; charset=utf-8
>
>
>
> On 7/21/17 12:56, Matt Traudt wrote:
>>
>> On 7/21/17 12:12, 0dayshoppingspree at tutanota.com wrote:
>>> Hello
>>>
>>> A few users have detected suspicious activity around certain Relays in
>>> the network. There could be Time Confirmation Attacks happening
>>> currently on the Live Tor Network.
>>>
>>> If any Tor dev sees this, Please Start Checking The US Relays in the
>>> network.
>>> --
>>> Securely sent with Tutanota. Claim your encrypted mailbox today!
>>> https://tutanota.com
>>>
>>
>> Since this person has yet again left out all the important information,
>> here's what this person has to say. I'm quoting this Reddit comment:
>> https://www.reddit.com/r/TOR/comments/6oor5n/confirmation_attacks_and_bad_relays/dkizo2o
>>
>> """
>>
>> I've noticed every single node in the circuits I start building all
>> connect to 3 Relays in the US.
>>
>> Then today a relay operator notices this:
>>
>> I operate the apx family of exit nodes. [1]
>>
>> It may be valuable to know that traffic confirmation attacks [2] are
>> seemingly taking place. [3]
>>
>> [1] apx1 apx2 apx3
>>
>> [2] http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf
>>
>>
>> EDIT> See
>>
>> https://www.reddit.com/r/DarkNetMarkets/comments/6oocii/tor_traffic_confirmation_attacks
>>
>> [3] Regular 30 second windows with around 1.8 Gbit/s - 2.1 Gbit/s of
>> traffic on each of the exits which are also guards (apx1, apx2) while
>> the exit which isn't a guard sees stable traffic of only ~ 1 Gbit/s
>> (apx3). Circuits to hidden services include guards and middle nodes
>> (rendezvous point). DDoS attacks against hidden services do not affect
>> exit nodes unless they are also guard nodes.
>>
>> """
>>
>> I now ask:
>>
>> 1. Please provide proof that all your circuits always contain 3 relays
>> in the US. If you didn't actually mean that all circuits always have all
>> 3 relays in the US, then please explain why you think sometimes having
>> all 3 in the same country is bad. Keep in mind that guard nodes are a
>> thing and it isn't weird to have the same 1st hop in every circuit. Also
>> keep in mind that (i) there are a large number of relays in a small
>> number of countries, (ii) a relay existing in country X does not
>> necessarily mean they are dangerous relays, (iii) you should assume
>> large adversaries would geo-diversify.
>>
>> 2. What is the point of bringing up the traffic you see on your relays?
>> It isn't obvious to me. Keep in mind that relays aren't always assigned
>> weights in a predictable or perfectly fair manner. I run multiple relays
>> on a single machine and they get weighted very differently.
>>
>> Matt
>
> The following is a reply from the person running exit nodes. I
> originally confused the following person with the one posting the vague
> "OMG US relays" panic on this list.
>
> I'll probably be stepping out of this discussion at this point. I don't
> think there's more I can contribute.
>
> """
> Hey,
>
> I was made aware of this thread by the user pastly in the #tor IRC
> channel. I would like to clarify some things.
>
> To begin with, I really don't know what the user is referring to. There
> are currently 149 exit nodes from the US, from a total of 787 exit
> nodes; that is 81% non-US exit nodes. If the user's client does in fact
> only connect to US relays, that is likely unrelated to my observations.
> However, if that happens consistently, I would really appreciate if that
> would be investigated further.
>
> Now, to my observations and the post that was referred to:
>
> /I clearly failed to clarify/ that the "suspicious" traffic which caught
> my interest was about non-Tor IPs entering the network through my exits.
>
> As pastly nicely put it: /> will never be used as a guard by
> well-behaved tor clients./
>
> My observations were made using a utility I built using nDPI and sysdig
> (kernel module).
>
> That is, I have observed about a gigabit of traffic entering my exit
> nodes originating /from non-Tor IPs/, causing connections to be
> initiated to middle nodes.
>
> I have not claimed evidence to "prove" confirmation attacks. I have
> merely observed nearly a gigabit (on multiple nodes, that is) of inbound
> traffic entering the network through my exit nodes, which does not seem
> very reasonable to do unless the goal is to attack hidden services.
>
> If I can clarify further, please let me know.
>
> -- Kenan
> """
>
>
> ------------------------------
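As an added example (not code from the thread, from tor, or from any of the posters), the following Python parses the "Circuit handshake stats" lines Vort quoted, treating each pair as completed/requested as tor prints them, computes dropped handshakes per six-hour window and flags windows whose load is far above a quiet baseline; the sample log is constructed from the quoted lines, and the baseline length and 5x threshold are assumptions.

```python
import re
import statistics

# Constructed sample: a subset of the six-hourly "Circuit handshake stats" lines
# quoted in the thread; each pair is completed/requested for that handshake type.
SAMPLE_LOG = """\
Jul 19 00:08:27.000 [notice] Circuit handshake stats since last time: 3571/3571 TAP, 41180/41180 NTor.
Jul 19 06:08:27.000 [notice] Circuit handshake stats since last time: 2054/2054 TAP, 29181/29181 NTor.
Jul 19 12:08:28.000 [notice] Circuit handshake stats since last time: 2773/2773 TAP, 26497/26497 NTor.
Jul 19 18:08:28.000 [notice] Circuit handshake stats since last time: 3970/3970 TAP, 31344/31344 NTor.
Jul 20 06:08:28.000 [notice] Circuit handshake stats since last time: 18285/18285 TAP, 54102/54102 NTor.
Jul 20 12:08:28.000 [notice] Circuit handshake stats since last time: 61136/61386 TAP, 378196/378339 NTor.
Jul 21 00:08:29.000 [notice] Circuit handshake stats since last time: 67165/67830 TAP, 572685/572851 NTor.
Jul 21 12:08:29.000 [notice] Circuit handshake stats since last time: 5523/5523 TAP, 222378/222432 NTor.
"""

STATS_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d [\d:.]+) \[notice\] Circuit handshake stats since last time: "
    r"(?P<tap_done>\d+)/(?P<tap_req>\d+) TAP, (?P<ntor_done>\d+)/(?P<ntor_req>\d+) NTor\."
)

def parse_handshake_stats(text):
    """One dict per stats line: handshakes requested in the window and how many
    the relay failed to complete (the symptom behind "assign_to_cpuworker failed")."""
    windows = []
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if not m:
            continue  # unrelated log lines are skipped
        f = {k: int(v) for k, v in m.groupdict().items() if k != "ts"}
        requested = f["tap_req"] + f["ntor_req"]
        completed = f["tap_done"] + f["ntor_done"]
        windows.append({"ts": m["ts"], "requested": requested,
                        "dropped": requested - completed})
    return windows

def flag_anomalies(windows, baseline_windows=4, factor=5.0):
    """Compare each later window with the median load of the first
    baseline_windows (assumed quiet); flag floods and dropped handshakes."""
    base = statistics.median(w["requested"] for w in windows[:baseline_windows])
    flagged = []
    for w in windows[baseline_windows:]:
        reasons = []
        if w["requested"] > factor * base:
            reasons.append(f"{w['requested'] / base:.1f}x baseline load")
        if w["dropped"]:
            reasons.append(f"{w['dropped']} handshakes dropped")
        if reasons:
            flagged.append((w["ts"], "; ".join(reasons)))
    return flagged
```

On a live relay, feed it the notice log and tune the baseline to a known-quiet period; the dropped-handshake count is the figure to watch alongside the cpuworker warnings.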