Suspicious Circuits

Kyle Williams kyle.kwilliams at gmail.com
Mon Dec 10 05:19:53 UTC 2007


I've been having problems getting to hidden services the last couple of
days.
I noticed something odd in Vidalia the other day, but it was gone before I
could take a screenshot.
However this evening, I was having a lot of problems with .onion addresses,
and Vidalia was showing several (more than 6) nodes in a circuit almost
every time I tried to reach any hidden service, including my own.

Here are some cropped screenshots of the circuits as shown in Vidalia.

http://www.janusvm.com/pub/bad-1.jpg
http://www.janusvm.com/pub/bad-2.jpg
http://www.janusvm.com/pub/bad-3.jpg
http://www.janusvm.com/pub/bad-4.jpg
http://www.janusvm.com/pub/bad-5.jpg
http://www.janusvm.com/pub/bad-6.jpg    <--- VERY INTERESTING

These circuits have more than 3 nodes, and as shown in the picture, have the
same node more than once in the circuit.  Correct me if I'm wrong, but I
thought circuits are not allowed to have the same node more than once.

I noticed three nodes in a set, and three different sets acting this way.
=========================================================================
$443BAA7BE006A904179DD35013F788F1DDD275E5 - askatasuna 216.195.133.27
$847B1F850344D7876491A54892F904934E4EB85D - tor26 86.59.21.38
$99BDCC9E80D4E77E2357B77142E4023CE0D12B5A - Qba20070825pl 195.34.208.22
=========================================================================
$CCD030D151A5BAC14D49C77386EC33FF99EAE580 - paperoga 213.203.146.95
$B2CF35C7DF36E7FFC60CCC67D3189FE09E1E4E4A - univac 217.230.243.147
$08101AD124C3B10E2F1F18DF2B51F4901E385170 - SEC 192.42.113.248
=========================================================================
$376FF360B98C07F84E90D3A26831223440C11062 - chaoscitytor 85.25.52.40
$A0DD5DC19A0ED1692EB6663684D04A2ABD3D491B - shadow 24.29.193.226
$3AD690A220A316B08FBFBACF8757C92DA0033B57 - mushin 18.152.2.242
=========================================================================

What I found even more disturbing is that 'tor26' (bad-6.jpg) seemed to be
participating in whatever was going on.  Isn't this a DA!?

So does anyone have a clue as to what is going on?  Is this an attack on
hidden services??

I added the following line to my torrc configs and everything seems to work
well now.

ExcludeNodes $443BAA7BE006A904179DD35013F788F1DDD275E5,$847B1F850344D7876491A54892F904934E4EB85D,$99BDCC9E80D4E77E2357B77142E4023CE0D12B5A,$3AD690A220A316B08FBFBACF8757C92DA0033B57,$B2CF35C7DF36E7FFC60CCC67D3189FE09E1E4E4A,$08101AD124C3B10E2F1F18DF2B51F4901E385170,$376FF360B98C07F84E90D3A26831223440C11062,$A0DD5DC19A0ED1692EB6663684D04A2ABD3D491B,$CCD030D151A5BAC14D49C77386EC33FF99EAE580


- Kyle 
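The check Kyle is doing by eye in Vidalia (a circuit with more than three hops, or the same relay appearing twice) can be automated against the output of the Tor control port's `GETINFO circuit-status` command, which lists each circuit as `CircuitID Status Path [key=value ...]` with the path as comma-separated `$FINGERPRINT=nickname` entries. The script below is an added example, not code from the post, from Vidalia or from the Tor project: it parses such lines, flags circuits that violate either rule, and builds the same kind of torrc `ExcludeNodes` line Kyle used as a mitigation. The sample circuit-status lines are constructed for the example; they reuse the fingerprints and nicknames listed in the post, but the paths themselves are made up and do not reproduce what the screenshots showed.

```python
import re
from collections import Counter

# Constructed sample of "GETINFO circuit-status" output (control-spec format:
# "CircuitID Status Path [key=value ...]"). Fingerprints/nicknames are those
# listed in the post; the circuit paths are invented for this example.
SAMPLE_CIRCUIT_STATUS = """\
1 BUILT $443BAA7BE006A904179DD35013F788F1DDD275E5=askatasuna,$847B1F850344D7876491A54892F904934E4EB85D=tor26,$99BDCC9E80D4E77E2357B77142E4023CE0D12B5A=Qba20070825pl BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL
2 BUILT $CCD030D151A5BAC14D49C77386EC33FF99EAE580=paperoga,$B2CF35C7DF36E7FFC60CCC67D3189FE09E1E4E4A=univac,$08101AD124C3B10E2F1F18DF2B51F4901E385170=SEC,$CCD030D151A5BAC14D49C77386EC33FF99EAE580=paperoga PURPOSE=GENERAL
3 BUILT $376FF360B98C07F84E90D3A26831223440C11062=chaoscitytor,$A0DD5DC19A0ED1692EB6663684D04A2ABD3D491B=shadow,$3AD690A220A316B08FBFBACF8757C92DA0033B57=mushin,$376FF360B98C07F84E90D3A26831223440C11062=chaoscitytor,$A0DD5DC19A0ED1692EB6663684D04A2ABD3D491B=shadow,$3AD690A220A316B08FBFBACF8757C92DA0033B57=mushin,$847B1F850344D7876491A54892F904934E4EB85D=tor26 PURPOSE=GENERAL
4 EXTENDED $443BAA7BE006A904179DD35013F788F1DDD275E5=askatasuna
"""

# One path element: $<40 hex chars>, optionally followed by =nickname or ~nickname.
HOP_RE = re.compile(r'^\$([0-9A-Fa-f]{40})(?:[=~](\S+))?$')


def parse_circuit_status(text):
    """Parse circuit-status lines into dicts with 'id', 'status' and a list of
    (fingerprint, nickname) hops. Circuits still being built may have no path."""
    circuits = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        circ_id, status = fields[0], fields[1]
        hops = []
        # The path is the third field only when it starts with '$'; otherwise
        # the line goes straight to key=value fields.
        if len(fields) > 2 and fields[2].startswith('$'):
            for hop in fields[2].split(','):
                m = HOP_RE.match(hop)
                if not m:
                    raise ValueError(f"unrecognised hop {hop!r} in circuit {circ_id}")
                hops.append((m.group(1).upper(), m.group(2)))
        circuits.append({'id': circ_id, 'status': status, 'hops': hops})
    return circuits


def audit_circuits(circuits, max_hops=3):
    """Flag circuits longer than max_hops or containing the same relay twice,
    the two anomalies described in the post."""
    findings = []
    for circ in circuits:
        fps = [fp for fp, _ in circ['hops']]
        reasons = []
        if len(fps) > max_hops:
            reasons.append(f"{len(fps)} hops (expected at most {max_hops})")
        repeated = sorted(fp for fp, n in Counter(fps).items() if n > 1)
        if repeated:
            reasons.append("repeated relay(s): " + ", ".join(repeated))
        if reasons:
            findings.append({'id': circ['id'], 'status': circ['status'],
                             'reasons': reasons, 'fingerprints': fps})
    return findings


def exclude_nodes_line(findings):
    """Build a torrc ExcludeNodes line from every relay seen in a flagged
    circuit (deduplicated, sorted), the mitigation the post applied."""
    fps = sorted({fp for f in findings for fp in f['fingerprints']})
    return "ExcludeNodes " + ",".join("$" + fp for fp in fps)


if __name__ == "__main__":
    found = audit_circuits(parse_circuit_status(SAMPLE_CIRCUIT_STATUS))
    for f in found:
        print(f"circuit {f['id']} ({f['status']}): " + "; ".join(f['reasons']))
    if found:
        print(exclude_nodes_line(found))
```

To run it against a live client, feed the script the raw text returned by `GETINFO circuit-status` on the control port instead of the constructed sample; the generated line can be pasted into torrc, and the flagged circuit IDs tell you which circuits to look at in Vidalia before deciding whether the relays really deserve exclusion.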



More information about the tor-talk mailing list