Suspicious Circuits

Kyle Williams kyle.kwilliams at gmail.com
Mon Dec 10 07:03:36 UTC 2007


I researched this some more, and believe it to be a bug with the
0.2.0.12-alpha version being used for hidden services.  I switched it to
0.1.2.8-alpha and have not been able to reproduce the problem.

This makes me happy knowing this probably wasn't some sort of attack on
hidden services.  It was really weird seeing the same node twice in a
circuit though.

Bug hunting...fun times.

- Kyle

-----Original Message-----
From: Kyle Williams [mailto:kyle.kwilliams at gmail.com] 
Sent: Sunday, December 09, 2007 9:20 PM
To: 'or-talk at freehaven.net'
Subject: Suspicious Circuits

I've been having problems getting to hidden services the last couple of
days.
I noticed something odd in Vidalia the other day, but it was gone before I
could take a screenshot.
However this evening, I was having a lot of problems with .onion addresses,
and Vidalia was showing several (more than 6) nodes in a circuit almost
every time I tried to reach any hidden service, including my own.

Here are some cropped screenshots of the circuits as shown in Vidalia.

http://www.janusvm.com/pub/bad-1.jpg
http://www.janusvm.com/pub/bad-2.jpg
http://www.janusvm.com/pub/bad-3.jpg
http://www.janusvm.com/pub/bad-4.jpg
http://www.janusvm.com/pub/bad-5.jpg
http://www.janusvm.com/pub/bad-6.jpg    <--- VERY INTERESTING

These circuits have more than 3 nodes, and as shown in the picture, have the
same node more than once in the circuit.  Correct me if I'm wrong, but I
thought circuits are not allowed to have the same node more than once.

I noticed three nodes in a set, and three different sets acting this way.
=========================================================================
$443BAA7BE006A904179DD35013F788F1DDD275E5 - askatasuna 216.195.133.27
$847B1F850344D7876491A54892F904934E4EB85D - tor26 86.59.21.38
$99BDCC9E80D4E77E2357B77142E4023CE0D12B5A - Qba20070825pl 195.34.208.22
=========================================================================
$CCD030D151A5BAC14D49C77386EC33FF99EAE580 - paperoga 213.203.146.95
$B2CF35C7DF36E7FFC60CCC67D3189FE09E1E4E4A - univac 217.230.243.147
$08101AD124C3B10E2F1F18DF2B51F4901E385170 - SEC 192.42.113.248
=========================================================================
$376FF360B98C07F84E90D3A26831223440C11062 - chaoscitytor 85.25.52.40
$A0DD5DC19A0ED1692EB6663684D04A2ABD3D491B - shadow 24.29.193.226
$3AD690A220A316B08FBFBACF8757C92DA0033B57 - mushin 18.152.2.242
=========================================================================

What I found even more disturbing, 'tor26' (bad-6.jpg) seemed to be
participating in whatever was going on.  Isn't this a DA!?

So does anyone have a clue as to what is going on?  Is this an attack on
hidden services??

I added the following line to my torrc configs and everything seems to work
well now.

ExcludeNodes $443BAA7BE006A904179DD35013F788F1DDD275E5,$847B1F850344D7876491A54892F904934E4EB85D,$99BDCC9E80D4E77E2357B77142E4023CE0D12B5A,$3AD690A220A316B08FBFBACF8757C92DA0033B57,$B2CF35C7DF36E7FFC60CCC67D3189FE09E1E4E4A,$08101AD124C3B10E2F1F18DF2B51F4901E385170,$376FF360B98C07F84E90D3A26831223440C11062,$A0DD5DC19A0ED1692EB6663684D04A2ABD3D491B,$CCD030D151A5BAC14D49C77386EC33FF99EAE580


- Kyle 
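
[Added example, not part of the original message or of Tor/Vidalia.] The check the post describes doing by eye in Vidalia (a circuit with more than 3 nodes, or the same node twice) can be run over control-port `GETINFO circuit-status` reply lines. The circuit IDs and paths below are constructed, and the 3-hop limit is the post's own expectation, passed as a parameter.

```python
import re
from collections import Counter

# Constructed sample in the shape of `GETINFO circuit-status` reply lines
# (CircuitID, status, optional comma-separated path). IDs and paths are made
# up for illustration; fingerprints/nicknames come from the list in the post.
SAMPLE = """\
7 BUILT $443BAA7BE006A904179DD35013F788F1DDD275E5=askatasuna,$847B1F850344D7876491A54892F904934E4EB85D=tor26,$99BDCC9E80D4E77E2357B77142E4023CE0D12B5A=Qba20070825pl,$443BAA7BE006A904179DD35013F788F1DDD275E5=askatasuna
8 BUILT $CCD030D151A5BAC14D49C77386EC33FF99EAE580=paperoga,$B2CF35C7DF36E7FFC60CCC67D3189FE09E1E4E4A=univac,$08101AD124C3B10E2F1F18DF2B51F4901E385170=SEC
9 LAUNCHED
10 BUILT PURPOSE=GENERAL
"""

# A hop is "$<40 hex>" with an optional "=nick" / "~nick", or a bare nickname.
HOP = re.compile(r"^\$([0-9A-Fa-f]{40})(?:[=~](\w{1,19}))?$|^(\w{1,19})$")

def parse_circuit(line):
    """Return (circuit_id, status, [hop keys]); None if the line is too short."""
    parts = line.split()
    if len(parts) < 2:
        return None
    hops = []
    if len(parts) > 2:
        # Treat the third field as a path only if every element looks like a
        # hop; this skips KEY=VALUE fields on circuits that have no path yet.
        matches = [HOP.match(h) for h in parts[2].split(",")]
        if all(matches):
            # Key on the fingerprint when present, else on the nickname.
            hops = [(m.group(1) or m.group(3)).upper() for m in matches]
    return parts[0], parts[1], hops

def suspicious(text, max_hops=3):
    """List circuits that repeat a relay or exceed max_hops."""
    findings = []
    for line in text.splitlines():
        parsed = parse_circuit(line)
        if parsed is None:
            continue
        cid, _status, hops = parsed
        repeated = sorted(k for k, n in Counter(hops).items() if n > 1)
        if repeated or len(hops) > max_hops:
            findings.append({"id": cid, "hops": len(hops), "repeated": repeated})
    return findings

if __name__ == "__main__":
    for finding in suspicious(SAMPLE):
        print(finding)
```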


