netstat reporting destination IP address

anonym anonym at lavabit.com
Sat Nov 24 20:49:48 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings list,

Some of you might know me as the new maintainer of the Incognito LiveCD
(blatant advertising: http://incognito.anonymityanywhere.com). Anyway,
it uses a kernel level network filter (with Linux' netfilter/iptables)
which forwards all TCP traffic not sent directly through Tor to the
transparent proxy that is bundled with Tor (although it is not activated
in the standard config). With this we don't need to configure
applications to explicitly use Tor, which is nice as we have no idea what
our users intend to do.

However, I recently discovered that netstat will report these forwarded
TCP connections with the destination address as the "foreign" remote
host! netstat also reports that connections are made through Tor, but
still that one connection is made directly to the destination host. So,
for example, if I run "ssh desthost" where desthost is the destination
SSH server, netstat will output something like this (ignoring
connections to Tor nodes):

Active Internet connections (w/o servers)
Proto  Recv-Q  Send-Q  Local Address    Foreign Address  State
tcp         0       0  localhost:36762  desthost:ssh     ESTABLISHED

If I instead configure the SSH client to use Tor's SOCKS interface
explicitly or run "torify ssh desthost" etc. netstat gives this:

Active Internet connections (w/o servers)
Proto  Recv-Q  Send-Q  Local Address    Foreign Address  State
tcp         0       0  localhost:36762  localhost:9050   ESTABLISHED

Or, in other words, Tor is used (it listens on 9050) and all is well.

Naturally, this made me concerned to say the least since transparent
connection forwarding is an essential feature of Incognito. So I fired
up a packet sniffer to investigate if this really was the case.
Fortunately, I couldn't find desthost's IP address in any packet, only
a lot of communication with Tor nodes. So Tor is used and netstat is just
"wrong". Phew!

Now, with this background information in mind I can go on to my actual
questions for those of you who have managed to read all this (sorry for
being so verbose): Why does this happen? Is netstat operating on too
high a level to detect this kernel level magic?

Even though we still get as much anonymity as Tor offers and netstat is
wrong in some way I really do not want this to happen. Incognito uses
TorK as a control GUI to Tor, and since its "Non-Tor traffic log" uses
netstat and thus will log these erroneous connections, users might freak
out and think that Incognito is unsafe. In fact, that was what happened
to me. Can this be fixed?

Perhaps this should be taken up with the net-tools devs directly, as it
_might_ be a bug (or undesirable feature), but I thought I should ask
you guys first as some here might have experience with this combination
of configurations and software. So, any thoughts?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHSI5mp8EswdDmSVgRApziAJ0WnoDV6pX7auMfbo2HXAUFuACuAACZAZ0E
f5J5Y/upHUj1wJG2eIyGNbw=
=KpBV
-----END PGP SIGNATURE-----
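An added example, not part of the post above and not code from Incognito, TorK or net-tools, showing why netstat reports desthost and how a practitioner can check what the kernel actually did. netstat reads /proc/net/tcp, which records the addresses the application passed to connect(); netfilter's REDIRECT rewrites the IP/TCP headers of the packets after that, and the rewrite is only recorded in the connection-tracking table (/proc/net/nf_conntrack on current kernels, /proc/net/ip_conntrack on older ones, or `conntrack -L`). The script decodes a /proc/net/tcp row exactly as netstat does, then looks the socket up in conntrack entries and reports where the packets really went. Both inputs are constructed here: desthost is assumed to be 203.0.113.10, the local LAN address 10.0.0.5, Tor's TransPort 9040, and 198.51.100.7 stands in for a Tor node that is reached directly.

```python
import re
import socket
import struct

# Constructed /proc/net/tcp rows (the file netstat reads). Address columns are
# hex IPv4 in host byte order (little-endian on x86) followed by a hex port.
# Row 0: "ssh desthost" (10.0.0.5:36762 -> 203.0.113.10:22), caught by REDIRECT.
# Row 1: Tor's own connection to a Tor node (10.0.0.5:41000 -> 198.51.100.7:443).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:8F9A 0A7100CB:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0500000A:A028 076433C6:01BB 01 00000000:00000000 00:00000000 00000000   101        0 12346 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/nf_conntrack entries. Each line carries the original
# tuple and the reply tuple. For the redirected flow the reply comes from
# 127.0.0.1:9040 (Tor's TransPort, assumed), not from desthost:22.
NF_CONNTRACK = """\
ipv4     2 tcp      6 431995 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=36762 dport=22 src=127.0.0.1 dst=10.0.0.5 sport=9040 dport=36762 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=41000 dport=443 src=198.51.100.7 dst=10.0.0.5 sport=443 dport=41000 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def decode_addr(hexaddr):
    """Decode a /proc/net/tcp address field ('0A7100CB:0016') like netstat does."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def socket_view(proc_tcp_text):
    """The socket layer's view: (local, remote) for every ESTABLISHED socket."""
    rows = []
    for line in proc_tcp_text.splitlines()[1:]:
        fields = line.split()
        if not fields or fields[3] != "01":  # 01 == TCP_ESTABLISHED
            continue
        rows.append((decode_addr(fields[1]), decode_addr(fields[2])))
    return rows


def conntrack_view(nf_conntrack_text):
    """Map each original tuple (src, sport, dst, dport) to its reply tuple."""
    table = {}
    for line in nf_conntrack_text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
        table[(osrc, int(osport), odst, int(odport))] = (rsrc, int(rsport), rdst, int(rdport))
    return table


def real_peer(local, remote, table):
    """Where the socket's packets actually go.

    Without NAT the reply tuple is the mirror image of the original tuple.
    If it is not, netfilter rewrote the packets; for REDIRECT the reply
    source is the local proxy port the flow was steered to."""
    reply = table.get((local[0], local[1], remote[0], remote[1]))
    if reply is None:
        return None  # not in conntrack: nothing to say
    if reply == (remote[0], remote[1], local[0], local[1]):
        return remote  # no NAT: netstat's foreign address is the truth
    return (reply[0], reply[1])


def audit(proc_tcp_text, nf_conntrack_text):
    """Compare netstat's foreign address with the conntrack reply source for each socket."""
    table = conntrack_view(nf_conntrack_text)
    report = []
    for local, remote in socket_view(proc_tcp_text):
        actual = real_peer(local, remote, table)
        report.append({
            "socket_peer": remote,
            "actual_peer": actual,
            "redirected": actual is not None and actual != remote,
        })
    return report


if __name__ == "__main__":
    for entry in audit(PROC_NET_TCP, NF_CONNTRACK):
        print("netstat says %s:%d, packets go to %s, redirected=%s" % (
            entry["socket_peer"][0], entry["socket_peer"][1],
            entry["actual_peer"], entry["redirected"]))
```

On a live system the same comparison is `netstat -tn` (or `ss -tn`) against `cat /proc/net/nf_conntrack`; a flow whose reply tuple points at the TransPort was redirected even though the socket still names the original destination, which is also why a sniffer sees only Tor nodes.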
