bizarre connection list to tor's DirPort

Kyle Williams kyle.kwilliams at gmail.com
Sat Sep 1 04:24:43 UTC 2007


Sounds strange.

If it was my connection, I would fire up a network sniffer and see what's in
those requests.
If it continues and you don't feel comfortable with it, filter out that IP
on your firewall.

If you do see something unusual in those requests, could you be so kind to
post a dump file (pcap format) of the traffic (filtered by that IP of
course) so the rest of us can take a look? :)



On 8/31/07, Scott Bennett <bennett at cs.niu.edu> wrote:
>
>      Using netstat or lsof, there are sometimes over 50 ESTABLISHED connections
> to my tor server's DirPort from a single IP source address, which resolves to
>
>         ignfwdnoi-nat.asia.csc.com
>
> Each such connection is usually displayed by netstat to have at least 32500
> bytes in the send queue.
>      I've checked the current cached-routers and cached-routers.new files and
> have found no sign of either ignfwdnoi-nat.asia.csc.com or its IP address
> (20.139.66.64) in either file, so it doesn't appear to be a valid exit server,
> from which directory fetch requests might be appearing.
>      Does anyone have an idea what might be going on?  I.e., is it something
> legitimate?  Or should I treat it as an attack of some sort and respond by
> blocking packets from that system at my router?
>
>
>                                   Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet:       bennett at cs.niu.edu                              *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good  *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army."                                               *
> *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
> **********************************************************************
>
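
The per-source check described in this thread (many ESTABLISHED connections to the DirPort from one address, each with a large send queue) can be scripted. The following is an added example, not part of the original messages. It assumes a DirPort of 9030, a connection threshold of 20, and hypothetical function names; the netstat lines are constructed sample data, and both the Linux (`addr:port`) and BSD (`addr.port`) layouts are handled.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values are marked below.
DIRPORT="${DIRPORT:-9030}"        # assumption: use the DirPort from your torrc
MAX_CONNS="${MAX_CONNS:-20}"      # assumption: per-source connection threshold
MIN_SENDQ="${MIN_SENDQ:-32500}"   # per-connection send queue reported in the thread

# Reads netstat output (Proto Recv-Q Send-Q Local Foreign State) on stdin.
# Prints "ip connections stalled total_sendq" for every remote address with
# more than MAX_CONNS ESTABLISHED connections to the DirPort.
# Usage: netstat -tn | dirport_heavy_sources
dirport_heavy_sources() {
    awk -v port="$DIRPORT" -v maxc="$MAX_CONNS" -v minq="$MIN_SENDQ" '
    # The port is whatever follows the last ":" (Linux) or "." (BSD).
    function ep_port(ep,    n, parts) {
        n = split(ep, parts, /[.:]/)
        return parts[n]
    }
    function ep_ip(ep,    p) {
        p = ep_port(ep)
        return substr(ep, 1, length(ep) - length(p) - 1)
    }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" && ep_port($4) == port {
        ip = ep_ip($5)
        conns[ip]++
        sendq[ip] += $3
        if ($3 + 0 >= minq + 0) stalled[ip]++   # queue is not draining
    }
    END {
        for (ip in conns)
            if (conns[ip] > maxc)
                printf "%s %d %d %d\n", ip, conns[ip], stalled[ip], sendq[ip]
    }'
}

# Constructed sample input: not captured traffic.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0  32580 192.0.2.10:9030         20.139.66.64:40001      ESTABLISHED
tcp        0  33304 192.0.2.10:9030         20.139.66.64:40002      ESTABLISHED
tcp        0      0 192.0.2.10:9030         20.139.66.64:40003      ESTABLISHED
tcp        0      0 192.0.2.10:9030         198.51.100.7:51515      ESTABLISHED
tcp        0  40000 192.0.2.10:9001         20.139.66.64:40004      ESTABLISHED
tcp4       0  32500 192.0.2.10.9030         20.139.66.64.40005      ESTABLISHED
tcp        0      0 192.0.2.10:9030         20.139.66.64:40006      TIME_WAIT
EOF
}
```

A flagged address is a candidate for the packet capture or firewall filter suggested in the reply above.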