Hi!
Yesterday I encountered a strange IP address update via DynDNS:
Dec 19 23:00:32.000 [notice] Your IP address seems to have changed to 176.10.104.240 (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.
Dec 19 23:00:32.000 [notice] Our IP Address has changed from xx.xx.xx.xx to 176.10.104.240; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc).
Dec 19 23:00:36.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
Dec 19 23:04:32.000 [notice] Your IP address seems to have changed to xx.xx.xx.xx (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.
Dec 19 23:04:32.000 [notice] Our IP Address has changed from 176.10.104.240 to xx.xx.xx.xx ; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc).
Dec 19 23:04:34.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
Dec 19 23:08:32.000 [notice] Your IP address seems to have changed to 176.10.104.240 (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.
Dec 19 23:08:32.000 [notice] Our IP Address has changed from xx.xx.xx.xx to 176.10.104.240; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc).
Dec 19 23:08:34.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
Dec 19 23:13:32.000 [notice] Your IP address seems to have changed to xx.xx.xx.xx (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.
Dec 19 23:13:32.000 [notice] Our IP Address has changed from 176.10.104.240 to xx.xx.xx.xx; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc).
Dec 19 23:13:36.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.
Dec 19 23:22:38.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent. Publishing server descriptor
The DynDNS client updates the IP every five minutes. It looks like somebody has tried to change / update the IP manually or via a spoofed update (DNS) entry. I also noticed the change in the WebGUI of the DynDNS provider. The changed IP address is an exit node (0111BA9B604669E636FFD5B503F382A4B7AD6E80) in Switzerland.
I don't think that this is a bug in Tor 0.2.9.7-rc. Are there any possible attacks on Tor relays if they are using a faked IP address? Normally this shouldn't work, even if the traffic is redirected to an exit node, but I am not sure.
Well, it should be safer to use autodetection of the IP through Tor.
Regards,
Hello,
I'm part of the abuse team of the mentioned Tor exit. I also follow this mailing list.
I read your post several times but I'm not sure what you were doing. It looks to me like you are running a tor node and also have a dyndns update process running.
Is this correct? Please provide some more information about your use case/configuration.
best regards
Dirk
On 20.12.2016 15:25, diffusae wrote:
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I'm familiar with DynDNS and the client. The client tries to detect your external IP address in order to keep your dynamic DNS record pointed at your current IP. It looks to me like you're running it on a machine that's routing through Tor. So it picks up the IP address of the Exit you're routed through, and incorrectly tries to update your dynamic DNS with this Exit IP instead of your actual IP.
If this theory is correct, there's not really a "bug" here. It's working as expected. You can't run the DynDNS client if you're routing traffic through Tor.
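The symptom in the posted log, the relay's address alternating every few minutes between the operator's address and a Tor exit, is easy to detect mechanically. The following is an added example, not code from the thread or from Tor: it parses Tor's "Our IP Address has changed" notices, flags a burst of changes that bounce between only two addresses, and lists any address that is not the operator's own. The sample lines are constructed from the posted log, with the redacted address replaced by the documentation address 198.51.100.7.

```python
import re
from datetime import datetime, timedelta

# Tor "notice" line reporting an address change, in the shape of the posted log.
CHANGE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d{3} \[notice\] "
    r"Our IP Address has changed from (?P<old>\S+) to (?P<new>\S+) ?; rebuilding descriptor "
    r"\(source: METHOD=(?P<method>\w+)(?: HOSTNAME=(?P<host>\S+))?\)"
)

def parse_changes(lines, year=2016):
    """Extract (timestamp, old, new, method, host) from each address-change notice."""
    changes = []
    for line in lines:
        m = CHANGE_RE.match(line)
        if m:  # other notices (self-test results etc.) are skipped
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            changes.append((ts, m["old"], m["new"], m["method"], m["host"]))
    return changes

def find_flapping(changes, window=timedelta(minutes=30), min_changes=3):
    """Return the two addresses the relay bounced between if at least `min_changes`
    changes inside `window` involve only two distinct addresses; otherwise an empty set."""
    for i, (start, *_rest) in enumerate(changes):
        burst = [c for c in changes[i:] if c[0] - start <= window]
        addrs = {c[1] for c in burst} | {c[2] for c in burst}
        if len(burst) >= min_changes and len(addrs) == 2:
            return addrs
    return set()

def unexpected_addresses(changes, expected):
    """Addresses Tor switched to that are not the operator's own address."""
    return sorted({c[2] for c in changes if c[2] != expected})

# Constructed sample: the posted notices with the operator's redacted address
# replaced by 198.51.100.7 (RFC 5737 documentation range).
SAMPLE_LOG = [
    "Dec 19 23:00:32.000 [notice] Your IP address seems to have changed to 176.10.104.240 (METHOD=RESOLVED HOSTNAME=my.dyndns.cc). Updating.",
    "Dec 19 23:00:32.000 [notice] Our IP Address has changed from 198.51.100.7 to 176.10.104.240; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc).",
    "Dec 19 23:00:36.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent.",
    "Dec 19 23:04:32.000 [notice] Our IP Address has changed from 176.10.104.240 to 198.51.100.7 ; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc).",
    "Dec 19 23:08:32.000 [notice] Our IP Address has changed from 198.51.100.7 to 176.10.104.240; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc).",
    "Dec 19 23:13:32.000 [notice] Our IP Address has changed from 176.10.104.240 to 198.51.100.7; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME=my.dyndns.cc).",
]

if __name__ == "__main__":
    changes = parse_changes(SAMPLE_LOG)
    print("flapping between:", find_flapping(changes))
    print("not the operator's address:", unexpected_addresses(changes, "198.51.100.7"))
```

Run against a real notice log, the flapping set pinpoints the two addresses involved, and comparing the unexpected one against the relay search or the exit list tells you whether a local process (here ddclient) is publishing a Tor exit's address as your own.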
Hello,
yes, you're right. It looks like I accidentally routed all traffic through tor due to a faulty firewall rule. It was a bit confusing because of the quick updates with the right IP. It took me a while to understand the background.
Thanks a lot for your help.
Regards,
On 20.12.2016 19:35, anondroid wrote:
Hello,
sorry, it was also a bit confusing for me when I saw the logs. Yes, you are right. I am running a tor node and a ddclient on the same machine. The Tor client and relay are running in a jail. So, it might be an error because of a faulty firewall rule. It looks like I've routed all traffic through the tor client. Therefore it could be a "false" dyndns update, but I don't understand why it was changing so quickly with the right IP.
So, for now I guess it was my fault.
Regards,
Reiner
On 20.12.2016 18:49, tor-relay.dirk@o.banes.ch wrote: