Heads UP! Possible Huge TOR Bug Discovered

While browsing the TOR mailing list last night, the following subject caught
my eye:

http://archives.seul.org/or/talk/Aug-2006/threads.html
Tor bug?: AllowInvalidNodes

Spent the rest of the night running my own tests and sure enough, entry &
exit nodes were /always/ 149.9.XXX.XXX and/or 154.35.XXX.XXX

I tried deleting all tor's cached-routers/cached-status, rebooting etc.
Nothing really changed, I still entered and exited on a 149* or 154* and
quite a few times the exit node was not even supposed to be an exit node
according to: http://serifos.eecs.harvard.edu/cgi-bin/exit.pl

I then counted all the 149.9.XXX.XXX/154.35.XXX.XXX, there were 35, which
begs the question; Does the CIA own 149* and the NSA own 154* ? Or vise
versa? o_0

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

["Followup-To:" header set to alt.privacy.anon-server.]

This isn't really a bug, there are just a lot of exit-nodes within two
/16 networks. It could be a TLA running lots of nodes, or it could be
just a couple of invididuals running (for example) vmware with a load of
Tor test nodes on a single box.

Even if it is a bad guy, you are still safe providing you have one
honest node in your circuit. The next release of Tor will include a
check to ensure that two nodes within the same /16 are treated as "same
operator".


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iQEVAwUBROMoY2oLu9HNUqmMAQq5XQf/cDnGv/UOJKf6FAXRiFlafvaYi1FL97lL
AQl2R971PcckIMRXOqOcimkdFP5HlJkQwasTItNpLh4ah7U1hsMzGYdn/aZrPwK8
wl+Fc2oG4BMWC86GTJrYKUHPjZYPKoCMi89bNQlRBYRXw3HkLWR5V5+lv0OHXh0w
j2xG79402eKsN4W3q3ZVhkRksjk3BZR9lqANKN4uJEXWllTuHpvT4PVT8AVnSz4o
bM9JYsFOAk4tbfbsqKTbworhET+XtVpQ0BnXAVVfMPNQTYLVOItRAzcUf8y4ayjH
/O4DV2SBvhAMCjHsZTzm54Zkw48MCu8+S1qPEohi6gDMf0X7QzshVg==
=EO1B
-----END PGP SIGNATURE-----

 

I can verify this. I saw a lot of high bandwidth servers in 149.9.XXX.XXX in
Washington DC, and most of them were running version 0.1.0.16 on Linux x86_64,
and none of them appeared to have an email contact listed.

Taking a "closer look" at one of the machines (149.9.122.209) revealed the name
rootmethru.biz, though nmap couldn't find any non-filtered ports in the standard
range.
So this means put all 149.9.0.0/16 and 154.35.0.0/16 in the same family. That
sounds like a good solution. I wonder who actually owns/controls these boxes;
the fact that they are all from Washington DC and running similar configurations
seems suspicious, although not proof of attempted tracking.Hopefully sooner rather than later

David

 

This wasn't/isn't a bug exactly, and certainly not a huge one even
if you assume Tor developers should have addressed it precognitively.
It's at worst an amateurish attempt to gain the ability to observe
entry and exit nodes in real time. Something we all know Tor is
vulnerable to, and have for quite a while. Any real time system is
vulnerable to this, and if it were an actual attack it failed because
it was trivial to spot and defeat. The "distributed" part of the
distributed network implementation did a smashing job.

In any case, it's already been fixed. If you're concerned about PSINET
nodes being surreptitiously owned by the same operator the latest SVN
treats all nodes in a /16 IP block as the same family regardless of
what they report.

 

The address associated with the 149.9 is 1015 31st St NW, owned by
Cogent Communications.
149.9.0.27 is registered to Cogent Communications. This is an ISP, the
10th largest in the world.
149.9.0.21 is also regisrerd to CC.
In fact, the whole 149.9.0.0 - 149.9.255.255 block is owned by Cogent
Communications.
154.35.0.0 - 154.35.255.255 is also Cogent.
This isn't a conspiracy, Cogent is routing everything to DC, where
they seem to be located.
http://www.cogentco.com/htdocs/index.php is Cogent's website.
I think there should be a more careful investigation of this before
it's decided that it's a conspiriacy.
Oh yeah, they would be really high bandwith if they're routing
everyting thru these servers.
I agree though that it's not a good thing to have 90% of Tor traffic
coming thru Cogento.