Heads UP! Possible Huge TOR Bug Discovered

Discussion in 'Computer Security' started by Labiodental Fricative, Aug 16, 2006.

  1. While browsing the TOR mailing list last night, the following subject caught
    my eye:

    http://archives.seul.org/or/talk/Aug-2006/threads.html
    Tor bug?: AllowInvalidNodes

    Spent the rest of the night running my own tests and sure enough, entry &
    exit nodes were /always/ 149.9.XXX.XXX and/or 154.35.XXX.XXX

    I tried deleting all tor's cached-routers/cached-status, rebooting etc.
    Nothing really changed, I still entered and exited on a 149* or 154* and
    quite a few times the exit node was not even supposed to be an exit node
    according to: http://serifos.eecs.harvard.edu/cgi-bin/exit.pl

    I then counted all the 149.9.XXX.XXX/154.35.XXX.XXX, there were 35, which
    begs the question: does the CIA own 149* and the NSA own 154*? Or vice
    versa? o_0
     
    Labiodental Fricative, Aug 16, 2006
    #1

  2. Zax (Guest)

    This isn't really a bug, there are just a lot of exit-nodes within two
    /16 networks. It could be a TLA running lots of nodes, or it could be
    just a couple of individuals running (for example) vmware with a load of
    Tor test nodes on a single box.

    Even if it is a bad guy, you are still safe providing you have one
    honest node in your circuit. The next release of Tor will include a
    check to ensure that two nodes within the same /16 are treated as "same
    operator".


     
    Zax, Aug 16, 2006
    #2

  3. ~David~ (Guest)

    I can verify this. I saw a lot of high bandwidth servers in 149.9.XXX.XXX in
    Washington DC, and most of them were running version 0.1.0.16 on Linux x86_64,
    and none of them appeared to have an email contact listed.
    Taking a "closer look" at one of the machines (149.9.122.209) revealed the name
    rootmethru.biz, though nmap couldn't find any non-filtered ports in the standard
    range.
    So this means put all 149.9.0.0/16 and 154.35.0.0/16 in the same family. That
    sounds like a good solution. I wonder who actually owns/controls these boxes;
    the fact that they are all from Washington DC and running similar configurations
    seems suspicious, although not proof of attempted tracking.
    Hopefully sooner rather than later :)

    David
     
    ~David~, Aug 16, 2006
    #3
  4. This wasn't/isn't a bug exactly, and certainly not a huge one even
    if you assume Tor developers should have addressed it precognitively.
    It's at worst an amateurish attempt to gain the ability to observe
    entry and exit nodes in real time. Something we all know Tor is
    vulnerable to, and have for quite a while. Any real time system is
    vulnerable to this, and if it were an actual attack it failed because
    it was trivial to spot and defeat. The "distributed" part of the
    distributed network implementation did a smashing job. :)

    In any case, it's already been fixed. If you're concerned about PSINET
    nodes being surreptitiously owned by the same operator the latest SVN
    treats all nodes in a /16 IP block as the same family regardless of
    what they report.
     
    George Orwell, Aug 16, 2006
    #4
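    Posts #2 and #4 both describe the fix as "treat all nodes in a /16 block as the same family". The following is an added illustration of that rule, not Tor's own code: a constructed relay list (the names and addresses are made up, only the /16 prefixes match the thread) and a path builder that refuses any circuit with two relays in one /16.

    ```python
    import ipaddress
    import random
    from typing import Dict, List

    # Constructed sample relay list (NOT real Tor directory data): name -> IP.
    # Several entries deliberately sit in 149.9.0.0/16 and 154.35.0.0/16, the
    # two blocks the thread is about.
    RELAYS: Dict[str, str] = {
        "alpha":   "149.9.10.5",
        "bravo":   "149.9.200.17",
        "charlie": "154.35.4.9",
        "delta":   "154.35.120.33",
        "echo":    "203.0.113.8",
        "foxtrot": "198.51.100.77",
        "golf":    "192.0.2.44",
    }

    def family_key(ip: str) -> str:
        """The /16 network an address belongs to; used as the 'same operator' key."""
        return str(ipaddress.ip_network(f"{ip}/16", strict=False))

    def count_by_family(relays: Dict[str, str]) -> Dict[str, int]:
        """How many relays fall in each /16 (what the OP counted by hand)."""
        counts: Dict[str, int] = {}
        for ip in relays.values():
            key = family_key(ip)
            counts[key] = counts.get(key, 0) + 1
        return counts

    def shares_family(circuit: List[str], relays: Dict[str, str] = RELAYS) -> bool:
        """True if any two relays in the circuit are in the same /16."""
        keys = [family_key(relays[name]) for name in circuit]
        return len(keys) != len(set(keys))

    def build_circuit(relays: Dict[str, str], hops: int = 3, rng=random) -> List[str]:
        """Pick `hops` relays with pairwise-distinct /16s; ValueError if impossible."""
        chosen: List[str] = []
        used = set()
        candidates = list(relays)
        rng.shuffle(candidates)           # random order, then greedy family filter
        for name in candidates:
            key = family_key(relays[name])
            if key in used:
                continue                  # same /16 as an earlier hop: skip it
            chosen.append(name)
            used.add(key)
            if len(chosen) == hops:
                return chosen
        raise ValueError(f"fewer than {hops} distinct /16 families available")
    ```

    With only the 149.9 and 154.35 relays available, build_circuit refuses to produce a three-hop path at all, which is the intended failure mode rather than a circuit owned end to end by one operator.
    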
  5. The address associated with the 149.9 is 1015 31st St NW, owned by
    Cogent Communications.
    149.9.0.27 is registered to Cogent Communications. This is an ISP, the
    10th largest in the world.
    149.9.0.21 is also registered to CC.
    In fact, the whole 149.9.0.0 - 149.9.255.255 block is owned by Cogent
    Communications.
    154.35.0.0 - 154.35.255.255 is also Cogent.
    This isn't a conspiracy, Cogent is routing everything to DC, where
    they seem to be located.
    http://www.cogentco.com/htdocs/index.php is Cogent's website.
    I think there should be a more careful investigation of this before
    it's decided that it's a conspiracy.
    Oh yeah, they would be really high bandwidth if they're routing
    everything through these servers.
    I agree though that it's not a good thing to have 90% of Tor traffic
    coming through Cogent.
     
    fatal.serpent, Aug 17, 2006
    #5