Relays may publish descriptors with incorrect IP address
I suspect that the following bug could be used by malicious directories to cause relays that rely on directories to get their external IP address to publish bogus descriptors which should reduce their chances to make it into the next consensus.
I privately reported the issue yesterday and it has been decided that there's no need to keep it secret.
The relay elektrobier2 (3D615DEF97F387631F50201FAFA6E7B67FDF3FEF) is running in an ElectroBSD jail with:
ORPort 9001 NoAdvertise
ORPort 443 NoListen
Tor binds to 127.0.1.1:9001, pf is forwarding incoming traffic from 95.211.138.7:443 and nat'ing outgoing traffic:
[fk@elektrobier ~]$ jls | grep elektrobier2
5 127.0.1.1 elektrobier2 /usr/jails/elektrobier2
[fk@elektrobier ~]$ sudo pfctl -sn -P | grep 127.0.1.1
nat on bge0 inet from 127.0.1.1 to any -> 95.211.138.7
rdr pass on bge0 inet proto tcp from any to 95.211.138.7 port = 443 -> 127.0.1.1 port 9001
This used to work fine and Tor correctly detected the external IP address when the system only had one external IPv4 address.
After the system got a second external IP address, pf was briefly nat'ing outgoing traffic using both external IPv4 addresses while still only forwarding incoming traffic from 95.211.138.7:443 to Tor.
This resulted in undesirable behaviour:
Dec 01 18:34:58.337 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 18:34:58.550 [notice] {GENERAL} Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 01 18:34:58.550 [notice] {CONTROL} Bootstrapped 100%: Done
Dec 01 18:36:45.949 [notice] {CONTROL} New control connection opened from 127.0.1.1.
Dec 01 18:41:01.459 [notice] {OR} Performing bandwidth self-test...done.
Dec 01 18:55:26.206 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 144.76.92.46).
Dec 01 18:55:26.274 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 19:55:29.426 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 124.6.36.195).
Dec 01 19:55:30.351 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 20:15:45.001 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 146.0.32.144).
Dec 01 20:15:47.988 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 20:16:35.027 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 171.25.193.9).
Dec 01 20:16:35.367 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 20:36:05.053 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 212.51.155.40).
Dec 01 20:36:05.098 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 20:56:25.006 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 154.46.204.125).
Dec 01 20:56:25.254 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 21:15:33.282 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 50.7.184.58).
Dec 01 21:15:33.756 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 21:16:34.015 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 193.23.244.244).
Dec 01 21:16:34.033 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 21:17:35.514 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 208.83.223.34).
Dec 01 21:17:35.710 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 21:56:14.079 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 89.46.101.181).
Dec 01 21:56:14.414 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 21:57:25.355 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 185.11.136.211).
Dec 01 21:57:25.409 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
The messages seem to imply that Tor is only publishing the IP address after verifying that it can be reached through it.
Unless I misinterpret the code, it only verified that it got incoming traffic on its ORPort, though, and in this case all the traffic came through 95.211.138.7:443 while traffic to 95.211.138.51:443 was not forwarded to this relay and not part of the reachability test.
Therefore I suspect that the contacted directories could trick the relay into publishing any IP address in which case the relay could fall out of the next consensus.
BTW, after noticing the issue I changed the pf configuration to use a fixed IP address mapping when nat'ing Tor traffic, but surprisingly this did not completely work around the problem for this relay and just reduced the number of times address changes were detected. Even days later I got:
Dec 07 07:00:00.725 [notice] {ACCT} Configured hibernation. This interval began at 2015-12-07 07:00:00; the scheduled wake-up time was 2015-12-07 07:00:00; we expect to exhaust our quota for this interval around 2015-12-08 07:00:00; the next interval begins at 2015-12-08 07:00:00 (all times local)
Dec 07 10:23:30.725 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 62.210.71.167).
Dec 07 10:23:30.841 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 07 10:23:39.912 [notice] {OR} Performing bandwidth self-test...done.
Dec 07 10:43:52.145 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 104.131.136.238).
Dec 07 10:43:52.737 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 07 11:28:43.311 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 62.210.142.39).
Dec 07 11:28:43.734 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 07 11:45:51.148 [notice] {CIRC} No circuits are opened. Relaxed timeout for circuit 665 (a General-purpose client 1-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. 2 guards are live.
Dec 07 12:05:10.598 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 198.100.155.91).
Dec 07 12:05:10.905 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 07 12:34:54.194 [notice] {HEARTBEAT} Heartbeat: Tor's uptime is 0:29 hours, with 2018 circuits open. I've sent 592.36 GB and received 591.16 GB.
Dec 07 12:34:54.205 [notice] {HEARTBEAT} Heartbeat: Accounting enabled. Sent: 41.50 GB / 1000.00 GB, Received: 41.41 GB / 1000.00 GB. The current accounting interval ends on 2015-12-08 07:00:00, in 18:25 hours.
Dec 07 12:34:54.205 [notice] {HEARTBEAT} Circuit handshake stats since last time: 30713/30713 TAP, 64172/64172 NTor.
Dec 07 12:34:54.205 [notice] {HEARTBEAT} Since startup, we have initiated 0 v1 connections, 3 v2 connections, 10 v3 connections, and 233777 v4 connections; and received 402 v1 connections, 112 v2 connections, 3 v3 connections, and 179033 v4 connections.
I finally added "Address 95.211.138.7" to see if this helps, but for the relay polizei-erziehung (5CE3AD8AD04ADE66C0037A3CF5F7F7A40D48A20B) which is running in another jail on the same system this wasn't necessary and I have no idea why.
While both relays are running 0.2.7.4-rc, other releases should be affected as well.
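A log check for the address flapping shown in the excerpts above, added here as an example (it is not part of the original report or of Tor's code). The function names and the `expected` parameter are assumptions of this sketch; the sample lines are copied from the report's log.

```python
import re
from collections import Counter, defaultdict

# Matches the notice-level address-change line quoted in the report.
CHANGE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[notice\] (?:\{\w+\} )?"
    r"Our IP Address has changed from (?P<old>\S+) to (?P<new>\S+); "
    r"rebuilding descriptor \(source: (?P<src>[^)]+)\)\."
)

def parse_changes(lines):
    """Return (timestamp, old, new, source) for every address-change notice."""
    out = []
    for line in lines:
        m = CHANGE_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["old"], m["new"], m["src"]))
    return out

def flap_report(lines, expected=None):
    """Summarise changes; `expected` is the address actually forwarded to Tor."""
    changes = parse_changes(lines)
    adopted = Counter(new for _, _, new, _ in changes)
    sources = defaultdict(set)
    for _, _, new, src in changes:
        sources[new].add(src)
    return {
        "changes": len(changes),
        # An address adopted more than once means the relay is oscillating.
        "flapping": sorted(a for a, n in adopted.items() if n > 1),
        # Descriptor rebuilds for an address the operator does not forward.
        "unexpected": [(ts, new, src) for ts, _, new, src in changes
                       if expected is not None and new != expected],
        "sources": {a: sorted(s) for a, s in sources.items()},
    }

# Lines copied from the log excerpt in the report above.
SAMPLE = """\
Dec 01 18:55:26.206 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 144.76.92.46).
Dec 01 18:55:26.274 [notice] {OR} Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 01 19:55:29.426 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 124.6.36.195).
Dec 01 20:15:45.001 [notice] {GENERAL} Our IP Address has changed from 95.211.138.51 to 95.211.138.7; rebuilding descriptor (source: 146.0.32.144).
Dec 01 20:16:35.027 [notice] {GENERAL} Our IP Address has changed from 95.211.138.7 to 95.211.138.51; rebuilding descriptor (source: 171.25.193.9).
""".splitlines()

if __name__ == "__main__":
    print(flap_report(SAMPLE, expected="95.211.138.7"))
```

Every entry under `unexpected` is a descriptor rebuilt for an address that is not forwarded to the relay, together with the directory source that suggested it.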