The "[ff00::]:443" - problem

I’m using the latest version of Qubes-Whonix and I’ve noticed some peculiarities for some time now.

When you first call a Whonix instance in Qubes and then analyze the circuit connections in the Tor Control Panel→Utilities→Onion Circuits, you notice the following:

(a) An above-average number of times, no connection to a circuit can be made. See example 1.

example-1

(b) Even if you have not yet visited a website, cryptic onion pages appear under random circuits, of which it is unclear what they mean.

(c) When calling up a website, it is often impossible to establish a connection even though the gate is active. When analysing the circuits, it is noticeable that the following line is constantly being rebuilt and leads to a “continuous scrolling” and thus to a blocking of the connection:

This line can be either single (see example 2)

or several times below a circuit line (example 3).

example-3

More often, a circuit line with ff00:::443 appears, where ff00:::443 repeats itself indefinitely (Figures 4a and 4b).

example-4a

example-4b

In any case, the system is always trying to build new circuits to counteract this disruption.

If you then change the identity with the button in the upper right corner, the phenomenon often disappears, but not always.

I turned off IPv6, but it didn’t do anything.

I suspect that this problem is being artificially created from the outside to force Tor to build new circuits and increase the likelihood of correlation analysis. I may be wrong and it may be a bug, so I’m asking for experience and your views on it.

A search on the net has not yielded much, except for this link with similar facts, which does not describe 100 percent the same problem and does not lead to further insights.

See here:

Another peculiarity is that recently an IP address often appears as an entry node, and then only for a few minutes as an exit node. There may be suspicion that this is an attempt to compare and analyse the amount of data flowing in and out.

I would like your views on this. Thank you.


sdwdate? Connects to onions.

Hot find. You could try to modify NoScript in the browser profile folder to patch out that IP to confirm if it is only caused by that.

I think it is merely a bug with stream-isolation in Tor Browser under certain conditions. Not a malicious attack.
