v3 (prop 224) .onion for Whonix website

torjunkie · February 14, 2018, 10:41am

Ah - that’s a pity user defined rules must be used.

I thought this would be a simple (?) fix server-side. It goes contrary to user expectations i.e. most would think - “I’m connecting to the Whonix v2 or v3 onion, so why would it load resources from the clearnet address…”

Patrick · February 15, 2018, 6:37pm

Steady Supplies:

Fair enough. I appreciate the https trick though. I have now used that same method on many other sites like Protonmail, Bitmessage.ch, RiseUp, and a dozen other websites that have hidden service mirrors. So I appreciate the tip.

Good to hear.

Patrick I am certain you’ll find a more elegant solution soon enough.

Extremely unlikely.

Is there any possibility of Namecoin playing a role in this issue? Or is it another issue entirely? Or a non-issue due to some shortcoming?

I doubt that. It’s not a DNS issue. The problem is that webapps we are
using such as mediaiwki, wordpress, discourse are using our primary
https domain. These webapps don’t support multiple domain for the same
website. We don’t have the resources to provide patches to these
projects to add this feature.

torjunkie · February 17, 2018, 10:41am

Thanks for that info. Noted in wiki.

torjunkie · February 17, 2018, 11:01am

Denial of Service mitigation subsystem (#24902) · Issues · Legacy / Trac · GitLab

Major features:

Give relays some defenses against the recent network overload. We start with three defenses (default parameters in parentheses).
First: if a single client address makes too many connections (>100), hang up on further connections.
Second: if a single client address makes circuits too quickly (more than 3 per second, with an allowed burst of 90) while also having too many connections open (3), refuse new create cells for the next while (1-2 hours).
Third: if a client asks to establish a rendezvous point to you directly, ignore the request. These defenses can be manually controlled by new torrc options, but relays will also take guidance from consensus parameters, so there’s no need to configure anything manually. Implements ticket 24902.

Actually it has been merged into 0.2.9.x and onwards, see:

Denial of Service mitigation subsystem (#24902) · Issues · Legacy / Trac · GitLab

Presumably we have to wait for this to hit Debian stable.

torjunkie · March 19, 2018, 1:45am

The v3 onion is down but the v2 onion is not?

This is interesting phenomenon.

Why would the server successfully allow connections e.g. forums.kkkkkkkkkk63ava6.onion, but fail with forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion at the same time (despite multiple attempts with new circuits)?

Firefox can’t establish a connection to the server at forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion.

Yada yada.

Like just now.

Misconfiguration? Server overload? Not running latest Tor stable thus subject to an attack of some sort?

Interested users would like to know in terms of a stable server response, since it seems illogical that one would work (v2), while the other would not (v3) at the same time with latest Tor client software running (Tor Browser 7.5.2, Tor 3.2.10). Particularly since it worked just yesterday…

fortasse · March 19, 2018, 2:35am

We’re on latest stable. I looked at the logs, and according to this Tor Project ticket it looks like the entire network is under stress or load of some kind. Not much we can do on our end, I don’t think. I haven’t touched the configs before this started happening, unfortunately.

iry · March 19, 2018, 4:55pm

Hi @fortasse ! Whonix v3 onion is still not accessible as previously described by torjunkie. But all the other v3 onions like riseup or even the Qubes onion mirror are accessible.

Would you please investigate on this?

fortasse · March 19, 2018, 10:02pm

dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion is up and functional for me. I haven’t touched the machine since yesterday, and it came up on its own. I am inclined to believe it was simply congestion / stress of the whole Tor network. I believe hidden services form unique circuits, and it just so happened that the main v3 hidden service couldn’t find a reliable circuit, while the other hidden services could.

0brand · March 19, 2018, 10:45pm

Same here.

I was also having connectivity issues with Whonix v3 onion but now its accessible.

iry · March 20, 2018, 2:51pm

Thank you for your explanation, @fortasse !

torjunkie · March 23, 2018, 8:29am

Hi fortasse,

With v2 and v3 Whonix onions down for 3 days, there is some serious problem going on.

Tor metrics shows the number of “users” on the network has halved since Tor v3.2.10 was released, meaning the DDOS stuff is working in general (Germany alone lost around a million “users” over several days).

However, I see some tor ticket referred to too many circuit connections being opened (both client and server side?) which might be being exploited somehow to cause a permanent takedown effect we are seeing.

As a test, I checked various other v3 onions to see if they connect:

Worked

Riseup: http://vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion/
Searx: http://ozmh2zkwx5cjuzopui64csb5ertcooi5vya6c2gm4e3vcvf2c2qvjiyd.onion/
Onionshare: http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion/
Random legal firm: http://dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion/
Federalist papers: http://7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion/fedpapers/federa00.htm
Gitea: http://lgekyjf5vosmbfvcxzg3g5mmcncmwy4d3nhjrdqqiqzl5nmhqlfemaid.onion/
Txtorcon: http://lgekyjf5vosmbfvcxzg3g5mmcncmwy4d3nhjrdqqiqzl5nmhqlfemaid.onion/

Didn’t work:

Qubes (also hosted by Whonix server?): http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/
Whonix: http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/

Conclusion:

If it is a network wide attack, I would expect other random v3 onions to fail at least once. That’s not the case.

Therefore, since you haven’t changed the configuration, it is most likely:

a) Targeted attack - meaning there is a strong rationale for a Whonix mirror or server with more capacity (?)
b) Some misconfiguration that wasn’t picked up previously, but is now being exploited.
c) Something else.

But whatever it is, it’s really annoying.

nurmagoz · March 23, 2018, 10:25am

@fortasse the mirrors of onion whonix r down for sure or they r missed up. not way to reach them since 2 days…

entr0py · March 23, 2018, 8:34pm

update needed when resolved: Keep Tor onion service up-to-date · Issue #1352 · QubesOS/qubes-issues · GitHub

torjunkie · March 25, 2018, 2:44am

Definitely Whonix-specific. All Debian v2 onions functional, all v2 search engines functional etc. A huge pity with fortasse leaving at this critical time.

Patrick · March 25, 2018, 6:57am

Do you think you can fix the v3 onion? @Ego

torjunkie · March 25, 2018, 9:28pm

To try and solve this in the absence of a webmaster, wouldn’t it be worth capturing the relevant logs and sending to tor-talk or similar?

No doubt various errors are popping up in Tor logs on the server, probably similar to:

Tor deals poorly with a very large number of incoming connection requests. (#15463) · Issues · Legacy / Trac · GitLab
[tor-talk] (D)DOS over Tor network ? Help !

Also, couldn’t the v3 instance also be recreated as a test to see if it is at least reachable?

NextGenOnions · Wiki · Legacy / Trac · GitLab

Open prop224 bugs are here:

Patrick · March 28, 2018, 12:17pm

Back online.

torjunkie · March 28, 2018, 1:51pm

Awesome!

It’s nerve-wracking trusting CAs to login to Whonix. Ditto edits.

Do we know why it went down?

nurmagoz · March 28, 2018, 7:26pm

Patrick · April 2, 2018, 9:25am

That is a personal thing but why the onions went down does have nothing to do with fortasse stepping down.