vanguards - Additional protections for Tor Onion Services

Very simple. I manually installed this deb package, tor (0.4.8.8-1) - snapshot.debian.org, on the Whonix gateway via dpkg and restarted Tor inside the gateway. The logs in the Tor control panel show version 0.4.8.8, so the downgrade was successful. Then I started downloading the file in the workstation using the same method that causes an error with version 0.4.8.9. The download was successful without connection failures. I tried several more times; the problem did not appear.

I’m sorry, but on the torproject GitLab where Vanguards is being discussed there is no open registration; there you have to somehow, through an anonymous report, ask for an account to be created.

Hi @Patrick,

Correct me if I’m wrong: I just restarted tor on my Whonix-Gateway, and the internet connection on the workstation works just fine with vanguards enabled. Was this simple solution all that was needed? My platform is Windows running Whonix on VirtualBox.

EDIT: Maybe we should wait for the devs to release an official statement. We have no way of guaranteeing whether vanguards works properly with the new version (0.4.8.12).

EDIT 2: Sorry the issue persists on 0.4.8.12 regardless of restarting tor with vanguards enabled. I was wrong.

No. Please read the instructions for reproduction as posted in the
ticket at the Tor Project issue tracker.

It seems that last week’s post about the problem being solved in the last version was wrong.

It seems to me that we need to at least find the conditions to reproduce the problem exactly. I’m using 0.4.8.12, three obfs4 bridges, and enabled Vanguards via systemctl start Vanguards. In the logs: “Vanguards 0.3.1 connected to Tor 0.4.8.12 using stem 1.8.1”. I tried to download Tor Browser via scurl-download and got an error, with this in the log: “WARNING[Thu Sep 26 13:XXXX 2024]: Possible Tor bug, or possible attack if very frequent: Got 3 dropped cells on circ 159 (in state CONFLUX_LINKED None; old state CONFLUX_UNLINKED None)”. Repeated. Error. Repeated. Error. Error.
I waited 10 minutes. Error again.
systemctl restart Vanguards on the gateway.
Tor Browser downloaded successfully on the first try. I restarted Tor via the control panel and Vanguards via systemctl. The download is successful.

I can’t understand the reproduction conditions. Can the problem be solved just by systemctl restart Vanguards? Is Vanguards working at all? The logs say “Vanguards connected to Tor”, so it’s probably working.

I continued the tests. I rebooted the Whonix gateway, ran systemctl start Vanguards, then systemctl restart Vanguards before Tor could fully connect to the network (I have a slow network); the logs show that Vanguards connected to Tor 0.4.8.12 using stem 1.8.1. Downloading Tor Browser in the workstation succeeds without any errors or problems.

I waited 10 minutes and restarted the download. Error. Same thing in the logs, conflux. systemctl restart Vanguards. The download was successful. It seems like finding an exact way to reproduce the problem would take a lot of time and effort. The only guaranteed condition that always fails: Whonix gateway with Vanguards initially disabled, wait for a full connection to the Tor network, systemctl start Vanguards and start downloading any large enough file. 100 MB fails, 250 kB succeeds.

You’d have to run too many tests

I added ConfluxEnabled 0 to tor_control_panel.conf. Systemctl enable Vanguards. Everything works fine. Restarting Tor, Vanguards, other ways to cause the problem - everything works fine.

Can we add ConfluxEnabled 0 to torrc as a temporary solution to this problem and enable Vanguards? How much worse would this be for security and anonymity than disabling Vanguards and leaving conflux on?

Just want to confirm that I have downgraded to version 0.4.8.8 with vanguards enabled and found that this version has no problems with vanguards.

Please test by downloading any large file via curl. Example: Tor Browser.

Sorry for my previous confusing comments. It seems like even 0.4.8.8 might be affected. The result of tor download is inconclusive. When I ran it for the first few times it didn’t work and gave me this result

From Gateway:
[gateway user ~/Downloads]% sudo systemctl status vanguards
○ vanguards.service - Additional protections for Tor onion services
Loaded: loaded (/lib/systemd/system/vanguards.service; disabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/vanguards.service.d
└─30_anon-gw-anonymizer-config.conf
Active: inactive (dead)
Docs: man:vanguards(1)
Sep 27 01:56:04 host vanguards[6543]: WARNING[Fri Sep 27 01:56:04 2024]: Possible Tor bug, or possible attack if very frequent: Got 10 dropped cell on circ 2248 (in state CONFLUX_LINKED Non>
Sep 27 01:56:04 host vanguards[6543]: WARNING[Fri Sep 27 01:56:04 2024]: Possible Tor bug, or possible attack if very frequent: Got 11 dropped cell on circ 2248 (in state CONFLUX_LINKED Non>
Sep 27 01:56:04 host vanguards[6543]: WARNING[Fri Sep 27 01:56:04 2024]: Possible Tor bug, or possible attack if very frequent: Got 12 dropped cell on circ 2248 (in state CONFLUX_LINKED Non>
Sep 27 01:56:04 host vanguards[6543]: WARNING[Fri Sep 27 01:56:04 2024]: Possible Tor bug, or possible attack if very frequent: Got 13 dropped cell on circ 2248 (in state CONFLUX_LINKED Non>
Sep 27 01:56:04 host vanguards[6543]: WARNING[Fri Sep 27 01:56:04 2024]: Possible Tor bug, or possible attack if very frequent: Got 14 dropped cell on circ 2248 (in state CONFLUX_LINKED Non>
Sep 27 01:56:04 host vanguards[6543]: WARNING[Fri Sep 27 01:56:04 2024]: Possible Tor bug, or possible attack if very frequent: Got 15 dropped cell on circ 2248 (in state CONFLUX_LINKED Non>
Sep 27 01:57:01 host systemd[1]: Stopping vanguards.service - Additional protections for Tor onion services…
Sep 27 01:57:01 host systemd[1]: vanguards.service: Deactivated successfully.
Sep 27 01:57:01 host systemd[1]: Stopped vanguards.service - Additional protections for Tor onion services.
Sep 27 01:57:01 host systemd[1]: vanguards.service: Consumed 1min 7.448s CPU time.

From Workstation:
[workstation user /]% torsocks curl --fail --output /tmp/test.tar.xz https://dist.torproject.org/torbrowser/13.5.4/tor-browser-linux-x86_64-13.5.4.tar.xz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 111M 0 7536 0 0 4601 0 7:03:09 0:00:01 7:03:08 4603
curl: (18) transfer closed with 116809996 bytes remaining to read
zsh: exit 18 torsocks curl --fail --output /tmp/test.tar.xz

Then I restarted vanguards, and then it was fine:

From Gateway:
[gateway user ~/Downloads]% sudo systemctl status vanguards
● vanguards.service - Additional protections for Tor onion services
Loaded: loaded (/lib/systemd/system/vanguards.service; disabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/vanguards.service.d
└─30_anon-gw-anonymizer-config.conf
Active: active (running) since Fri 2024-09-27 02:02:58 UTC; 1min 15s ago
Docs: man:vanguards(1)
Main PID: 19242 (vanguards)
Tasks: 3 (limit: 6074)
Memory: 45.9M
CPU: 16.968s
CGroup: /system.slice/vanguards.service
└─19242 /usr/bin/python3 /usr/bin/vanguards
Sep 27 02:02:58 host systemd[1]: Started vanguards.service - Additional protections for Tor onion services.
Sep 27 02:02:58 host vanguards[19242]: NOTICE[Fri Sep 27 02:02:58 2024]: Vanguards 0.3.1 connected to Tor 0.4.8.8 using stem 1.8.1

From Workstation:
[workstation user /]% torsocks curl --fail --output /tmp/test.tar.xz https://dist.torproject.org/torbrowser/13.5.4/tor-browser-linux-x86_64-13.5.4.tar.xz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 111M 100 111M 0 0 1417k 0 0:01:20 0:01:20 --:–:-- 1893k
[workstation user /]% torsocks curl --fail --output /tmp/test.tar.xz https://dist.torproject.org/torbrowser/13.5.4/tor-browser-linux-x86_64-13.5.4.tar.xz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 111M 100 111M 0 0 1790k 0 0:01:03 0:01:03 --:–:-- 1137k

Hi, @Patrick,

Please report to the GitLab issue IF and ONLY IF this issue is reproducible for you. The issue seems to come back after the gateway is on for some time.

I downgraded to 0.4.8.8-1 by downloading tor, tor-geoipdb and libzstd1 (because of dependency issues) from the following links:
https://snapshot.debian.org/archive/debian/20231106T025649Z/pool/main/t/tor/tor_0.4.8.8-1_amd64.deb
https://snapshot.debian.org/archive/debian/20231106T025649Z/pool/main/t/tor/tor-geoipdb_0.4.8.8-1_all.deb -> rename to “tor-geoipdb_0.4.8.8-1_all.deb”
https://snapshot.debian.org/archive/debian/20240614T024814Z/pool/main/libz/libzstd/libzstd1_1.5.6%2Bdfsg-1_amd64.deb -> rename to “libzstd1_1.5.6+dfsg-1_amd64.deb”
Finally installed with “sudo dpkg -i tor_0.4.8.8-1_amd64.deb tor-geoipdb_0.4.8.8-1_all.deb libzstd1_1.5.6+dfsg-1_amd64.deb”

tor version 0.4.8.4 also drops cells when running with vanguards. This is probably the version where the bug was introduced. The previous tor version was 0.4.7.16-1.

tor version 0.4.8.4 changelog:

Changes in version 0.4.8.4 - 2023-08-23
  Finally, this is the very first stable release of the 0.4.8.x series making,
  among other features, Proof-of-Work (prop#327) and Conflux (prop#329)
  available to the entire network. Several new features and a lot of bugfixes
  detailed below.

  o Major feature (denial of service):
    - Extend DoS protection to partially opened channels and known relays.
      Because re-entry is not allowed anymore, we can apply DoS protections
      onto known IP namely relays. Fixes bug 40821; bugfix on 0.3.5.1-alpha.

  o Major features (onion service, proof-of-work):
    - Implement proposal 327 (Proof-Of-Work). This is aimed at thwarting
      introduction flooding DoS attacks by introducing a dynamic Proof-Of-Work
      protocol that occurs over introduction circuits. This introduces several
      torrc options prefixed with "HiddenServicePoW" in order to control this
      feature. By default, this is disabled. Closes ticket 40634.

  o Major features (conflux):
    - Implement Proposal 329 (conflux traffic splitting). Conflux splits
      traffic across two circuits to Exits that support the protocol. These
      circuits are pre-built only, which means that if the pre- built conflux
      pool runs out, regular circuits will then be used. When using conflux
      circuit pairs, clients choose the lower-latency circuit to send data to
      the Exit. When the Exit sends data to the client, it maximizes
      throughput, by fully utilizing both circuits in a multiplexed fashion.
      Alternatively, clients can request that the Exit optimize for latency
      when transmitting to them, by setting the torrc option 'ConfluxClientUX
      latency'. Onion services are not currently supported, but will be in
      arti. Many other future optimizations will also be possible using this
      protocol. Closes ticket 40593.

  o Major features (dirauth):
    - Directory authorities and relays now interact properly with directory
      authorities if they change addresses. In the past, they would continue to
      upload votes, signatures, descriptors, etc to the hard-coded address in
      the configuration. Now, if the directory authority is listed in the
      consensus at a different address, they will direct queries to this new
      address. Implements ticket 40705.

  o Major bugfixes (conflux):
    - Fix a relay-side crash caused by side effects of the fix for bug
      40827. Reverts part of that fix that caused the crash and adds additional
      log messages to help find the root cause. Fixes bug 40834; bugfix on
      0.4.8.3-rc.

  o Major bugfixes (conflux):
    - Fix a relay-side assert crash caused by attempts to use a conflux circuit
      between circuit close and free, such that no legs were on the conflux
      set. Fixed by nulling out the stream's circuit back- pointer when the
      last leg is removed. Additional checks and log messages have been added
      to detect other cases. Fixes bug 40827; bugfix on 0.4.8.1-alpha.

  o Major bugfixes (proof of work, onion service, hashx):
    - Fix a very rare buffer overflow in hashx, specific to the dynamic
      compiler on aarch64 platforms. Fixes bug 40833; bugfix on 0.4.8.2-alpha.

  o Major bugfixes (vanguards):
    - Rotate to a new L2 vanguard whenever an existing one loses the Stable or
      Fast flag. Previously, we would leave these relays in the L2 vanguard
      list but never use them, and if all of our vanguards end up like this we
      wouldn't have any middle nodes left to choose from so we would fail to
      make onion-related circuits. Fixes bug 40805; bugfix on 0.4.7.1-alpha.

  o Minor features (bridge):
    - warn when a bridge is also configure to be an exit relay.
      Closes ticket 40819.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2023/08/23.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on August 23, 2023.

  o Minor features (testing):
    - All Rust code is now linted (cargo clippy) as part of GitLab CI, and
      existing warnings have been fixed. - Any unit tests written in Rust now
      run as part of GitLab CI.

  o Minor feature (CI):
    - Update CI to use Debian Bullseye for runners.

  o Minor feature (client, IPv6):
    - Make client able to pick IPv6 relays by default now meaning
      ClientUseIPv6 option now defaults to 1. Closes ticket 40785.

  o Minor feature (compilation):
    - Fix returning something other than "Unknown N/A" as libc version
      if we build tor on an O.S. like DragonFlyBSD, FreeBSD, OpenBSD
      or NetBSD.

  o Minor feature (cpuworker):
    - Always use the number of threads for our CPU worker pool to the
      number of core available but cap it to a minimum of 2 in case of a
      single core. Fixes bug 40713; bugfix on 0.3.5.1-alpha.

  o Minor feature (lzma):
    - Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.

  o Minor feature (MetricsPort, relay):
    - Expose time until online keys expires on the MetricsPort. Closes
      ticket 40546.

  o Minor feature (MetricsPort, relay, onion service):
    - Add metrics for the relay side onion service interactions counting
      seen cells. Closes ticket 40797. Patch by "friendly73".

  o Minor features (directory authorities):
    - Directory authorities now include their AuthDirMaxServersPerAddr
      config option in the consensus parameter section of their vote.
      Now external tools can better predict how they will behave.
      Implements ticket 40753.

  o Minor features (directory authority):
    - Add a new consensus method in which the "published" times on
      router entries in a microdesc consensus are all set to a
      meaningless fixed date. Doing this will make the download size for
      compressed microdesc consensus diffs much smaller. Part of ticket
      40130; implements proposal 275.

  o Minor features (network documents):
    - Clients and relays no longer track the "published on" time
      declared for relays in any consensus documents. When reporting
      this time on the control port, they instead report a fixed date in
      the future. Part of ticket 40130.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on June 01, 2023.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2023/06/01.

  o Minor features (hs, metrics):
    - Add tor_hs_rend_circ_build_time and tor_hs_intro_circ_build_time
      histograms to measure hidden service rend/intro circuit build time
      durations. Part of ticket 40757.

  o Minor features (metrics):
    - Add a `reason` label to the HS error metrics. Closes ticket 40758.
    - Add service side metrics for REND and introduction request
      failures. Closes ticket 40755.
    - Add support for histograms. Part of ticket 40757.

  o Minor features (pluggable transports):
    - Automatically restart managed Pluggable Transport processes when
      their process terminate. Resolves ticket 33669.

  o Minor features (portability, compilation):
    - Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5
      compatibility. Fixes issue 40630; patch by Alex Xu (Hello71).

  o Minor features (relay):
    - Do not warn about configuration options that may expose a non-
      anonymous onion service. Closes ticket 40691.

  o Minor features (relays):
    - Trigger OOS when bind fails with EADDRINUSE. This improves
      fairness when a large number of exit connections are requested,
      and properly signals exhaustion to the network. Fixes issue 40597;
      patch by Alex Xu (Hello71).

  o Minor features (tests):
    - Avoid needless key reinitialization with OpenSSL during unit
      tests, saving significant time. Patch from Alex Xu.

  o Minor bugfix (hs):
    - Fix compiler warnings in equix and hashx when building with clang.
      Closes ticket 40800.

  o Minor bugfix (FreeBSD, compilation):
    - Fix compilation issue on FreeBSD by properly importing
      sys/param.h. Fixes bug 40825; bugfix on 0.4.8.1-alpha.

  o Minor bugfixes (compression):
    - Right after compression/decompression work is done, check for
      errors. Before this, we would consider compression bomb before
      that and then looking for errors leading to false positive on that
      log warning. Fixes bug 40739; bugfix on 0.3.5.1-alpha. Patch
      by "cypherpunks".

  o Minor bugfixes (compilation):
    - Fix all -Werror=enum-int-mismatch warnings. No behavior change.
      Fixes bug 40824; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (protocol warn):
    - Wrap a handful of cases where ProtocolWarning logs could emit IP
      addresses. Fixes bug 40828; bugfix on 0.3.5.1-alpha.

  o Minor bugfix (congestion control):
    - Reduce the accepted range of a circuit's negotiated 'cc_sendme_inc'
      to be +/- 1 from the consensus parameter value. Fixes bug 40569;
      bugfix on 0.4.7.4-alpha.
    - Remove unused congestion control algorithms and BDP calculation
      code, now that we have settled on and fully tuned Vegas. Fixes bug
      40566; bugfix on 0.4.7.4-alpha.
    - Update default congestion control parameters to match consensus.
      Fixes bug 40709; bugfix on 0.4.7.4-alpha.

  o Minor bugfixes (compilation):
    - Fix "initializer is not a constant" compilation error that
      manifests itself on gcc versions < 8.1 and MSVC. Fixes bug 40773;
      bugfix on 0.4.8.1-alpha

  o Minor bugfixes (conflux):
    - Count leg launch attempts prior to attempting to launch them. This
      avoids inifinite launch attempts due to internal circuit building
      failures. Additionally, double-check that we have enough exits in
      our consensus overall, before attempting to launch conflux sets.
      Fixes bug 40811; bugfix on 0.4.8.1-alpha.
    - Fix a case where we were resuming reading on edge connections that
      were already marked for close. Fixes bug 40801; bugfix
      on 0.4.8.1-alpha.
    - Fix stream attachment order when creating conflux circuits, so
      that stream attachment happens after finishing the full link
      handshake, rather than upon set finalization. Fixes bug 40801;
      bugfix on 0.4.8.1-alpha.
    - Handle legs being closed or destroyed before computing an RTT
      (resulting in warns about too many legs). Fixes bug 40810; bugfix
      on 0.4.8.1-alpha.
    - Remove a "BUG" warning from conflux_pick_first_leg that can be
      triggered by broken or malicious clients. Fixes bug 40801; bugfix
      on 0.4.8.1-alpha.

  o Minor bugfixes (KIST):
    - Prevent KISTSchedRunInterval from having values of 0 or 1, neither
      of which work properly. Additionally, make a separate
      KISTSchedRunIntervalClient parameter, so that the client and relay
      KIST values can be set separately. Set the default of both to 2ms.
      Fixes bug 40808; bugfix on 0.3.2.1-alpha.

  o Minor bugfix (relay, logging):
    - The wrong max queue cell size was used in a protocol warning
      logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.

  o Minor bugfixes (logging):
    - Avoid ""double-quoting"" strings in several log messages. Fixes
      bug 22723; bugfix on 0.1.2.2-alpha.
    - Correct a log message when cleaning microdescriptors. Fixes bug
      40619; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (metrics):
    - Decrement hs_intro_established_count on introduction circuit
      close. Fixes bug 40751; bugfix on 0.4.7.12.

  o Minor bugfixes (pluggable transports, windows):
    - Remove a warning `BUG()` that could occur when attempting to
      execute a non-existing pluggable transport on Windows. Fixes bug
      40596; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (relay):
    - Remove a "BUG" warning for an acceptable race between a circuit
      close and considering that circuit active. Fixes bug 40647; bugfix
      on 0.3.5.1-alpha.
    - Remove a harmless "Bug" log message that can happen in
      relay_addr_learn_from_dirauth() on relays during startup. Finishes
      fixing bug 40231. Fixes bug 40523; bugfix on 0.4.5.4-rc.

  o Minor bugfixes (sandbox):
    - Allow membarrier for the sandbox. And allow rt_sigprocmask when
      compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
    - Fix sandbox support on AArch64 systems. More "*at" variants of
      syscalls are now supported. Signed 32 bit syscall parameters are
      checked more precisely, which should lead to lower likelihood of
      breakages with future compiler and libc releases. Fixes bug 40599;
      bugfix on 0.4.4.3-alpha.

  o Minor bugfixes (state file):
    - Avoid a segfault if the state file doesn't contains TotalBuildTimes
      along CircuitBuildAbandonedCount being above 0. Fixes bug 40437;
      bugfix on 0.3.5.1-alpha.

  o Removed features:
    - Remove the RendPostPeriod option. This was primarily used in
      Version 2 Onion Services and after its deprecation isn't needed
      anymore. Closes ticket 40431. Patch by Neel Chauhan.

I’m able to download with 0.4.8.4, but with cells dropping. I may be wrong about this, but it seems that in later versions the cell drop rate became extremely high because of further code changes, to the point where in 0.4.8.9 it made tor unusable with vanguards.

[gateway user ~]% sudo systemctl status vanguards
● vanguards.service - Additional protections for Tor onion services
     Loaded: loaded (/lib/systemd/system/vanguards.service; disabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/vanguards.service.d
             └─30_anon-gw-anonymizer-config.conf
     Active: active (running) since Fri 2024-09-27 06:49:22 UTC; 1min 27s ago
       Docs: man:vanguards(1)
   Main PID: 2683 (vanguards)
      Tasks: 3 (limit: 6074)
     Memory: 49.8M
        CPU: 1.910s
     CGroup: /system.slice/vanguards.service
             └─2683 /usr/bin/python3 /usr/bin/vanguards

Sep 27 06:50:47 host vanguards[2683]: WARNING[Fri Sep 27 06:50:47 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 254 (in state CONFLUX_LINKED None;>
Sep 27 06:50:47 host vanguards[2683]: NOTICE[Fri Sep 27 06:50:47 2024]: We force-closed circuit 254
Sep 27 06:50:49 host vanguards[2683]: WARNING[Fri Sep 27 06:50:49 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 259 (in state CONFLUX_UNLINKED Non>
Sep 27 06:50:49 host vanguards[2683]: NOTICE[Fri Sep 27 06:50:49 2024]: We force-closed circuit 259
Sep 27 06:50:49 host vanguards[2683]: WARNING[Fri Sep 27 06:50:49 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 257 (in state CONFLUX_UNLINKED Non>
Sep 27 06:50:49 host vanguards[2683]: NOTICE[Fri Sep 27 06:50:49 2024]: We force-closed circuit 257
Sep 27 06:50:49 host vanguards[2683]: WARNING[Fri Sep 27 06:50:49 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 256 (in state CONFLUX_UNLINKED Non>
Sep 27 06:50:49 host vanguards[2683]: NOTICE[Fri Sep 27 06:50:49 2024]: We force-closed circuit 256
Sep 27 06:50:49 host vanguards[2683]: WARNING[Fri Sep 27 06:50:49 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 258 (in state CONFLUX_UNLINKED Non>
Sep 27 06:50:49 host vanguards[2683]: NOTICE[Fri Sep 27 06:50:49 2024]: We force-closed circuit 258

zsh: interrupt  sudo systemctl status vanguards
[gateway user ~]% sudo systemctl status vanguards
● vanguards.service - Additional protections for Tor onion services
     Loaded: loaded (/lib/systemd/system/vanguards.service; disabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/vanguards.service.d
             └─30_anon-gw-anonymizer-config.conf
     Active: active (running) since Fri 2024-09-27 06:49:22 UTC; 1min 48s ago
       Docs: man:vanguards(1)
   Main PID: 2683 (vanguards)
      Tasks: 3 (limit: 6074)
     Memory: 49.8M
        CPU: 2.157s
     CGroup: /system.slice/vanguards.service
             └─2683 /usr/bin/python3 /usr/bin/vanguards

Sep 27 06:51:09 host vanguards[2683]: WARNING[Fri Sep 27 06:51:09 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 307 (in state CONFLUX_UNLINKED Non>
Sep 27 06:51:09 host vanguards[2683]: NOTICE[Fri Sep 27 06:51:09 2024]: We force-closed circuit 307
Sep 27 06:51:09 host vanguards[2683]: WARNING[Fri Sep 27 06:51:09 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 306 (in state CONFLUX_UNLINKED Non>
Sep 27 06:51:09 host vanguards[2683]: NOTICE[Fri Sep 27 06:51:09 2024]: We force-closed circuit 306
Sep 27 06:51:09 host vanguards[2683]: WARNING[Fri Sep 27 06:51:09 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 309 (in state CONFLUX_UNLINKED Non>
Sep 27 06:51:09 host vanguards[2683]: NOTICE[Fri Sep 27 06:51:09 2024]: We force-closed circuit 309
Sep 27 06:51:10 host vanguards[2683]: WARNING[Fri Sep 27 06:51:10 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 308 (in state CONFLUX_UNLINKED Non>
Sep 27 06:51:10 host vanguards[2683]: NOTICE[Fri Sep 27 06:51:10 2024]: We force-closed circuit 308
Sep 27 06:51:10 host vanguards[2683]: WARNING[Fri Sep 27 06:51:10 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 311 (in state CONFLUX_UNLINKED Non>
Sep 27 06:51:10 host vanguards[2683]: NOTICE[Fri Sep 27 06:51:10 2024]: We force-closed circuit 311

zsh: interrupt  sudo systemctl status vanguards
[gateway user ~]% sudo systemctl status vanguards
● vanguards.service - Additional protections for Tor onion services
     Loaded: loaded (/lib/systemd/system/vanguards.service; disabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/vanguards.service.d
             └─30_anon-gw-anonymizer-config.conf
     Active: active (running) since Fri 2024-09-27 06:49:22 UTC; 2min 55s ago
       Docs: man:vanguards(1)
   Main PID: 2683 (vanguards)
      Tasks: 3 (limit: 6074)
     Memory: 49.8M
        CPU: 3.145s
     CGroup: /system.slice/vanguards.service
             └─2683 /usr/bin/python3 /usr/bin/vanguards

Sep 27 06:52:16 host vanguards[2683]: WARNING[Fri Sep 27 06:52:16 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 489 (in state CONFLUX_UNLINKED Non>
Sep 27 06:52:16 host vanguards[2683]: NOTICE[Fri Sep 27 06:52:16 2024]: We force-closed circuit 489
Sep 27 06:52:16 host vanguards[2683]: WARNING[Fri Sep 27 06:52:16 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 486 (in state CONFLUX_UNLINKED Non>
Sep 27 06:52:16 host vanguards[2683]: NOTICE[Fri Sep 27 06:52:16 2024]: We force-closed circuit 486
Sep 27 06:52:16 host vanguards[2683]: WARNING[Fri Sep 27 06:52:16 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 487 (in state CONFLUX_UNLINKED Non>
Sep 27 06:52:16 host vanguards[2683]: NOTICE[Fri Sep 27 06:52:16 2024]: We force-closed circuit 487
Sep 27 06:52:17 host vanguards[2683]: WARNING[Fri Sep 27 06:52:17 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 492 (in state CONFLUX_UNLINKED Non>
Sep 27 06:52:17 host vanguards[2683]: NOTICE[Fri Sep 27 06:52:17 2024]: We force-closed circuit 492
Sep 27 06:52:17 host vanguards[2683]: WARNING[Fri Sep 27 06:52:17 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 490 (in state CONFLUX_UNLINKED Non>
Sep 27 06:52:17 host vanguards[2683]: NOTICE[Fri Sep 27 06:52:17 2024]: We force-closed circuit 490

zsh: interrupt  sudo systemctl status vanguards
[gateway user ~]% sudo systemctl status vanguards
● vanguards.service - Additional protections for Tor onion services
     Loaded: loaded (/lib/systemd/system/vanguards.service; disabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/vanguards.service.d
             └─30_anon-gw-anonymizer-config.conf
     Active: active (running) since Fri 2024-09-27 06:49:22 UTC; 6min ago
       Docs: man:vanguards(1)
   Main PID: 2683 (vanguards)
      Tasks: 3 (limit: 6074)
     Memory: 49.8M
        CPU: 5.709s
     CGroup: /system.slice/vanguards.service
             └─2683 /usr/bin/python3 /usr/bin/vanguards

Sep 27 06:55:41 host vanguards[2683]: WARNING[Fri Sep 27 06:55:41 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1019 (in state CONFLUX_UNLINKED No>
Sep 27 06:55:41 host vanguards[2683]: NOTICE[Fri Sep 27 06:55:41 2024]: We force-closed circuit 1019
Sep 27 06:55:41 host vanguards[2683]: WARNING[Fri Sep 27 06:55:41 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1020 (in state CONFLUX_UNLINKED No>
Sep 27 06:55:41 host vanguards[2683]: NOTICE[Fri Sep 27 06:55:41 2024]: We force-closed circuit 1020
Sep 27 06:55:43 host vanguards[2683]: WARNING[Fri Sep 27 06:55:43 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1023 (in state CONFLUX_LINKED None>
Sep 27 06:55:43 host vanguards[2683]: NOTICE[Fri Sep 27 06:55:43 2024]: We force-closed circuit 1023
Sep 27 06:55:43 host vanguards[2683]: WARNING[Fri Sep 27 06:55:43 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1025 (in state CONFLUX_UNLINKED No>
Sep 27 06:55:43 host vanguards[2683]: NOTICE[Fri Sep 27 06:55:43 2024]: We force-closed circuit 1025
Sep 27 06:55:44 host vanguards[2683]: WARNING[Fri Sep 27 06:55:44 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1027 (in state CONFLUX_UNLINKED No>
Sep 27 06:55:44 host vanguards[2683]: NOTICE[Fri Sep 27 06:55:44 2024]: We force-closed circuit 1027

They need to look at all the code changes from 0.4.8.4, 0.4.8.5, 0.4.8.6, 0.4.8.7 to 0.4.8.8. I want to mention that every time vanguards is restarted the problem seems to go away for a while.

Didn’t test. Did you manage to identify the offending git commit?

This script was originally written by a developer in November 2023 when the issue originally came to light. I have modified it to change the initial and last commit. The script works well, but I am not sure if I could get accurate results with regard to the connection dropping, because I see build errors. There are about 80 commits between the initial and final commit, so it would take quite some time, maybe days, with the script running to identify the issue. I posted this here because I am not an expert with bash and would like to find a way to solve the build errors.

1 Like

Were you able to run the script? I know it takes a while. Are you also experiencing build errors?

1 Like

I didn’t try.

And I’d be probably stuck with the same build errors.

In any case of any build errors, please seek support from Tor directly.

Probably best to have this in git?

I was unsuccessful in finding any download errors using the script. Even after building tor with commit “7aa496a2e0”, the tor version still shows as being 0.4.7.16-1. If anyone else has any luck, please try to run the script on Whonix-Gateway and provide feedback. Patrick, I assure you that there is no malware or spyware in the script. I encourage you to run the script. We are all trying to fix this issue. Also, I’m not sure what you meant by your last comment.

#!/bin/bash

# Welcome to tor debugger. I have purposely not used git bisect because I feel it would be very easy to miss commits with issues.

TIME_WHEN_TOR_SOCKS_DOWNLOAD_RUNS_BINARY=""
TIME_WHEN_VANGUARDS_STATUS_RUNS=""
TIME_WHEN_VANGUARDS_STATUS_RUNS_BINARY=""
GET_TEXT_WHERE_THE_WARNING_OCCURS=""

WARNING_WHEN_CELLS_DROP="Possible Tor bug, or possible attack if very frequent"
ALTERNATE_WARNING_WHEN_CELLS_DROP="We force-closed circuit"

FIRST_COMMIT="7aa496a2e0"
#FIRST_COMMIT="a56350abc8"
#FIRST_COMMIT="d7f14a54fb"
CURRENT_COMMIT=""
LAST_COMMIT="364b8c2925"

STOP=0
COMMIT_BEFORE_LAST_COMMIT=""
COMMIT_BEFORE_LAST_COMMIT_TEMP=""

# Local clone of the Tor repository; initialize creates it if it is missing.
DIRECTORY="/home/user/Downloads/tor"

LAUNCH_DIR=$(pwd)

LOG_DIR="${LAUNCH_DIR}/logs"
mkdir -p "${LOG_DIR}"
LOG_FILE="${LOG_DIR}/BuildTest.log"

exec > >(tee -a "$LOG_FILE") 2>&1

# Logs a message in a standardized format to stdout
# $1 The message to log
log() {
    local MSG="${1}"
    local CMD
    CMD="$(basename "${0}")"
    local TIMESTAMP
    TIMESTAMP=$(date -u --rfc-3339=seconds)

    echo "${TIMESTAMP} [BuildTest] [${CMD}] ${MSG}"
}

# Restores HEAD to the last commit and ends the run.
# $1 The message to log before exiting
finish() {
    log "${1}"
    git checkout "$LAST_COMMIT"
    log "The head has been restored to its original location"
    exit
}

# Install all essential tools needed to build Tor.
# Downgrade tor and tor-geoipdb to version 0.4.7.16-1.
# Check if there is a tor directory and then navigate to it. If not, clone it from GitLab.
initialize(){
    sudo apt-get update
    sudo apt-get dist-upgrade -y
    # git and the build dependencies are needed before the clone and the first build
    sudo apt-get install -y git build-essential automake libevent-dev libssl-dev zlib1g-dev pkg-config
    sudo apt-get install tor=0.4.7.16-1 tor-geoipdb=0.4.7.16-1 --allow-downgrades -y
    if [ -d "$DIRECTORY" ]; then
        log "$DIRECTORY does exist."
    else
        git clone https://gitlab.com/torproject/tor.git "$DIRECTORY"
    fi
    cd "$DIRECTORY" || exit 1
    git checkout "$LAST_COMMIT"
    log "Changed to Tor Directory:$DIRECTORY"
    sudo service vanguards start
    # git rev-list prints newest first, so the line after LAST_COMMIT is the commit before it
    COMMIT_BEFORE_LAST_COMMIT_TEMP=$(git rev-list "$FIRST_COMMIT^...$LAST_COMMIT" | grep -A 1 "$LAST_COMMIT" | tail -n 1 | cut -c1-10)
}

# Builds tor from local directory
# git checkout moves head to a particular commit
build_tor_from_source(){
    CURRENT_COMMIT="${1}"
    git checkout "$CURRENT_COMMIT"
    log "Building Tor with commit:$CURRENT_COMMIT"
    ./autogen.sh
    # --prefix=/usr makes make install replace the packaged /usr/bin/tor instead of adding /usr/local/bin/tor
    ./configure --disable-asciidoc --prefix=/usr
    make || finish "Build failed at commit:$CURRENT_COMMIT"
    sudo make install
    # The running daemon still has the old binary loaded; restart it so the new build is what gets tested
    sudo systemctl restart tor@default
    run_tor_socks_download
    get_vanguards_status
    check_if_the_commit_causes_download_errors
}

# A test download is executed.
# The time when the download occurred is captured and converted to binary.
run_tor_socks_download(){
    torsocks curl --fail --silent --show-error --output "/tmp/test.png" "https://onlinetestcase.com/wp-content/uploads/2023/06/1MB.png"
    TIME_WHEN_TOR_SOCKS_DOWNLOAD_RUNS_BINARY=$(echo "obase=2;$(date +%s)" | bc)
    log "Tor Socks curl Download has executed."
    log "Tor socks download time captured in binary."
}

# Gets vanguards status and then captures the line which shows the warning about cells dropped after the curl download.
# The time is converted to binary
get_vanguards_status(){
    # --no-pager so the status output is never held in a pager when run interactively
    GET_TEXT_WHERE_THE_WARNING_OCCURS=$(sudo systemctl status vanguards --no-pager | tail -n 1)
    TIME_WHEN_VANGUARDS_STATUS_RUNS=$(echo "$GET_TEXT_WHERE_THE_WARNING_OCCURS" | cut -c1-15)
    TIME_WHEN_VANGUARDS_STATUS_RUNS_BINARY=$(echo "obase=2;$(date -d "$TIME_WHEN_VANGUARDS_STATUS_RUNS" +%s)" | bc)
    log "Vanguards status time captured in binary."
}

# Tor is built commit by commit to see where the download failures occur.
go_to_next_commit(){
    CURRENT_COMMIT="${1}"
    # The line before CURRENT_COMMIT in rev-list output is the next (newer) commit
    GREP_OUTPUT="$(git rev-list "$FIRST_COMMIT^...$LAST_COMMIT" | grep -B 1 "$CURRENT_COMMIT" | head -n 1)"
    NEXT_COMMIT="$(echo "$GREP_OUTPUT" | cut -c1-10)"
    CURRENT_COMMIT=$NEXT_COMMIT
    log "The latest or last commit to this repository was $LAST_COMMIT"
    GREP_OUTPUT1=$(git rev-list "$FIRST_COMMIT^...$LAST_COMMIT" | grep -A 1 "$CURRENT_COMMIT" | tail -n 1)
    COMMIT_BEFORE_LAST_COMMIT=$(echo "$GREP_OUTPUT1" | cut -c1-10)
    if [[ "$COMMIT_BEFORE_LAST_COMMIT_TEMP" == "$COMMIT_BEFORE_LAST_COMMIT" ]]; then
        log "The commit before the last commit reached"
        STOP=1
    fi
    build_tor_from_source "$CURRENT_COMMIT"
}

# This section of the code checks if the commit causes download errors
check_if_the_commit_causes_download_errors(){
    # See if the warnings occur when vanguards status is checked. If no warnings occur that means this commit is fine.
    if [[ "$GET_TEXT_WHERE_THE_WARNING_OCCURS" =~ "$WARNING_WHEN_CELLS_DROP" ]] || [[ "$GET_TEXT_WHERE_THE_WARNING_OCCURS" =~ "$ALTERNATE_WARNING_WHEN_CELLS_DROP" ]]; then
        if [[ "$TIME_WHEN_VANGUARDS_STATUS_RUNS_BINARY" == "$TIME_WHEN_TOR_SOCKS_DOWNLOAD_RUNS_BINARY" ]]; then
            finish "Download failures have been detected at this commit:$CURRENT_COMMIT"
        fi
        log "Binary times are not matching. So else statement was executed"
    else
        log "The commit:$CURRENT_COMMIT seems to be fine."
    fi
    # Without this check the last commit would be looked up again and the run would never end
    if [[ $STOP == 1 ]]; then
        finish "The build process has been terminated because the last commit has been reached."
    fi
    log "Moving on to the next commit"
    go_to_next_commit "$CURRENT_COMMIT"
}

# Initialize then build tor from source.
initialize
build_tor_from_source "$FIRST_COMMIT"
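The script above only flags a commit when the last vanguards status line carries a dropped-cell warning stamped in the very same second the download finished, so a warning logged one second earlier or later is missed. The following is an added example, not the poster's script and not part of the thread: it stamps the whole download window and counts every dropped-cell warning vanguards logged inside it. The sample log lines are constructed in the journal format shown in the status output above, and the journalctl call and the URL parameter of download_and_check are assumptions.

```shell
#!/bin/sh
# Constructed sample in the journal format vanguards writes (not a real capture).
SAMPLE_LOG='Sep 27 06:55:41 host vanguards[2683]: WARNING[Fri Sep 27 06:55:41 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1019
Sep 27 06:55:41 host vanguards[2683]: NOTICE[Fri Sep 27 06:55:41 2024]: We force-closed circuit 1019
Sep 27 06:55:41 host vanguards[2683]: WARNING[Fri Sep 27 06:55:41 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1020
Sep 27 06:55:43 host vanguards[2683]: WARNING[Fri Sep 27 06:55:43 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1023
Sep 27 06:55:43 host vanguards[2683]: NOTICE[Fri Sep 27 06:55:43 2024]: We force-closed circuit 1023
Sep 27 06:55:44 host vanguards[2683]: WARNING[Fri Sep 27 06:55:44 2024]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 1027'

# count_drops_in_window LOG_TEXT START END
# Counts dropped-cell warnings whose journal timestamp lies in [START, END]; both bounds
# use the journal's own "Mon DD HH:MM:SS" form. Timestamps become an ordering key
# (seconds within the year), which is all a comparison inside one test run needs.
count_drops_in_window() {
    printf '%s\n' "$1" | awk -v start="$2" -v end="$3" '
        function key(stamp,    f, m, i, mon, t) {
            split(stamp, f, " ")
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) if (m[i] == f[1]) mon = i
            split(f[3], t, ":")
            return ((mon * 31 + f[2]) * 86400) + t[1] * 3600 + t[2] * 60 + t[3]
        }
        BEGIN { s = key(start); e = key(end); n = 0 }
        /Possible Tor bug, or possible attack if very frequent/ {
            k = key($1 " " $2 " " $3)
            if (k >= s && k <= e) n++
        }
        END { print n }'
}

# download_and_check URL (assumed helper for use on the gateway itself)
# Stamps the download window, fetches URL through Tor, then reports how many
# dropped-cell warnings vanguards logged inside that window (0 means this build looked fine).
download_and_check() {
    start=$(date '+%b %e %H:%M:%S')
    torsocks curl --fail --silent --show-error --output /tmp/test.png "$1"
    end=$(date '+%b %e %H:%M:%S')
    count_drops_in_window "$(sudo journalctl -u vanguards --no-pager -n 200)" "$start" "$end"
}
```

Run on the sample, a window of 06:55:41 to 06:55:43 reports 3 warnings while the script's same-second test would see at most the one on the last line.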

sudo service vanguards start

Ok, but…

You build it, you run “sudo make install”, but you’re not restarting the Tor systemd unit. I guess this line is missing:

sudo systemctl restart tor@default

Or

sudo service tor@default restart

Therefore you’re not really testing any different git commits and keep running the system installed version.

I also don’t know if make install installs to /usr/bin/tor or /usr/local/bin/tor. If it is the latter case, then “sudo service tor@default restart” would not start it.

Installing by building from source installs to /usr/local/bin/tor. Installing using apt installs to /usr/bin/tor.

From a web search maybe the appropriate way to restart Tor would be:

sudo systemctl restart tor.service

That works because at the time of writing Whonix is using systemd by default.
Using the service command above is also possible. Debian kept service as a compatibility wrapper.

This explains why the above test did not show a changed version number or a bug reproduction.

TODO: Figure out how to use sudo make install to install to /usr instead of /usr/local.