Bitcoin Forum
Topic: Bitcoin-QT bypassing Tor
Rampion (OP)
Legendary
April 20, 2015, 10:59:13 AM
 #1

I'm running Bitcoin Core 0.10.0 and while I have it configured to run through Tor only, it's been a few weeks that the client tries to bypass Tor and connect directly to 100.64.68.8 or other IP addresses in the same subnet.

My reverse firewall is blocking it, but it seems very strange to me that the client tries to bypass Tor, that looks like a privacy/security problem.

Has anyone seen the same behavior?

scientific
Newbie
April 20, 2015, 12:18:00 PM
 #2

> I'm running Bitcoin Core 0.10.0 and while I have it configured to run through Tor only, it's been a few weeks that the client tries to bypass Tor and connect directly to 100.64.68.8 or other IP addresses in the same subnet.
>
> My reverse firewall is blocking it, but it seems very strange to me that the client tries to bypass Tor, that looks like a privacy/security problem.
>
> Has anyone seen the same behavior?

Can you reproduce this every time? I mean, does it happen right when you start the program or at random times?
Rampion (OP)
Legendary
April 20, 2015, 12:58:23 PM
 #3

> > I'm running Bitcoin Core 0.10.0 and while I have it configured to run through Tor only, it's been a few weeks that the client tries to bypass Tor and connect directly to 100.64.68.8 or other IP addresses in the same subnet.
> >
> > My reverse firewall is blocking it, but it seems very strange to me that the client tries to bypass Tor, that looks like a privacy/security problem.
> >
> > Has anyone seen the same behavior?
>
> Can you reproduce this every time? I mean, does it happen right when you start the program or at random times?

Today it happened right when I started Bitcoin Core, but usually it happens at random times.

scientific
Newbie
April 20, 2015, 01:50:22 PM
 #4

> > > I'm running Bitcoin Core 0.10.0 and while I have it configured to run through Tor only, it's been a few weeks that the client tries to bypass Tor and connect directly to 100.64.68.8 or other IP addresses in the same subnet.
> > >
> > > My reverse firewall is blocking it, but it seems very strange to me that the client tries to bypass Tor, that looks like a privacy/security problem.
> > >
> > > Has anyone seen the same behavior?
> >
> > Can you reproduce this every time? I mean, does it happen right when you start the program or at random times?
>
> Today it happened right when I started Bitcoin Core, but usually it happens at random times.

Certainly shouldn't happen. Are these connection attempts to remote port 8333 or something else? Maybe you can get a packet capture.
Rampion (OP)
Legendary
April 20, 2015, 02:08:38 PM
 #5

> > > > I'm running Bitcoin Core 0.10.0 and while I have it configured to run through Tor only, it's been a few weeks that the client tries to bypass Tor and connect directly to 100.64.68.8 or other IP addresses in the same subnet.
> > > >
> > > > My reverse firewall is blocking it, but it seems very strange to me that the client tries to bypass Tor, that looks like a privacy/security problem.
> > > >
> > > > Has anyone seen the same behavior?
> > >
> > > Can you reproduce this every time? I mean, does it happen right when you start the program or at random times?
> >
> > Today it happened right when I started Bitcoin Core, but usually it happens at random times.
>
> Certainly shouldn't happen. Are these connection attempts to remote port 8333 or something else? Maybe you can get a packet capture.

Yes, these connections are definitely attempts to remote port 8333. Didn't have Wireshark running, but here goes a screenshot of my reverse firewall.

gmaxwell
Moderator
Legendary
April 20, 2015, 04:44:24 PM
Last edit: April 20, 2015, 05:10:15 PM by gmaxwell
 #6

That's not very informative; is there a way to tell if that isn't an _inbound_ connection that someone is trying to make towards you?

100.64/10 is reserved private address space and not generally routable on the internet; see RFC 6598.
Rampion (OP)
Legendary
April 20, 2015, 06:14:18 PM
Last edit: April 20, 2015, 06:52:02 PM by Rampion
 #7

> That's not very informative; is there a way to tell if that isn't an _inbound_ connection that someone is trying to make towards you?
>
> 100.64/10 is reserved private address space and not generally routable on the internet; see RFC 6598.

I'll try to get the packet capture with Wireshark ASAP; hopefully that's more informative.

FYI: my reverse firewall lists this connection as an outbound one - you can see in the screenshot I uploaded an arrow pointing to 100.64.68.8, that means the connection was outbound, when it is inbound the arrow points to the opposite side and I get a different type of pop-up warning.

Summing up, either my firewall is screwing up or this is definitely an outbound clearnet connection attempt from a Bitcoin Core instance which is supposed to connect only via Tor.

Should I worry?

gmaxwell
Moderator
Legendary
April 21, 2015, 12:15:58 AM
 #8

No reason to panic, let's just investigate. There have been leaks in the past but I'm not aware of any right now; doesn't mean there aren't any. Are the DNS servers your host is using any of those IPs? Do those IPs get mentioned at all in your debug.log?
Blazr
Hero Member
April 21, 2015, 06:30:16 PM
 #9

Are you connecting to clearnet nodes over Tor? In some cases Tor assigns an internal IP to a hidden service to allow for proper DNS resolution etc, maybe you are connecting to clearnet nodes, and whenever your client tries to connect to a hidden service, Tor assigns it an internal IP, which is then blocked by your firewall.

Do you have onlynet=tor in your config? This will force you to only connect to hidden services.

Rampion (OP)
Legendary
January 27, 2016, 12:19:17 AM
 #10

> No reason to panic, let's just investigate. There have been leaks in the past but I'm not aware of any right now; doesn't mean there aren't any. Are the DNS servers your host is using any of those IPs? Do those IPs get mentioned at all in your debug.log?

My Bitcoin 0.11.2 keeps trying to bypass Tor. To answer Gregory's questions:

- my DNS servers are not using these IPs

- yes, these IPs are mentioned in my debug.log, which says "failed: Host is down" because I keep blocking these connections with my reverse firewall

Today I allowed one such connection and captured it with Wireshark. Any specific info you would like me to post to try to understand why Bitcoin Core is bypassing Tor?

> Are you connecting to clearnet nodes over Tor? In some cases Tor assigns an internal IP to a hidden service to allow for proper DNS resolution etc, maybe you are connecting to clearnet nodes, and whenever your client tries to connect to a hidden service, Tor assigns it an internal IP, which is then blocked by your firewall.
>
> Do you have onlynet=tor in your config? This will force you to only connect to hidden services.


I don't have "onlynet=tor" in my config; I just configured the SOCKS5 proxy on the Network settings in the Preferences of Core.
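
Added example, not part of the thread and not Bitcoin Core code: one way to follow up on the debug.log question above is to pull every failed connection target out of the log and classify it against special-use IPv4 ranges such as the RFC 6598 block. The sample log lines and their format, the proxy endpoint 127.0.0.1:9050 and the function names are assumptions made for illustration; only the "failed: Host is down" wording comes from the posts.

```python
import ipaddress
import re
from collections import Counter

# Special-use IPv4 ranges; 100.64.0.0/10 is the RFC 6598 block cited in the thread.
NETS = [(label, ipaddress.ip_network(cidr)) for label, cidr in [
    ("RFC 6598 shared (CGN)", "100.64.0.0/10"),
    ("RFC 1918 private", "10.0.0.0/8"),
    ("RFC 1918 private", "172.16.0.0/12"),
    ("RFC 1918 private", "192.168.0.0/16"),
    ("loopback", "127.0.0.0/8"),
]]
OTHER = "not in a listed special-use range"

# Dotted-quad IPv4 address followed by a port, e.g. 100.64.68.8:8333
ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

def classify(ip):
    """Return the label of the first listed range containing ip, else OTHER."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on e.g. 999.1.1.1
    return next((label for label, net in NETS if addr in net), OTHER)

def failed_endpoints(lines, proxy=("127.0.0.1", 9050)):
    """Count (ip, port, label) over failed-connection lines, skipping the assumed local SOCKS5 proxy."""
    hits = Counter()
    for line in lines:
        if "failed" not in line:
            continue
        for ip, port in ENDPOINT.findall(line):
            try:
                label = classify(ip)
            except ValueError:  # regex matched something that is not a valid address
                continue
            if (ip, int(port)) != proxy:
                hits[(ip, int(port), label)] += 1
    return hits

# Constructed sample lines (hypothetical format); only "failed: Host is down" is from the thread.
SAMPLE_LOG = [
    "2016-01-26 23:50:01 connect() to 100.64.68.8:8333 failed: Host is down",
    "2016-01-26 23:52:14 connect() to 100.64.68.9:8333 failed: Host is down",
    "2016-01-26 23:53:30 connect() to 100.64.68.8:8333 failed: Host is down",
    "2016-01-26 23:55:40 connect() to 127.0.0.1:9050 failed: Connection refused",
    "2016-01-26 23:56:02 receive version message: /Satoshi:0.11.2/",
]

if __name__ == "__main__":
    for (ip, port, label), n in failed_endpoints(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip}:{port}  {label}")
```

Any entry reported here is a destination the node tried to reach without going through the proxy endpoint passed in, which is what a packet capture or firewall log would then need to confirm.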
