Missing Middle Box

[adquadratum]

I am in a middle box situation with certainty. I actually caught the man doing an ARP attack in August of 2016. I have collected quite a pile of evidence in screen shots of ip addresses.

My telephone was configured for TOR and I am pretty sure it was set to Toriffy all traffic. Initially Ooniprobe did not detect a middle box. I am not sure of this step but I think that I changed the phone settings to ignore IPV6. Then Ooniprobe detected a middle box twice. Then my phone was hacked and now says that transparent proxy is not supported and TOR no longer works. Ooniprobe on my phone no longer detects a middle box.

I installed Lepidopter on a Raspberry pi and noticed that the screen reports an IPV4 address as it should but users=0 so I cant tell whether it is functioning. It just sits at the command prompt. The IPV4 address is 192.168.1.64. My computer shows an IPV6 address until I set it to ignore and reset. Then I see is 173.183.190.200 which is a change from the Ooniprobe from my phone. I just got a new service and router in the same building as is being monitored. It was on AS852.

The method being used here seems similar to a method listed on the forum to block individual web sites. IPV6/DNS misdirection. Here it is being used to redirect the entire internet.

Thank-you for your hard work on this magnificent tool! If I can help let me know.

Greg Rudy

[anadahz]

Hello @adquadratum it seems that there is some confusion and I'm not quite sure I understand the issue here I will try to go through your report and try to make some sense.

I am in a middle box situation with certainty. I actually caught the man doing an ARP attack in August of 2016. I have collected quite a pile of evidence in screen shots of ip addresses.

Not sure how you actually found out about the attack but perhaps it will be useful to share this report with some people in private that may be able to help you (email?).

My telephone was configured for TOR and I am pretty sure it was set to Toriffy all traffic. Initially Ooniprobe did not detect a middle box. I am not sure of this step but I think that I changed the phone settings to ignore IPV6. Then Ooniprobe detected a middle box twice. Then my phone was hacked and now says that transparent proxy is not supported and TOR no longer works. Ooniprobe on my phone no longer detects a middle box.

If you are torifying all network traffic on your phone ooniprobe will run tests via the Tor network instead of the network that you are currently and the ooniprobe reports that you are reading are (most probably) not relevant to your network.

I installed Lepidopter on a Raspberry pi and noticed that the screen reports an IPV4 address as it should but users=0 so I cant tell whether it is functioning. It just sits at the command prompt. The IPV4 address is 192.168.1.64. My computer shows an IPV6 address until I set it to ignore and reset. Then I see is 173.183.190.200 which is a change from the Ooniprobe from my phone. I just got a new service and router in the same building as is being monitored. It was on AS852.

In order to initialize ooniprobe you need to access it's web interface usually reachable under the URL: http://lepidopter.local
Please read the documentation on how to access ooniprobe's web interface in lepidopter or let us know if you experience any issue with that.

The method being used here seems similar to a method listed on the forum to block individual web sites. IPV6/DNS misdirection. Here it is being used to redirect the entire internet.

I don't understand which method are you referring to?

Thank you reporting this issue, hope this helps you.

[koushikcs562]

Hello @adquadratum and @anadahz,
This is a complicated situation. I'd like to try and break down the issues to help you get Lepidopter running correctly and clarify how OONI reports relate to your network environment.

1. Lepidopter Configuration / Web Interface
   The key issue with your Raspberry Pi seems to be setup. As @anadahz noted, the users=0 and command prompt indicate you haven't yet configured the OONI probe via the web interface.
   Action: Please follow the documentation to access the web interface, usually at http://lepidopter.local (or http://192.168.1.64 in your case, assuming you are on that local network). The web interface is where you select the tests to run.
2. OONI Tests and Torification
   @anadahz is correct: If you configure a device (like your phone) to use a transparent Tor proxy (torify all traffic), OONI will measure the Tor network's path, not your local network's path.
   To measure your local network/ISP (where the middle box might be): OONI tests must run on the clear, un-Torified connection.
   To measure censorship/interference on the Tor network itself: OONI tests should run over Tor.
   The shift in IP addresses you observed is expected if you switch between running OONI over Tor and running it over the clear connection.
3. Diagnosing Middle Box/ARP Attacks
   The ARP attack and IPV6/DNS misdirection are highly concerning.