I noticed this on some websites that get a Cloudflare “Checking if the site connection is secure” CAPTCHA without a puzzle that never goes away (this might be Cloudflare in its Bot Fight Mode behavior, but I’m not sure).
What happens is that I see the page reload without my input, and after checking the circuit display, it shows a different circuit than it had originally. This sometimes repeats for a while, all happening within seconds or minutes, and definitely not exceeding the 10-minute circuit reset timer that I think Tor Browser has. A normal page reload triggered by me doesn’t cause a new circuit to be created.
How does this happen, and should it be prevented? I feel like an adversary could theoretically use this to ‘harvest’ information about all those exits they now know the same client is associated with, information which I suppose could make de-anonymization attacks easier.
I also notice that when I visit some pages the same thing happens to me: the circuit keeps changing every few seconds until it finally settles on a “stable” circuit. I don’t think Cloudflare CAPTCHAs were involved in the pages I visit which do this. I don’t know what the reason is, and I also wonder how and why this happens and if it is exploitable or something to worry about.
Well, not every node in the circuit is stable, and if you happen to create a circuit with a relay with really low specs, depending on the traffic it is already handling plus your traffic, it may become unresponsive and drop some circuits to keep others alive. This doesn’t mean it is your problem at all, just a thought of my own. I operate a relay with limited hardware (but enough to usefully contribute) and it has become unresponsive a couple of times, especially after some days without maintenance. I do care about my relay and limit its capabilities to what it can handle, but I bet there are operators out there who just set it up, tweak it a little and completely forget about it.
About Cloudflare’s captcha… all I can think of is the typical compression bomb warning we get from time to time. I’d say it’s not that, as I believe it requires some more data to be decompressed, but maybe something of the kind. It causes our relays to deploy anti-DoS methods and drop those circuits immediately to avoid crashing and affecting all of the other circuits we are involved in.
Indeed, on some sites, Tor changes circuit almost every second. This makes working with the site very difficult. And the problem is deeper than it seems.
Then if the circuit is quickly automatically changed, blocked nodes can be used, which can create a big security risk. Excessive circuit changes ignore the rules for using nodes.
This situation happens. You restrict the output node, for example {PL}, and enter the site. You pass the captcha. After a few seconds, the circuit changes and any action you take on the site returns you to a captcha, which becomes endless. At the same time, the change of circuit can stop in any country, and not just {PL}. Even if the nodes of this country are excluded. When you manually change the circuit, the rules begin to apply again and the output node becomes {PL}. The site remembers that you have already completed the captcha and works fine. Until a few seconds later a new cascade of circuit changes occurs.
1. StrictExitNodes and StrictEntryNodes are obsolete and have no effect. Use StrictNodes instead.
2. StrictNodes does not apply to ExcludeExitNodes, ExitNodes, MiddleNodes, or MapAddress. It works only for ExcludeNodes.
3. Sites that are sensitive to IP address changes can be listed in the TrackHostExits option and given an alternative interval between circuit changes using the TrackHostExitsExpire option.
So I ran several tests with the new syntax. And the problem still exists. I indicated the site with Cloudflare in TrackHostExits. When showing a captcha, nodes change every second. Then I added Canada (it is often an emerging but slow node) to ExcludeExitNodes. I also limited ExitNodes to several countries (among which there is no Canada). The site with Cloudflare continues to change nodes every second. And it often uses countries not indicated in the list of permissible countries, such as Germany, and including prohibited Canada. I mean exit nodes, of course. Okay, then I tried adding TrackHostExitsExpire 2000 and it works very strangely. Yes, the node shift frequency has slowed down, from every second to every 10-20 seconds. By the way, I use Snowflake. Perhaps this is related.
When using Tor, it determines a circuit, and I remember old versions of Tor on Android allowed the user to select circuits. When I am connected to a circuit, it may change while connected to a site or not at all. For example, if I go to https://speed.cloudflare.com/ the circuit changes frequently.
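
The three torrc points listed earlier in this thread (obsolete StrictExitNodes/StrictEntryNodes, the limited scope of StrictNodes, and TrackHostExits with TrackHostExitsExpire), as an added example that is not part of any post: a small Python check run over a constructed torrc. The helper names, the sample file and the hostname in it are assumptions made for this example.

```python
# Added example: lint a torrc against the three points listed in this thread.
# SAMPLE_TORRC is constructed; lint_torrc() is a hypothetical helper name.
import re

OBSOLETE = {"strictexitnodes", "strictentrynodes"}   # superseded by StrictNodes
NOT_STRICT = ("ExcludeExitNodes", "ExitNodes", "MiddleNodes", "MapAddress")
SAMPLE_TORRC = """\
# constructed sample, loosely modelled on the settings described above
StrictExitNodes 1
StrictNodes 1
ExitNodes {pl},{de},{ca}
ExcludeExitNodes {CA}
TrackHostExits .example.com
TrackHostExitsExpire 2000
"""

def parse(text):
    """Return {lowercased option: (name as written, value)}.
    Simplification: a later line overwrites an earlier one."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0].lower()] = (parts[0], parts[1].strip() if len(parts) > 1 else "")
    return opts

def countries(value):
    """Country codes written as {xx}, lowercased."""
    return {c.lower() for c in re.findall(r"\{(\w\w)\}", value)}

def lint_torrc(text):
    opts, notes = parse(text), []
    for key in sorted(opts.keys() & OBSOLETE):
        notes.append(f"{opts[key][0]}: obsolete, no effect; use StrictNodes")
    if opts.get("strictnodes", ("", "0"))[1] == "1":
        used = [n for n in NOT_STRICT if n.lower() in opts]
        if used:
            notes.append("StrictNodes does not apply to: " + ", ".join(used))
        if "excludenodes" not in opts:
            notes.append("StrictNodes set without ExcludeNodes")
    both = (countries(opts.get("exitnodes", ("", ""))[1])
            & countries(opts.get("excludeexitnodes", ("", ""))[1]))
    if both:
        notes.append("listed in ExitNodes and ExcludeExitNodes: " + ",".join(sorted(both)))
    if "trackhostexits" in opts:
        expire = opts.get("trackhostexitsexpire", ("", "not set"))[1]
        notes.append(f"TrackHostExits {opts['trackhostexits'][1]} expire={expire}")
    return notes

if __name__ == "__main__":
    print("\n".join(lint_torrc(SAMPLE_TORRC)))
```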