Unfamiliar IP address want to connects to my Syncthing instance -- but is spoofing my server names

I use Syncthing on an Ubuntu 16.04 desktop, a CentOS 7 server (gollum), and two Fedora 24 servers (frodo and samwise) (the servers are all hosted on DigitalOcean, specifically one of the NY data centers). Recently I’ve been getting messages saying that these servers speak an older version of the protocol and have since been disconnected.

Now I’m getting two requests from the same IP address (in France, according to ipinfo.io), with different device IDs, claiming to be both frodo and samwise. I run a web server on frodo, so I checked that IP address in my browser and I get a Debian Nginx landing page. I have three questions:

  1. How could this attacker (for attacker it clearly is) have gotten my device ID?
  2. How could this attacker know how my other machines identified themselves?
  3. Has this attack vector been seen before in the wild?

Relay connections, almost certainly.

Can you point me at some docs explaining this?

Never mind, I see them. (https://docs.syncthing.net/users/relaying.html) – how would I verify this?

In the console logs, you’ll see the connection type mentioned in the same line as the address etc, at the end.

You can also compare the IP address against the list of relays on http://relays.syncthing.net, and disable relaying to see if it goes away.

1 Like

Awesome. Thanks. It’s a relay server.

1 Like

Both frodo and samwise are running syncthing 0.13, and golumn is running the incompatible 0.14. Golumn cannot talk directly to frodo or samwise, so a relay connection is used.

In the “old device version” message, the relay’s address is shown (which makes sense, but is a bit unfortunate as it can only lead to confusion) because that’s where the connection came from.

No attackers necessary. Clearly :slight_smile:


Ha, sure, maybe I jumped the gun a bit.

Actually, syncthing --version shows 0.14.3 on all machines, but I’ve been getting “gollum wants to connect using protocol 0.13.9”. I restarted the daemons and gollum has since connected correctly, but the hobbits have not. The ports are open. Should I open a new thread?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.