I use Syncthing on an Ubuntu 16.04 desktop, a CentOS 7 server (gollum), and two Fedora 24 servers (frodo and samwise) (the servers are all hosted on DigitalOcean, specifically one of the NY data centers). Recently I’ve been getting messages saying that these servers speak an older version of the protocol and have since been disconnected.
Now I’m getting two requests from the same IP address (in France, according to ipinfo.io), with different device IDs, claiming to be both frodo and samwise. I run a web server on frodo, so I checked that IP address in my browser and I get a Debian Nginx landing page. I have three questions:
1. How could this attacker (for attacker it clearly is) have gotten my device ID?
2. How could this attacker know how my other machines identified themselves?
3. Has this attack vector been seen before in the wild?
Both frodo and samwise are running syncthing 0.13, and gollum is running the incompatible 0.14. Gollum cannot talk directly to frodo or samwise, so a relay connection is used.
In the “old device version” message, the relay’s address is shown (which makes sense, but is a bit unfortunate as it can only lead to confusion) because that’s where the connection came from.
Actually, syncthing --version shows 0.14.3 on all machines, but I’ve been getting “gollum wants to connect using protocol 0.13.9”. I restarted the daemons and gollum has since connected correctly, but the hobbits have not. The ports are open. Should I open a new thread?