[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: First results of analysis

To: or-talk@xxxxxxxxxxxxx, "Alexander W. Janssen" <yalla@xxxxxxxxxxxx>
Subject: Re: First results of analysis
From: coderman <coderman@xxxxxxxxx>
Date: Thu, 5 Oct 2006 17:35:59 -0700
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Thu, 05 Oct 2006 20:36:10 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=gFsw1Usqt2dg59woZ1X3kvo6I5Ftm0sBVsgmJktwgImxs21g3kyVPJNyNob2ZUs9zv7nE0MZyAdl5o34ggB4AUlYwA393wDw+vLn5ydpx4I7Qe8fHTDVkpYQSE02LcotboEyDKmoyL0J1MtGeWDpf0hLksGIGnlb5Dn/V4yDU6o=
In-reply-to: <20061005155651.GA30344@gmx.de>
References: <45226626.90203@Gmx.net> <20061003154813.GA31075@deadbox.ath.cx> <20061003161048.GA9281@gmx.de> <20061004163314.GB23881@gmx.de> <rknwz71qez8h.xowlj2nmtp3q$.dlg@40tude.net> <20061005154105.GA29448@gmx.de> <20061005155651.GA30344@gmx.de>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On 10/5/06, Alexander W. Janssen <yalla@xxxxxxxxxxxx> wrote:

...
i checked 1161 nodes in total.
269 of them where responsive exit-nodes, all behaving correctly.


or just behaving when you were looking?  ;)

9 exitnodes where responsive, but their had some proxy installed which didn't
behave quite correct when you accessed a webpage with the notation
original.url.$nodename.exit; the error-messages varied from
"could not resolve" (looks like a DNS-leak to me) over "502 Bad Gateway"
through "502 Proxy Error".


if i were a rogue exit node i'd make sure that i leave all explicitly
routed *.exit requests alone and only MITM the rest :)

most of the exits running proxies are probably doing so with honest
intent, a caching proxy for example, and not actively logging /
attacking traffic.

[ commodore64 which is running a squid proxy on all port 80 it is
exiting is probably doing so for caching purposes:
http://serifos.eecs.harvard.edu/cgi-bin/desc.pl?q=commodore64 ]

However, in my list of exit-nodes i couldn't find any host which showed the
described behaviour. My test-URL was http://www.linux-magazine.com/.


the malicious exits seem to be rare (that is, the explicit attempts to
capture login / pass or route to phishing / spoofed sites).

a banking URL or web mail service would be a better test case for
these types of attacks.

So there is still some space left for discussion: Did i miss the "bad" or
"banned" exitnode?


it's been many weeks since i've seen an exit explicitly attacking
traffic to get account info.  so not a big problem to date... [and
that exit is long gone - someone said they were doing it as a warning
/ proof-of-concept?  i don't remember.]

However we probably should think if we should install some kind of early
warning system.


what you _really_ want is a reliable reputation metric for Tor nodes,
which is actually a very hard problem to do well without opening up
other attacks / vulnerabilities for the network as a whole.

I could imagine something like this: Every client checks once
per day some random website on the internet via, let's say, 10 random
exit-nodes and compares the results. If something is wrong the exitnode could
be signalled to a real human which could verify the claim.

How do you think about that?


- random pages will miss the targeted attacks on things like webmail
or banking sites.
- you may want to avoid checking with .exit so you don't tip off the
rogue nodes you are making a test request.
- comparing "wrong" results without lots of false positives is hard,
as most site changes are legitimate (rolling ad content, news or other
notices, etc).

some kind of automated testing for rogue exits would be useful though.

Follow-Ups:
- Re: First results of analysis
  - From: Claude LaFrenière

References:
- More bad tor server?
  - From: News Assi
- Re: More bad tor server?
  - From: nile
- Re: More bad tor server?
  - From: Alexander W. Janssen
- Analyzing TOR-exitnodes for anomalies
  - From: Alexander W. Janssen
- Re: Analyzing TOR-exitnodes for anomalies
  - From: Claude LaFrenière
- Re: Analyzing TOR-exitnodes for anomalies
  - From: Alexander W. Janssen
- First results of analysis
  - From: Alexander W. Janssen

Prev by Author: Re: forcing tor to build a new circuit [was: tor and its speed]
Next by Author: Re: Tor-compatible secure email systems
Previous by thread: First results of analysis
Next by thread: Re: First results of analysis
Index(es):
- Author
- Thread