[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]



...However none of the mentioned below router nicknames or fingerprints
was found in the current local cache file.

-------- Original Message --------
Subject: High-traffic Colluding Tor Routers in Washington, D.C.  Confirmed
Date: Thu, 12 Apr 2007 23:35:52 -0400
From: Nostra2004@xxxxxxxxxxxxx
To: cypherpunks@xxxxxxxx

A group of 9 Tor routers also functioning overtly or indirectly as Tor
exit nodes have been observed colluding on the public Tor network.

The colluding routers map to two /16 IP subnets administered by Cogent
(formerly by PSINet) [1]. Traceroute reveals all routes to these routers
pass through Rethem.demarc.cogentco.com (38.112.12.190) at the final hop.

Analysis of a local snapshot of the Tor cached-routers file from
2006-05-27 first suggested the presence of colluding routers. The
analysis yielded the following information:

  - 9 Tor routers self-identified as aala, donk3ypunch, TheGreatSantini,
mauger, paxprivoso, soprano1, hubbahubbahubba, m00kie, and joiseytor
together reported carrying what amounted to 11% of the traffic on the
Tor network at the time of the snapshot, while the remaining 89% of Tor
traffic was carried by the other 551 (approximated) routers.

  - All 9 of these routers appear to be located in the Washington, D.C.
area.

  - 5 of these routers are on the same 149.9.0.0/16 IP subnet.

  - 4 of these routers are on the same 154.35.0.0/16 IP subnet.

  - All 9 routers reported running Tor 0.1.0.16 on FreeBSD i386 machines.

  - All 9 routers reported nearly identical uptimes.

  - 3 of the 5 routers on the 149.9.0.0/16 IP subnet reported providing
outproxy service for DNS, HTTP, POP3, IMAP, HTTPS, AIM and IRC traffic
on Tor.

  - The other 2 routers on the 149.9.0.0/16 IP subnet reported rejecting
all outproxy traffic.

  - The 4 routers on the 154.35.0.0/16 IP subnet reported providing
outproxy service for the above traffic plus SSH and NNTP.


Collusion was definitively established by the following method:

1. The following lines were added to the local torrc:

   ExitNodes donk3ypunch,mauger,paxprivoso,soprano1,hubbahubbahubba,
m00kie,joiseytor
   StrictExitNodes 1

2. The local Tor client was restarted so the new configuration would
take effect

3. Using Tor as an HTTP proxy, the websites of the IP address mirror
services whatismyip.com and whatsmyipaddy.com were visited repeatedly
over the course of one hour

The results: An IP address of 149.9.0.25 was always reported by the IP
address mirror services. This is not the IP address of any of the exit
nodes forced by the new torrc configuration, but rather the address of
aala, one of the 2 other colluding Tor routers which report themselves
as rejecting direct Tor HTTP outproxy traffic.

Although further testing is needed, it appears that all 8 of the other
Tor routers identified may be forwarding their HTTP outproxy traffic to
the router known as aala, and that aala may be performing the exit node
duties on their behalf. aala may perform exit node duties for all
protocols supported by this collusion network--not merely HTTP. This
strategy would make aala a single point of transit (and possible data
retention or traffic analysis) for up to 11% of the traffic leaving and
entering the Tor network through exit nodes.

The function in this collusion network of the router identified as
TheGreatSantini is still undetermined. Its published exit policy, like
aala's, purported to reject all outproxy traffic, yet it hasn't been
observed acting as an outproxy as aala has. It may simply serve as an
intermediate router.

Due to the sheer amount of traffic apparently passing through this
collusion network, consolidation and analysis of exit node traffic is
only one of several forms of anonymity attacks made more feasible. Hence
these 9 routers appear to pose a significant anonymity threat to users
of the public Tor network.


-------------------------------------------

Excerpted router descriptor data [2] of colluding routers taken from
snapshot of local Tor cached-routers file on 2006-05-27


1.	router aala 149.9.0.25 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 16:39:07
	opt fingerprint 3F8A 0FF0 39E0 E047 6EF9 24C2 7519 2A59 E6AE 58FB
	uptime 2462963
	bandwidth 2097152 5242880 695815
	reject *:*

	(Observed throughput for this router: 695.82 KB/s)

2.	router donk3ypunch 149.9.25.222 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 16:00:20
	opt fingerprint AA40 19D8 5823 518F 0904 3F05 E61E AE5E 52CA 78B4
	uptime 2460631
	bandwidth 2097152 5242880 700879
	accept *:53
	accept *:80
	accept *:110
	accept *:143
	accept *:443
	accept *:5190
	accept *:6660-6669
	reject *:*

	(Observed throughput for this router: 700.88 KB/s)

3.	router TheGreatSantini 149.9.92.194 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 17:39:30
	opt fingerprint 2C75 CCA2 A663 5D80 B286 B2EC 88AC A449 333F 6018
	uptime 2466570
	bandwidth 2097152 5242880 683980
	reject *:*

	(Observed throughput for this router: 683.98 KB/s)

4.	router mauger 149.9.137.153 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 11:39:56
	opt fingerprint 00E0 3AAF EE0A 45BF E617 7DD3 E45B 91B2 EC15 E554
	uptime 2445004
	bandwidth 2097152 5242880 728744
	accept *:53
	accept *:80
	accept *:110
	accept *:143
	accept *:443
	accept *:5190
	accept *:6660-6669
	reject *:*

	(Observed throughput for this router: 728.74 KB/s)

5.	router paxprivoso 149.9.205.73 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 18:20:52
	opt fingerprint 66E8 A96B 5AB3 702A 16F3 85CD A11F 569A 3302 7224
	uptime 2469058
	bandwidth 2097152 5242880 801391
	accept *:53
	accept *:80
	accept *:110
	accept *:143
	accept *:443
	accept *:5190
	accept *:6660-6669
	reject *:*

	(Observed throughput for this router: 801.40 KB/s)

6.	router m00kie 154.35.36.18 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 09:39:34
	opt fingerprint 72C7 F3BA AF5B 4AF6 878F 6970 5842 80B2 F97A 07D4
	uptime 2437788
	bandwidth 2097152 5242880 774745
	accept *:22
	accept *:53
	accept *:80
	accept *:110
	accept *:119
	accept *:143
	accept *:443
	accept *:5190
	accept *:6660-6669
	reject *:*

	(Observed throughput for this router: 774.75 KB/s)

7.	router hubbahubbahubba 154.35.47.59 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 12:39:56
	opt fingerprint 86C8 B35E D131 1782 490B 7E8F FD79 F23D 51D4 620F
	uptime 2448609
	bandwidth 2097152 5242880 696962
	accept *:22
	accept *:53
	accept *:80
	accept *:110
	accept *:119
	accept *:143
	accept *:443
	accept *:5190
	accept *:6660-6669
	reject *:*

	(Observed throughput for this router: 696.96 KB/s)

8.	router soprano1 154.35.72.223 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 20:20:58
	opt fingerprint F902 4CBC D340 93C4 D9E1 D1F7 FA82 F5D4 A57F 25B5
	uptime 2476261
	bandwidth 2097152 5242880 857343
	accept *:22
	accept *:53
	accept *:80
	accept *:110
	accept *:119
	accept *:143
	accept *:443
	accept *:5190
	accept *:6660-6669
	reject *:*

	(Observed throughput for this router: 857.34 KB/s)

9.	router joiseytor 154.35.85.17 9001 0 9030
	platform Tor 0.1.0.16 on FreeBSD i386
	published 2006-05-27 20:00:30
	opt fingerprint 7BC2 DC0A 06CA C5B6 21BE D132 AD3A 7217 0BBF 5FDB
	uptime 2475043
	bandwidth 2097152 5242880 729315
	accept *:22
	accept *:53
	accept *:80
	accept *:110
	accept *:119
	accept *:143
	accept *:443
	accept *:5190
	accept *:6660-6669
	reject *:*

	(Observed throughput for this router: 729.32 KB/s)

-------------------------------------------

Total Observed Throughput of Above Washington, D.C. Routers:    6.67 MB/s
Total Observed Throughput of All Known Running Tor Routers *: ~60.00 MB/s

  * Taken from aggregate stats of all known (~560) running Tor routers
at [3]


Notes on select router descriptor fields:

  bandwidth <bandwidth-avg> <bandwidth-burst> <bandwidth-observed>

    Estimated bandwidth for this router, in bytes per second. The
"average" bandwidth is the volume per second that the OR is willing to
sustain over long periods; the "burst" bandwidth is the volume that the
OR is willing to sustain in very short intervals. The "observed" value
is an estimate of the capacity this server can handle. The server
remembers the max bandwidth sustained output over any ten second period
in the past day, and another sustained input. The "observed" value is
the lesser of these two numbers.

  uptime

    The number of seconds that this OR process has been running.


References:

  [1] http://serifos.eecs.harvard.edu/cgi-bin/exit.pl
  [2] http://tor.eff.org/cvs/tor/doc/tor-spec.txt
  [3] http://www.noreply.org/tor-running-routers/

Found at: http://jadeserpent.i2p.tin0.de/tor-dc-nodes-2.txt



Attachment: signature.asc
Description: OpenPGP digital signature