Re: [tor-talk] SIGAINT email service targeted by 70 bad exit nodes

> On Sun, Apr 26, 2015 at 11:19:08AM +0000, nusenu wrote:
>>> On Thu, Apr 23, 2015 at 07:30:57PM +0000, nusenu wrote:
>>>>> Almost all of them were younger than one month and they
>>>>> seem to have joined the network in small batches.  I
>>>>> uploaded Onionoo's JSON-formatted relay descriptors, so
>>>>> everybody can have a look: 
>>>>> <http://www.nymity.ch/badexit/bad_descriptors_2015-04-23.zip>
>>>> I compared your list (71 FPs) with my list (55 FPs) from
>>>> 2015-04-05 [1], we have an overlap of (only) 30 relays. An 
>>>> overlap of around ~50 would be better.
>>> Yes, I remember your list.  Thanks a lot for sharing it, it's 
>>> really helpful!
>>> The relays that are in your, but not in my list indeed look
>>> quite similar to the rest.  They don't have a BadExit flag
>>> because nobody has caught them doing something nasty yet.
>> So you do not think that they are controlled by the same
>> (malicious) entity? (even though some declare their MyFamily
>> accordingly*)
> I'm not sure, unfortunately.
I would appreciate hearing your thoughts on the MyFamily group [2].

Let's make sure that we are on common ground regarding the following:

- you saw their (speaking about the 55 relays [1]) sign-up timing/pattern
- you saw their restart timing/pattern
- the combination of these two
- you saw that all of them changed their DirPort setting after [1]

 - relay: Chifuniro (BadExit)
	aka CC6339702D3AB62DE86F693474FFDB4C22B1FCA0

 - relay: Kyriakos + 3 others (no BadExit flag)
	currently down - shut down ~20 hours ago
	aka CB1F5320223B1DB51F19717BE95E20AB9BF51523

both signed up on 2015-04-01 within a two-hour timeframe
	(2015-04-01 06:00:00  vs. 2015-04-01 08:00:00)

both restarted on 2015-04-04 within an 11-second timeframe
	(2015-04-04 01:33:11 vs. 2015-04-04 01:33:22)

other matching properties:
	- AS
	- tor version
	- no contact
	- no family
	- DirPort auto (back then)

Now, to actually weigh the information above, one would have to compare
it with the rest of the network. How likely is it that something
like this happens coincidentally? I didn't do the actual processing,
but I'd say the likelihood is low.

Anyway, it is good that relays are not flagged too easily as BadExits.

[1] https://lists.torproject.org/pipermail/tor-talk/2015-April/037384.ht
[2] https://lists.torproject.org/pipermail/tor-talk/2015-April/037587.html

>> The case that one took over legit relays is unlikely since many
>> are rather 'fresh' ones.
> Maybe somebody started a Tor relay after breaking into them?

Is that a reason to *not* flag them as BadExit?
I mentioned the sentence above (compromising legit relays) since that
would/should influence the decision whether a group of relays operated
by one entity should be treated as 'bad' if one behaves 'bad'.

>> Did you (or anyone else?) try to reach out to them via their
>> ISP(s)?
> Not yet, but I hope to get to it later today.

Thanks for doing this, keep us posted.
(I was also about to ask the hoster whether some IPs relate to the
same customer but I'll leave it to you then.)

> It's certainly odd that all these relays were in only a few data
> centers.

Why is that odd? I thought that is good as it makes detection
potentially easier if bad guys use just a single or few ISPs, no?
I was also wondering whether current doctor should trigger on events
like the one on 2015-04-01.
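Added example, not part of the original thread or of any Tor project tool: a small clustering pass over Onionoo-style relay details that groups relays matching on the properties listed in the message above (sign-up time within a window, restart time within a few seconds, same AS, same tor version, no contact, no family). The relay records are constructed for illustration, the fingerprints and AS numbers are placeholders, and the field names (first_seen, last_restarted, as, version, contact, effective_family) are assumed to follow Onionoo's "details" document; the window sizes are parameters so the reader can see how sensitive the grouping is to them.

```python
"""
Added example (not from the tor-talk thread): cluster relays that match on
the sign-up/restart timing and descriptor properties discussed above.
Input is a constructed Onionoo-style "details" document.
"""
import json
from datetime import datetime
from itertools import combinations

# Constructed sample modelled on Onionoo's details document. Fingerprints,
# nicknames and AS numbers are placeholders, not real relays.
SAMPLE_DETAILS = json.dumps({"relays": [
    {"nickname": "RelayA", "fingerprint": "A" * 40, "first_seen": "2015-04-01 06:00:00",
     "last_restarted": "2015-04-04 01:33:11", "as": "AS64496", "version": "0.2.5.12"},
    {"nickname": "RelayB", "fingerprint": "B" * 40, "first_seen": "2015-04-01 08:00:00",
     "last_restarted": "2015-04-04 01:33:22", "as": "AS64496", "version": "0.2.5.12"},
    {"nickname": "RelayC", "fingerprint": "C" * 40, "first_seen": "2015-04-01 07:10:00",
     "last_restarted": "2015-04-04 01:33:15", "as": "AS64496", "version": "0.2.5.12"},
    # Long-lived relay with contact and family: restarted at the same time
    # (e.g. a hoster-wide reboot) but should not be grouped with the others.
    {"nickname": "LongLived", "fingerprint": "D" * 40, "first_seen": "2013-11-20 12:00:00",
     "last_restarted": "2015-04-04 01:33:12", "as": "AS64496", "version": "0.2.5.12",
     "contact": "ops@example.invalid", "effective_family": ["$" + "D" * 40, "$" + "E" * 40]},
    # Same timing but a different AS: not grouped under the "same AS" rule.
    {"nickname": "Elsewhere", "fingerprint": "F" * 40, "first_seen": "2015-04-01 06:30:00",
     "last_restarted": "2015-04-04 01:33:20", "as": "AS64497", "version": "0.2.5.12"},
]})

FMT = "%Y-%m-%d %H:%M:%S"  # timestamp format used by Onionoo


def parse(ts):
    return datetime.strptime(ts, FMT)


def seconds_apart(a, b, field):
    return abs((parse(a[field]) - parse(b[field])).total_seconds())


def related(a, b, signup_window_s=2 * 3600, restart_window_s=30):
    """True if two relays match on every property from the thread:
    sign-up and restart times within the given windows, same AS and
    version, and neither declares a contact or a family."""
    return (
        seconds_apart(a, b, "first_seen") <= signup_window_s
        and seconds_apart(a, b, "last_restarted") <= restart_window_s
        and a.get("as") == b.get("as")
        and a.get("version") == b.get("version")
        and not a.get("contact") and not b.get("contact")
        and not a.get("effective_family") and not b.get("effective_family")
    )


def cluster(details_json, **windows):
    """Union-find over pairwise relatedness. Returns the candidate groups
    (size > 1) as sorted lists of nicknames, sorted for stable output."""
    relays = json.loads(details_json)["relays"]
    parent = list(range(len(relays)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(relays)), 2):
        if related(relays[i], relays[j], **windows):
            parent[find(i)] = find(j)

    groups = {}
    for i, r in enumerate(relays):
        groups.setdefault(find(i), []).append(r["nickname"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for group in cluster(SAMPLE_DETAILS):
        print("candidate group:", ", ".join(group))
```

With the default windows (two hours for sign-up, 30 seconds for restart) the three fresh relays on the shared AS form one group while the long-lived relay with contact and family and the relay on another AS are left out; tightening the restart window to 5 seconds splits the group, which is the kind of sensitivity one would have to calibrate against the whole consensus before treating such a match as more than a lead.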

