
Re: [tor-talk] Bad Exit Nodes.

On Fri, Jun 27, 2014 at 04:26:30AM -0700, Bobby Brewster wrote:
> How could a person who is sniffing / stripping exit traffic be detected?

We recently did some work on that:

Long story short: Active attacks such as sslstripping are easy to detect
because they modify network traffic.  Passive attacks such as traffic sniffing
are more difficult to detect, but you can catch sniffers if they later decide to
log in with sniffed credentials.

> Also, how are bad nodes determined. For example, iiioooeee is a bad node.
> Why?  What makes it bad?  It is not an exit node.

"Bad" typically means either malicious or misconfigured.  Some relays were
assigned the BadExit flag because their DNS resolver blocks domain categories
such as pornography or proxy/anonymiser.  BadExiting a relay is a last resort
and sending an email to the exit relay operator is typically enough to fix the

The relay iiioooeee has the BadExit flag because it is located in Iran.  Here's
the discussion leading to that:

> However, HKT01 is an exit node that is marked bad.  Why?  Interestingly,
> HKT02 which is also an exit node is not marked bad even though they are on
> the same subnet as HKT01.

The HKT relays are not malicious but seem to be subject to the Great Firewall's
DNS poisoning.  While that won't hurt you, it can be quite annoying when trying
to connect to web sites which are blocked in China.

HKT02 is not marked as bad yet because it is not clear if it's a good idea to
block all relays which sometimes return broken DNS records.  Many exit relays
use crappy resolvers and blocking all of them might be worse for the Tor
network than being redirected to unexpected web sites every now and then.
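As an added example (not code from this post, nor the Tor Project's own tooling), here is one way to turn the DNS comparison described above into a repeatable check: answers observed through an exit are compared with a reference resolver's answers, and an exit is only flagged when more than a threshold of the probed domains come back wrong or empty, so that an occasionally broken resolver is reported as flaky rather than bad. All domain names, addresses and the threshold are constructed placeholders.

```python
# Added example, not code from the tor-talk post or from the Tor Project.
# Compares DNS answers obtained through an exit relay with a reference
# resolver's answers, to flag exits that return broken records or block
# whole domain categories (the two BadExit causes the post describes).
from typing import Dict, FrozenSet, List

Answers = Dict[str, FrozenSet[str]]  # domain -> A records; empty = no answer

def compare_dns(reference: Answers, observed: Answers) -> Dict[str, List[str]]:
    """Bucket each probed domain by how the exit's answer relates to the
    reference.  Any overlap counts as a match because CDNs rotate addresses;
    'noanswer' means NXDOMAIN/timeout where the reference did resolve;
    'mismatch' means only addresses the reference never returned."""
    buckets: Dict[str, List[str]] = {"match": [], "noanswer": [], "mismatch": []}
    for domain, ref_ips in reference.items():
        exit_ips = observed.get(domain, frozenset())
        if not exit_ips:
            buckets["noanswer"].append(domain)
        elif exit_ips & ref_ips:
            buckets["match"].append(domain)
        else:
            buckets["mismatch"].append(domain)
    return buckets

def verdict(buckets: Dict[str, List[str]], total: int, threshold: float = 0.2) -> str:
    """Operator-facing summary.  A single broken answer is common with sloppy
    resolvers, so an exit is only called out when more than `threshold` of
    the probed domains fail; wrong answers outrank missing ones."""
    bad = len(buckets["mismatch"]) + len(buckets["noanswer"])
    if bad == 0:
        return "ok"
    if bad / total <= threshold:
        return "flaky"
    return "poisoned" if buckets["mismatch"] else "filtering"

# Constructed sample data; addresses are RFC 5737 test networks, not real records.
REFERENCE: Answers = {
    "news.example": frozenset({"192.0.2.10", "192.0.2.11"}),
    "mail.example": frozenset({"192.0.2.20"}),
    "video.example": frozenset({"192.0.2.30"}),
    "proxy.example": frozenset({"192.0.2.40"}),
}
# Exit whose resolver hands out one bogus address for two of the four domains.
POISONED_EXIT: Answers = {**REFERENCE, "news.example": frozenset({"198.51.100.1"}),
                          "video.example": frozenset({"198.51.100.1"})}
# Exit whose resolver blocks the proxy/anonymiser category outright.
FILTERING_EXIT: Answers = {**REFERENCE, "proxy.example": frozenset()}
```

Running `verdict(compare_dns(REFERENCE, POISONED_EXIT), len(REFERENCE))` yields "poisoned" and the filtering sample yields "filtering"; raising the threshold to 0.3 turns the single blocked domain into "flaky", which is the judgement call the post describes for HKT02.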
