Re: Analyzing TOR-exitnodes for anomalies
Hi *Alexander W. Janssen* :
> On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
>> Hmmm... Bogus exit nodes or bogus DNS servers ?
>
> One or the other way, brute forcing my way through all exit-nodes should
> reveal it. Hopefully...
This is a lot of work. It may be a very long investigation.
You need data from the other Tor users about this issue.
>
>> Is it possible that the strange side effects come, not from the exit nodes
>> themselves, but from the DNS server used by these exit nodes ?
>
> Could be either way. Things which popped up in my mind:
> 1) DNS poisoning
> 2) Exit-node is behind a transparent proxy which is compromised or modified in
> some way
Yes!
> 3) Outbound traffic from the exit-node gets DNATed away by some firewall
ok
and the fourth:
some infected exit nodes with trojans, viruses, worms...
This limits the investigation to Windows exit nodes !!! ;-)
(No such things with BSD/Linux I presume...)
>
> Things you could do:
> 1) Replacing complete websites with link-farms (that's what happened to me)
> 2) Using a modified web-proxy which inserts advertisements into the HTML-code
> (possible, it's exactly the reverse of what Privoxy does)
> 3) Filter content
> 4) Replacing valid downloads by trojaned versions
> 5) Replace all pictures of a website with a picture of the goatse-man...
> 6) Modifying text in a subtle way using simple lex-programs (e.g. replace all
> "must" by "could" or "police" by "SS")
> 7) <insert favourite attack here>
Or the German Tor exit nodes seized by the polizei...
Did they return these computers with some "add on" ???
(Hmmm... too paranoid I guess... ;-) )
>
>> Our suspicions about "bogus exit nodes" must be based on facts
>> so I suggest to collect information about this issue here.
>
> My first run during the night was not very successful, most of the exitnodes
> refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that
> time of the day, I started another scan just minutes ago. Usually the
> TOR-network is not that congested in the morning.
OK. Let us know if you find something interesting.
>
>> What we can do is to report any "strange side effect" including:
>>
>> the link to the web site
>> the resulting link with the redirection like the ones we're talking about
>> the exit node used to access this web site
>
> Aye.
Best regards,
--
Claude LaFrenière
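
An added example, not part of the original message: one way to triage the reports proposed above (web site link, resulting link, exit node) by comparing what each exit node returned for the same URL. The body digest field, the exit nicknames and all sample records are constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample reports: (requested URL, resulting URL after redirects,
# exit node nickname, digest of the response body, shortened for readability).
REPORTS = [
    ("http://example.org/", "http://example.org/", "exitA", "aa11"),
    ("http://example.org/", "http://example.org/", "exitB", "aa11"),
    ("http://example.org/", "http://linkfarm.example/", "exitC", "ff99"),
    ("http://example.org/", "http://example.org/", "exitD", "bb22"),
    ("http://example.org/", "http://example.org/", "exitE", "aa11"),
]

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def find_anomalies(reports):
    """Return {exit_node: [reasons]} for reports that deviate from the rest."""
    by_url = defaultdict(list)
    for requested, final, exit_node, digest in reports:
        by_url[requested].append((final, exit_node, digest))
    flagged = defaultdict(list)
    for requested, rows in by_url.items():
        # Consensus body: the digest seen through the most exit nodes.
        consensus, votes = Counter(d for _, _, d in rows).most_common(1)[0]
        has_majority = votes * 2 > len(rows)  # only trust a strict majority
        for final, exit_node, digest in rows:
            if host(final) != host(requested):
                flagged[exit_node].append(f"redirected to {host(final)}")
            if has_majority and digest != consensus:
                flagged[exit_node].append("body differs from majority")
    return dict(flagged)

if __name__ == "__main__":
    for node, reasons in find_anomalies(REPORTS).items():
        print(node, "->", "; ".join(reasons))
```

A flag only marks an exit node for a closer look: pages with dynamic content and sites that legitimately redirect to another host will also trip these checks, and the cause may be the exit's DNS server or an upstream proxy rather than the node itself.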