On Mon, Mar 09, 2015 at 11:15:21PM +0000, Francois Valiquette wrote:
> By reading the documentation of torflow, it is still not clear to me exactly which tests you are doing. One part of my project is to make a description of each possible attack an Exit Node can make and a description of a detection/mitigation mechanism for each of the attacks, but I would also like to implement one or more tests that have not been implemented by torflow.
As Damian mentioned, we are mostly using exitmap [0] these days. TorFlow is no longer supported and several people had issues getting it to run because of bit rot.
> Here is a list of attacks that we think a malicious Exit Node could do. The list is not complete; we will expand it. I would like to know what type of attacks you have not tested, and also, feel free to complete this list.
> -SSL and non-SSL Sniffing (Session Hijacking, emails, web URL, IRC channel, FTP)
exitmap has no module to detect sniffing but some folks have written HoneyConnector [1] for that purpose. It can detect sniffing for FTP and IMAP as long as the adversary later tries to log in with the sniffed credentials.
> -Virus Injection (Linux, OSX, Windows, Android)
Something like this is implemented in the patchingCheck module: https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/patchingCheck.py
> -DNS Rebinding
We have a module that checks several domains: https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/dns.py
> -Misc Injection/Tampering: advertisements, JavaScript, etc
> -SSL MITM with CN
> -SSL MITM (revoked certificate, expired certificate and untrusted certificate)
> -SSL Downgrade attacks
> -SSL stripping
We have modules for these attacks but they aren't available publicly. If you are interested, please contact me off-list and I can send them to you.
> -Pharming Attacks
> -Dropping TLS connections
> -Spurious RST packets
> -Exploiting Bittorrent Tracker to reveal a user's real IP
It would be great to see modules for these attacks. If you are interested in extending exitmap, I have a suggestion below.
On a general note, we see two classes of malicious exit relays. The opportunistic attacker typically sets up a fresh relay, starts an off-the-shelf MitM tool, and is curious to see what happens. These attacks don't last long and are easy to detect. It's not that easy with the second class, that is, attackers who target specific web sites. All other web sites can remain unaffected, which makes it hard to find these exits. These attackers make an effort to stay under the radar, e.g., MitM only requests coming from Tor Browser. As a result, these attacks are trickier to detect, and after blacklisting such an exit relay, a new one often pops up, similar to a game of Whac-A-Mole.
To do better against these attackers, it would be great to have "adaptive" scanning modules that are able to pick their own targets. For example, such a module could be seeded with a set of domains and it then extracts other domains to visit from the HTML code of the seed set.
[0] https://gitweb.torproject.org/user/phw/exitmap.git/
[1] https://github.com/mmulazzani/HoneyConnector
Cheers,
Philipp
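The seed-and-expand target selection Philipp sketches for an "adaptive" module, as an added example that is not exitmap code or part of the thread: given a seed set of domains and the HTML fetched from them, it extracts the hostnames of linked resources and returns those not yet in the seed set as the next round's scan targets. The sample page, the URL_ATTRS list and the function names are assumptions made for this illustration; the module would still need exitmap's own fetch-over-exit plumbing to obtain the HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that carry a URL worth following (constructed list, not exhaustive).
URL_ATTRS = {"href", "src", "action"}

class _LinkExtractor(HTMLParser):
    """Collects absolute URLs from href/src/action attributes of a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                # Resolve relative links against the page's own URL.
                self.urls.append(urljoin(self.base_url, value.strip()))

def extract_domains(base_url, html):
    """Return the set of hostnames referenced by the page at base_url."""
    parser = _LinkExtractor(base_url)
    parser.feed(html)
    domains = set()
    for url in parser.urls:
        parsed = urlparse(url)
        # Only http(s) targets are useful for a web-scanning module.
        if parsed.scheme in ("http", "https") and parsed.hostname:
            domains.add(parsed.hostname.lower())  # .hostname drops port/creds
    return domains

def next_targets(seed_domains, fetched_pages):
    """Seed-and-expand step: fetched_pages maps a seed page URL to its HTML.
    Returns domains linked from those pages that are not already seeds."""
    found = set()
    for url, html in fetched_pages.items():
        found |= extract_domains(url, html)
    return found - {d.lower() for d in seed_domains}

# Constructed sample page standing in for the HTML fetched from a seed site.
SAMPLE_HTML = """<html><body>
<a href="https://news.example.org/today">news</a>
<script src="//cdn.example.net/app.js"></script>
<img src="/static/logo.png"><form action="http://login.example.com:8080/auth"></form>
<a href="mailto:someone@example.com">mail</a></body></html>"""
```

Feeding the results of each round back in as the next seed set gives the crawl-like expansion described above, with a visited set needed to keep it bounded.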