
Hello everyone,

Some months ago I encountered a situation where a user running an exit node with a publicly exposed privoxy (intentionally or not, I'm not sure) was constantly receiving a number of requests directed to advertisement networks. Fundamentally, someone is/was running an infrastructure using exposed Privoxies to perform some sort of advertisement fraud.

It's been roughly documented also here: https://b.kentbackman.com/2013/04/15/rotpoion-botnet-powered-by-thousands-of...

Out of interest, I gave a quick look at existing relays and exits and it turns out that there's ~20 nodes exposing Privoxy on public IPs.

Host: 46.65.12.134 (46-65-12-134.zone16.bethere.co.uk) Ports: 8118/open/tcp//privoxy///
Host: 66.146.193.31 (sable.dredel.com) Ports: 8118/open/tcp//privoxy///
Host: 66.180.193.219 (tor-proxy.die.net) Ports: 8118/open/tcp//privoxy///
Host: 69.164.211.18 (nsi.mirt.net) Ports: 8118/open/tcp//privoxy///
Host: 71.246.241.109 (koansys.com) Ports: 8118/open/tcp//privoxy///
Host: 75.137.122.118 (75-137-122-118.dhcp.gnvl.sc.charter.com) Ports: 8118/open/tcp//privoxy///
Host: 78.47.41.125 (maurer-web.wisseberger-jonges.de) Ports: 8118/open/tcp//privoxy///
Host: 81.56.102.224 (perso.schenck.fr) Ports: 8118/open/tcp//privoxy///
Host: 82.45.34.136 (cpc11-hawk13-2-0-cust135.aztw.cable.virginm.net) Ports: 8118/open/tcp//privoxy///
Host: 93.207.83.51 (p5DCF5333.dip0.t-ipconnect.de) Ports: 8118/open/tcp//privoxy///
Host: 95.140.34.187 (medea.tobias.vn) Ports: 8118/open/tcp//privoxy///
Host: 95.140.34.188 (mikrobi.tobias.vn) Ports: 8118/open/tcp//privoxy///
Host: 123.254.105.104 () Ports: 8118/open/tcp//privoxy///
Host: 151.28.124.42 (ppp-42-124.28-151.libero.it) Ports: 8118/open/tcp//privoxy///
Host: 162.243.5.88 () Ports: 8118/open/tcp//privoxy///
Host: 165.154.108.120 () Ports: 8118/open/tcp//privoxy///
Host: 176.31.127.140 (ks396886.kimsufi.com) Ports: 8118/open/tcp//privoxy///
Host: 199.184.154.12 () Ports: 8118/open/tcp//privoxy///

First things first, I'm interested to know whether there's an actual reason for doing this or if it's something discouraged.

Best,
/nex

On 13-11-10 08:04 AM, Claudio wrote:
> Some months ago I encountered a situation where a user running an exit node with a publicly exposed privoxy (intentionally or not, I'm not sure) was constantly receiving a number of requests directed to advertisement networks. Fundamentally, someone is/was running an infrastructure using exposed Privoxies to perform some sort of advertisement fraud.
Privoxy has never been part of the Tor relay configuration, AFAIK. Privoxy was discontinued as part of the Tor client configuration a couple of years ago. Therefore such a phenomenon *should not* have anything to do with Tor relays. However, there may be a few rogues who run Tor exits that cache or snoop traffic, or who simultaneously run other proxy services (for example misconfigured home exit nodes). The Legal FAQ gives some advice on these issues: https://www.torproject.org/eff/tor-legal-faq.html.en
> It's been roughly documented also here: https://b.kentbackman.com/2013/04/15/rotpoion-botnet-powered-by-thousands-of...
> Out of interest, I gave a quick look at existing relays and exits and it turns out that there's ~20 nodes exposing Privoxy on public IPs.
> First things first, I'm interested to know whether there's an actual reason for doing this or if it's something discouraged.
> Best,
> /nex
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

On Sun, 10 Nov 2013, Claudio wrote:
> Host: 66.180.193.219 (tor-proxy.die.net) Ports: 8118/open/tcp//privoxy///

Want to make HTTP requests through these ports and see who will actually proxy content for you? If you try making a request through this port on tor-proxy.die.net, it won't proxy but rather will take as long as possible to send you a bogus 10 meg reply, acting as what is known as a "tarpit".

In September, I sent a note privately to the contacts of the other 19 Tor nodes that had an open 8118 port, and 5 or so fixed their configs. A few more replied saying that they had all ports open intentionally but weren't really passing traffic.

-- Aaron
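The operators who "fixed their configs" had Privoxy bound to a public interface instead of loopback. For a relay operator who wants to check their own box before someone else does, here is an added example (not code from the thread, from Tor or from the Privoxy project). It parses `ss -ltn` output, whose column layout it assumes to be State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, and flags any listener on port 8118 that is bound to something other than a loopback address. The sample output embedded below is constructed, not captured from a real relay; the fix it suggests is Privoxy's `listen-address` directive, whose default value is 127.0.0.1:8118.

```python
"""Check whether a Privoxy instance on this host is reachable from the network.

Added example, not code from the thread or from the Privoxy project. It
looks at `ss -ltn` output (columns assumed: State, Recv-Q, Send-Q,
Local Address:Port, Peer Address:Port) and reports any listener on the
Privoxy port that is bound to something other than a loopback address.
The sample output below is constructed, not captured from a real relay.
"""
import ipaddress
import subprocess

PRIVOXY_PORT = 8118

# Constructed sample in the shape of `ss -ltn` output: Privoxy bound to all
# interfaces, the Tor SocksPort on loopback, and an ORPort on all IPv6 addresses.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8118         0.0.0.0:*
LISTEN  0       128     127.0.0.1:9050       0.0.0.0:*
LISTEN  0       128     [::]:9001            [::]:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4, bracketed IPv6 or '*') into (addr, port or None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), (int(port) if port.isdigit() else None)


def is_exposed(addr):
    """True when a bind address can accept connections from other hosts."""
    if addr in ("", "*"):          # wildcard spellings used by ss/netstat
        return True
    # 0.0.0.0 and :: are not loopback, so they count as exposed.
    return not ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output, port=PRIVOXY_PORT):
    """Return the local endpoints listening on `port` beyond loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                     # header line or non-listening socket
        addr, lport = split_endpoint(fields[3])
        if lport == port and is_exposed(addr):
            found.append(fields[3])
    return found


def live_ss_output():
    """Output of `ss -ltn` on this host, or '' when ss is not available."""
    try:
        return subprocess.run(["ss", "-ltn"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    output = live_ss_output() or SAMPLE_SS_OUTPUT
    exposed = exposed_listeners(output)
    if exposed:
        print("Privoxy reachable from the network on:", ", ".join(exposed))
        print("Fix: set `listen-address 127.0.0.1:8118` in the Privoxy config "
              "(or firewall the port) and restart Privoxy.")
    else:
        print("No Privoxy listener bound beyond loopback.")
```

Run it on the relay itself; if `ss` is missing it falls back to the constructed sample so the logic can still be exercised. A listener reported here is exactly what the scan in this thread would find from the outside.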

On 11/10/2013 08:15 PM, Aaron Hopkins wrote:
> On Sun, 10 Nov 2013, Claudio wrote:
>> Host: 66.180.193.219 (tor-proxy.die.net) Ports: 8118/open/tcp//privoxy///
> Want to make HTTP requests through these ports and see who will actually proxy content for you?
> If you try making a request through this port on tor-proxy.die.net, it won't proxy but rather will take as long as possible to send you a bogus 10 meg reply, acting as what is known as a "tarpit".
> In September, I sent a note privately to the contacts of the other 19 Tor nodes that had an open 8118 port, and 5 or so fixed their configs. A few more replied saying that they had all ports open intentionally but weren't really passing traffic.

You're right, just a few actually do proxy. With a few seconds timeout only 162.243.5.88 and 78.47.41.125 do to me at the moment.

Just out of curiosity, what would be the reason for leaving such port open but inactive?

Thanks,
/nex

On Sun, 10 Nov 2013, Claudio wrote:
> You're right, just a few actually do proxy. With a few seconds timeout only 162.243.5.88 and 78.47.41.125 do to me at the moment.

Good to know. I don't see a contact for 162.243.5.88 and I sent mail to the contact address listed for 78.47.41.125 in September but didn't get a response.

> Just out of curiosity, what would be the reason for leaving such port open but inactive?

For me, it is to try to waste TCP sockets and OS threads of whichever botnet is trying to hit 8118 on all Tor nodes over and over, in an effort to slow them down. Though I'm currently holding open 43000 connections from them, I don't think it has had much of an effect, unfortunately.

See http://en.wikipedia.org/wiki/Tarpit_(networking) for more background. It talks about IP-level and SMTP-level tarpits; my HTTP tarpit is similar in theory but operates at the HTTP protocol level.

-- Aaron
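The HTTP-level tarpit Aaron describes (answer the bot's proxy request, promise a 10 MB body, then release it as slowly as the client tolerates so that its socket stays busy) can be written in a few dozen lines. The block below is an added example, not Aaron's own code; it uses asyncio so that thousands of idle connections cost a coroutine each rather than an OS thread. The body size, chunk size and delay are illustrative choices, and `demo_roundtrip` is a loopback self-check with the delay set to zero, not part of the technique.

```python
"""HTTP-level tarpit: hold each connecting bot on a slow, bogus reply.

Added example, not Aaron's code from the thread. A connection arriving on
the port a bot expects a proxy on gets an HTTP response that announces a
large body and then trickles it out a few bytes at a time, so the client's
socket stays tied up for as long as it is willing to wait. Nothing is ever
proxied. Body size, chunk size and delay are illustrative choices.
"""
import asyncio
import functools

BODY_BYTES = 10 * 1024 * 1024   # the "bogus 10 meg reply" described in the thread
CHUNK_BYTES = 16                # bytes released per step
STEP_DELAY = 5.0                # seconds between steps; 10 MB at this rate takes weeks


def tarpit_response(body_bytes=BODY_BYTES, chunk_bytes=CHUNK_BYTES):
    """Yield the response in pieces: the headers first, then the filler body."""
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {body_bytes}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    yield headers
    sent = 0
    while sent < body_bytes:
        n = min(chunk_bytes, body_bytes - sent)
        yield b"\0" * n
        sent += n


async def handle_client(reader, writer, body_bytes=BODY_BYTES,
                        chunk_bytes=CHUNK_BYTES, step_delay=STEP_DELAY):
    """Swallow the client's request, then drip the bogus reply until it gives up."""
    try:
        await asyncio.wait_for(reader.read(4096), timeout=30)
        for chunk in tarpit_response(body_bytes, chunk_bytes):
            writer.write(chunk)
            await writer.drain()          # raises once the peer has gone away
            await asyncio.sleep(step_delay)
    except (asyncio.TimeoutError, OSError):
        pass                              # client timed out or disconnected: release the socket
    finally:
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass


async def serve(host="0.0.0.0", port=8118):
    """Listen on the port the bots probe (only sensible if no real proxy runs there)."""
    server = await asyncio.start_server(handle_client, host, port)
    async with server:
        await server.serve_forever()


async def _roundtrip(body_bytes, chunk_bytes):
    """Start a tarpit with no delay on a loopback port and fetch one reply from it."""
    handler = functools.partial(handle_client, body_bytes=body_bytes,
                                chunk_bytes=chunk_bytes, step_delay=0.0)
    server = await asyncio.start_server(handler, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        # Constructed proxy-style request, the kind of thing a bot sends to port 8118.
        writer.write(b"GET http://example.invalid/ HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
        await writer.drain()
        raw = await reader.read(-1)       # read until the tarpit closes the connection
        writer.close()
        await writer.wait_closed()
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[0].decode("ascii"), len(body)


def demo_roundtrip(body_bytes=64, chunk_bytes=16):
    """Synchronous wrapper: returns (status line, body length) from a live tarpit."""
    return asyncio.run(_roundtrip(body_bytes, chunk_bytes))


if __name__ == "__main__":
    print(demo_roundtrip())   # quick self-check on loopback
    asyncio.run(serve())      # then run the real thing on 0.0.0.0:8118
```

The client sees a well-formed response that never finishes, so a naive bot keeps the socket open until its own timeout fires. As Aaron notes, whether this actually slows a large botnet is doubtful; the cost to the relay is one coroutine and one kernel socket per held connection, so keep an eye on file-descriptor limits.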

I was running a non-exit relay using beta RC version vidalia-relay-bundle-0.2.4.17-rc-0.2.21.exe on win XP. On the "Message Log" console I was seeing hourly entries for TAP and nTor connections.

After over a week, I was getting very low traffic, so rolled back to the stable version vidalia-relay-bundle-0.2.3.25-0.2.21-2.exe to compare, trying to see if it would be more useful. After changing, I no longer see any hourly entries as I did with the beta/RC version. I tried unsuccessfully to find a change log that would indicate this might have been one thing changed.

Can anyone confirm this was a feature of the beta/RC version since the last stable version? Or might I have missed some setting somewhere to enable hourly connection stat logging?

BugZ

On Sun, Nov 10, 2013 at 09:58:20PM -0500, gq wrote:
> On the "Message Log" console I was seeing hourly entries for TAP and nTor connections.

Yep.

> After over a week, I was getting very low traffic, so rolled back to the stable version vidalia-relay-bundle-0.2.3.25-0.2.21-2.exe to compare, trying to see if it would be more useful.
> After changing, I no longer see any hourly entries as I did with the beta/RC version. I tried unsuccessfully to find a change log that would indicate this might have been one thing changed.
> Can anyone confirm this was a feature of the beta/RC version since the last stable version? Or might I have missed some setting somewhere to enable hourly connection stat logging?

It is new in 0.2.4.17-rc:

  - Track how many "TAP" and "NTor" circuit handshake requests we get, and how many we complete, and log it every hour to help relay operators follow trends in network load. Addresses ticket 9658.

https://trac.torproject.org/projects/tor/ticket/9658

--Roger
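The hourly line is only useful if someone looks at the trend, so here is an added example (not Tor project code) that pulls the counters out of a relay's notice log and flags hours in which a noticeable share of requested handshakes were not completed, which is what an overloaded relay looks like. It assumes log lines in the shape of Tor's hourly "Circuit handshake stats since last time: N/M TAP, N/M NTor." notice, with completed before requested; that wording is an assumption about the exact format, the sample lines below are constructed, and the 0.9 completion threshold is an arbitrary starting point.

```python
"""Follow the hourly TAP/NTor handshake counters in a relay's notice log.

Added example, not Tor project code. It reads notice-level log lines in the
shape of Tor's hourly "Circuit handshake stats since last time:" message
(completed/requested per handshake type). That wording is an assumption
about the format; the sample lines below are constructed, not real.
"""
import re
import sys
from typing import List, NamedTuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) \[notice\] "
    r"Circuit handshake stats since last time: "
    r"(?P<tap_done>\d+)/(?P<tap_req>\d+) TAP, "
    r"(?P<ntor_done>\d+)/(?P<ntor_req>\d+) NTor\.$"
)

# Constructed sample: two quiet hours, then an hour where most requests fail.
SAMPLE_LOG = """\
Nov 10 20:01:03.000 [notice] Circuit handshake stats since last time: 12/12 TAP, 340/340 NTor.
Nov 10 20:07:11.000 [notice] Heartbeat: Tor's uptime is 6 days 0:00 hours (constructed line)
Nov 10 21:01:03.000 [notice] Circuit handshake stats since last time: 9/9 TAP, 355/355 NTor.
Nov 10 22:01:03.000 [notice] Circuit handshake stats since last time: 3/11 TAP, 120/900 NTor.
"""


class HourStats(NamedTuple):
    ts: str
    tap_done: int
    tap_req: int
    ntor_done: int
    ntor_req: int


def parse_handshake_stats(text: str) -> List[HourStats]:
    """Extract one HourStats per matching line; unrelated notices are skipped."""
    stats = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats.append(HourStats(m["ts"], int(m["tap_done"]), int(m["tap_req"]),
                                   int(m["ntor_done"]), int(m["ntor_req"])))
    return stats


def completion_ratio(done: int, requested: int) -> float:
    """Completed/requested, treating an idle hour (0 requests) as fully completed."""
    return 1.0 if requested == 0 else done / requested


def overloaded_hours(stats: List[HourStats], threshold: float = 0.9) -> List[str]:
    """Timestamps where either handshake type completed below `threshold` of requests."""
    return [s.ts for s in stats
            if min(completion_ratio(s.tap_done, s.tap_req),
                   completion_ratio(s.ntor_done, s.ntor_req)) < threshold]


def ntor_share(stats: List[HourStats]) -> float:
    """Fraction of all requested handshakes that were NTor: the trend operators watch."""
    requested = sum(s.tap_req + s.ntor_req for s in stats)
    return 0.0 if requested == 0 else sum(s.ntor_req for s in stats) / requested


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hours = parse_handshake_stats(text)
    for h in hours:
        print(f"{h.ts}: TAP {h.tap_done}/{h.tap_req}, NTor {h.ntor_done}/{h.ntor_req}")
    print(f"NTor share of requests: {ntor_share(hours):.1%}")
    print("hours with incomplete handshakes:", overloaded_hours(hours) or "none")
```

Point it at the notice log (`python3 handshakes.py /var/log/tor/notices.log` or wherever the Log line in torrc sends notices) and watch two things: a sustained gap between requested and completed counts, which says the relay is dropping circuit-building work, and the NTor share creeping up as clients upgrade.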

Roger that :) thank you.

On 11/10/2013 10:01 PM, Roger Dingledine wrote:
> On Sun, Nov 10, 2013 at 09:58:20PM -0500, gq wrote:
>> On the "Message Log" console I was seeing hourly entries for TAP and nTor connections.
> Yep.
>> After over a week, I was getting very low traffic, so rolled back to the stable version vidalia-relay-bundle-0.2.3.25-0.2.21-2.exe to compare, trying to see if it would be more useful.
>> After changing, I no longer see any hourly entries as I did with the beta/RC version. I tried unsuccessfully to find a change log that would indicate this might have been one thing changed.
>> Can anyone confirm this was a feature of the beta/RC version since the last stable version? Or might I have missed some setting somewhere to enable hourly connection stat logging?
> It is new in 0.2.4.17-rc:
> - Track how many "TAP" and "NTor" circuit handshake requests we get, and how many we complete, and log it every hour to help relay operators follow trends in network load. Addresses ticket 9658.
> https://trac.torproject.org/projects/tor/ticket/9658
> --Roger
participants (5)
- Aaron Hopkins
- Claudio
- gq
- krishna e bera
- Roger Dingledine