[tor-dev] Malicious relays and honeypots

Gareth Owen gareth.owen at port.ac.uk
Wed Nov 26 10:30:42 UTC 2014

Hi all

I wonder if it might be worth having a discussion on how to detect
malicious and/or suspicious relays.  To my knowledge, the project currently
only scans for MITM and tries to detect larger Sybil attacks (but doesn't
always act when detected).

We have a lot of knowledge now about types of attacks and the unusual
behaviours that might present if they are being deployed.  For example:

1) Relays changing their ident every 24 hours are likely trying to be in a
position to be the directory node for a HS (there are several of these
relays active today).
2) Many relays being launched on sequential IP addresses, and/or with two
nodes per IP - again - likely intercepting DHT publications or Sybil.
3) I have spotted several times a large number of relays in the same
subnet, or adjacent /24 subnets.  You could extend this to ASes.
4) Honeypot relays that try to spot unusual cells or traffic patterns
traversing the tor network.  For example, this could have detected the
RELAY_EARLY attack if it was based on a different code base.  One could
define very robust and tight rules for what is permitted - flagging nodes
sending unusual traffic.  Additionally, PADDING cells are not currently
used by the official client but are used very widely in traffic
confirmation attacks - whilst intermediate relays wont be able to detect
this, clients can and could flag it with an authority (via a 3-hop circuit).
5) One could scan for unusual descriptors being returned too - e.g., the
descriptor is currently with in tight size bounds - but one could pad with
bytes to support traffic confirmation if PADDING cells are put on the red
flag list.
6) We also have the wider question of traffic tampering by exits, like the
recent binary patching exit which I believe was not detected by the project.
7) And finally, Exits that only exit ports which permit tampering - e.g.
the exits that only exit Bitcoin traffic for example.

The question of course is where is the threshold and what does one do in
the event of one of these..  Personally I am of the view that suspicious
relays are not worth keeping in favour of diversity - but that view does
contradict the project's I think.


Dr Gareth Owen
Senior Lecturer
Forensic Computing Course Leader
School of Computing, University of Portsmouth

*Office:* BK1.25
*Tel:* +44 (0)2392 84 (6423)
*Web*: ghowen.me
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20141126/29444d2f/attachment.html>

More information about the tor-dev mailing list