[tor-dev] Questions for the torflow developers

Philipp Winter phw at nymity.ch
Tue Mar 10 00:02:38 UTC 2015


On Mon, Mar 09, 2015 at 11:15:21PM +0000, Francois Valiquette wrote:
> By reading the documentation of torflow, it is yet not clear to me, exactly
> which tests you are doing. One part of my project is to make a description
> of each possible attack an Exit Node can make and a description of a
> detection/mitigation mechanism for each of the attack but also I would like
> to implement one or more tests that have not been implemented by torflow.

As Damian mentioned, we are mostly using exitmap [0] these days.
TorFlow is no longer supported and several people had issues getting it
to run because of bit rot.

> Here is a list of attacks that we think that a malicious Exit Node could
> do. The list is not complete, we will expand it. I would like to know, what
> type of attacks have you not tested and also, feel free to complete this
> list.
> 
> -SSL and non-SSL Sniffing (Session Hijacking, emails, web URL, IRC
> channel, FTP )

exitmap has no module to detect sniffing but some folks have written
HoneyConnector [1] for that purpose.  It can detect sniffing for FTP and
IMAP as long as the adversary later tries to log in with the sniffed
credentials.

> -Virus Injection (Linux, OSX, Windows, Android)

Something like this is implemented in the patchingCheck module:
<https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/patchingCheck.py>

> -DNS Rebinding

We have a module that checks several domains:
<https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/dns.py>

> -Misc Injection/Tampering: advertisements, JavaScript, etc
> -SSL MITM with CN
> -SSL MITM (revoked certificate, expired certificate and untrusted
> certificate)
> -SSL Downgrade attacks
> -SSL stripping

We have modules for these attacks but they aren't available publicly.
If you are interested, please contact me off-list and I can send them to
you.

> -Pharming Attacks
> -Dropping TLS connections
> -Spurious RST packets
> -Exploiting Bittorrent Tracker to reveal a user’s real IP

It would be great to see modules for these attacks.  If you are
interested in extending exitmap, I have a suggestion below.

On a general note, we see two classes of malicious exit relays.  The
opportunistic attacker typically sets up a fresh relay, starts an
off-the-shelf MitM tool, and is curious to see what happens.  These
attacks don't last long and are easy to detect.  It's not that easy with
the second class, that is attackers who target specific web sites.  All
other web sites can remain unaffected, which makes it hard to find these
exits.  These attackers make an effort to stay under the radar, e.g.,
MitM only requests coming from Tor Browser.  As a result, these attacks
are trickier to detect and after blacklisting such an exit relay, a new
one often pops up, similar to a game of Whac-A-Mole.

To do better against these attackers, it would be great to have
"adaptive" scanning modules that are able to pick their own targets.
For example, such a module could be seeded with a set of domains and it
then extracts other domains to visit from the HTML code of the seed set.

[0] <https://gitweb.torproject.org/user/phw/exitmap.git/>
[1] <https://github.com/mmulazzani/HoneyConnector>

Cheers,
Philipp
