[tor-relays] Exit relay operators: a call for packets on port 8118

rotpoison throngnet rotpoison at gmail.com
Mon Jul 22 18:21:33 UTC 2013


I believe you are exactly right, Javantea.  Thank you for the insight. I
opened up Privoxy for a few seconds on my node (below) and had similar
results.  I had no idea that pay-per-click advertisers would even accept
referrals from Tor.  It is pretty basic to filter identified exit relays
and other anonymous proxies.  So apparently the return on investment from
this sort of clickfraud pays the leasing bills of thousands of servers?

WoW, I have been schooled...

 - Kent


09:21:01.419951 IP 23.19.89.126.2318 > my.exit.node.8118: Flags [P.], seq
1:416, ack 1, win 65535, length 415
E..... at .u.u/..Y~B...    ...^.]^M....P.......GET
http://ad.media-servers.net/st?ad_type=iframe&ad_size=160x600&section=4432147HTTP/1.0
Accept: */*
Referer:
http://giftcardsrus.net/index.php?option=com_content&view=article&id=1741:when-you-are-not-able-to-get-standard-loans&catid=54:financial-services-&Itemid=412
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
Host: ad.media-servers.net
Connection: Keep-Alive


09:21:01.419973 IP my.exit.node.8118 > 23.19.89.126.2318: Flags [.], ack
416, win 6432, length 0
E..(.. at .@...B.....Y~..  .....^.^.P.. .k..
09:21:01.420501 IP my.exit.node.8118 > 23.19.89.126.2318: Flags [P.], seq
1:256, ack 416, win 6432, length 255
E..'.. at .@...B.....Y~..  .....^.^.P.. .j..HTTP/1.0 403 Request blocked by
Privoxy
Content-Type: image/png
Content-Length: 102
Cache-Control: no-cache
Date: Mon, 22 Jul 2013 09:21:01 GMT
Last-Modified: Wed, 08 Jun 1955 12:00:00 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache


09:21:01.430712 IP 173.208.16.93.1094 > my.exit.node.8118: Flags [.], ack
1, win 65535, length 0
E..(...........]B....F...._..x..P....~........
09:21:01.431701 IP 173.208.16.93.1094 > my.exit.node.8118: Flags [P.], seq
1:511, ack 1, win 65535, length 510
E..&...........]B....F...._..x..P.......GET
http://ad.globe7.com/st?ad_type=pop&ad_size=0x0&section=3910946&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1&pub_url=${PUB_URL}HTTP/1.0
Accept: */*
Referer:
http://twicemagic.com/index.php?option=com_content&view=category&layout=blog&id=44&Itemid=100&limitstart=48
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
Host: ad.globe7.com
Connection: Keep-Alive


09:21:01.431722 IP my.exit.node.8118 > 173.208.16.93.1094: Flags [.], ack
511, win 6432, length 0
E..(.. at .@.b.B......]...F.x....a.P.. ....
09:21:01.432462 IP my.exit.node.8118 > 173.208.16.93.1094: Flags [P.], seq
1:256, ack 511, win 6432, length 255
E..'.. at .@.a.B......]...F.x....a.P.. ....HTTP/1.0 403 Request blocked by
Privoxy
Content-Type: image/png
Content-Length: 102
Cache-Control: no-cache




Date: Mon, 22 Jul 2013 00:09:55 -0700 (PDT)
From: Javantea <jvoss at altsci.com>
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] Exit relay operators: a call for packets on port 8118
Message-ID: <20130722070955.1CF571380F1 at mail.altsci.com>
Content-Type: text/plain; charset="us-ascii"

Hi Kent,

I am getting 125 packets per second sustained incoming on port 8118 like
you on my exit node. I noticed this last year but forgot about it because
it was such low bandwidth. I count 2582 unique IPs in 20 minutes.

I think you've found something significant. The obvious question is why
since sending data in the clear is pretty worthless and it's going to come
out of a tor exit node just like if they were using tor.

I'm a security researcher and would be happy to help you learn more about
these silly systems. You've already done most of the basic research though:
who, what, and where. When I open port 8118 with netcat a few times I get
this:

GET
http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=4211101&pub_url=${PUB_URL}
 HTTP/1.0
Accept: */*
Referer:
http://www.lotsoffree.com/index.php?option=com_content&view=article&id=84:free-gift-card-microsoft-privacy&catid=39:free-gift-cards&Itemid=106
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3)
Gecko/2008092417 Firefox/3.0.3
Host: ad.yieldmanager.com
Connection: Keep-Alive

GET http://ib.adnxs.com/ttj?id=1284883 HTTP/1.0
Accept: */*
Referer: http://www.psxobs.com/privacy-policy
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Host: ib.adnxs.com
Connection: Keep-Alive

That looks like clickfraud to me. Perhaps someone wrote a quick script that
downloads the list of tor exit nodes and sends clickfraud requests to 8118
and was too lazy to add tor. That would mean that the sites in the referrer
are the attackers and the url on the first line is the ad service which is
being defrauded. Of course there is the possibility of a joe job occurring,
but we know that at least some of them are the bad actors. Whois on both
referrers returns China. I'm surprised that the script doesn't remove
servers from the list that have the port closed. It's a very inefficient
script.

Regards,
Javantea
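The triage Javantea describes, as an added example that is not code from the thread: a proxy-style request line (absolute URL) names the ad service, and the Referer names the site the traffic is attributed to. The request samples below are constructed, modelled on the captures quoted in both messages; one keeps the fused `...HTTP/1.0` token seen in Kent's tcpdump output, and the `www.example.org` origin-form request is a made-up control case.

```python
"""Parse proxy-style HTTP requests captured on an exit relay's port 8118
and tally ad hosts (request line) against referrer sites (Referer header)."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed samples modelled on the requests quoted in the thread. The
# third has "HTTP/1.0" fused onto the URL, as in Kent's tcpdump -A output.
CAPTURED = [
    "GET http://ad.yieldmanager.com/st?ad_type=iframe&section=4211101 HTTP/1.0\r\n"
    "Accept: */*\r\nReferer: http://www.lotsoffree.com/index.php?id=84\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1)\r\nHost: ad.yieldmanager.com\r\n\r\n",
    "GET http://ib.adnxs.com/ttj?id=1284883 HTTP/1.0\r\nAccept: */*\r\n"
    "Referer: http://www.psxobs.com/privacy-policy\r\nHost: ib.adnxs.com\r\n\r\n",
    "GET http://ad.globe7.com/st?ad_type=pop&section=3910946HTTP/1.0\r\n"
    "Referer: http://twicemagic.com/index.php?id=44\r\nHost: ad.globe7.com\r\n\r\n",
    # Ordinary origin-form request (constructed control); a forward proxy
    # such as Privoxy should not normally see one of these.
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]

def parse_request(raw):
    """Return (method, target, headers) from one raw HTTP request."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], parts[1]
    if len(parts) == 2 and "HTTP/" in target:   # version token fused onto URL
        target = target[: target.rindex("HTTP/")]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def is_proxy_style(target):
    """An absolute URL on the request line is what a forward proxy expects."""
    return target.lower().startswith(("http://", "https://"))

def summarise(raws):
    """Count ad hosts and referrer sites across proxy-style captures."""
    ad_hosts, referrers = Counter(), Counter()
    for raw in raws:
        _, target, headers = parse_request(raw)
        if not is_proxy_style(target):
            continue
        ad_hosts[urlsplit(target).hostname] += 1
        ref = headers.get("referer")
        if ref:
            referrers[urlsplit(ref).hostname] += 1
    return ad_hosts, referrers

if __name__ == "__main__":
    hosts, refs = summarise(CAPTURED)
    print("ad services:", dict(hosts))
    print("referrer sites:", dict(refs))
```

Feeding it the payloads of a longer capture gives the who (referrer sites) and the what (ad services) Javantea lists, and the unique-source count can be taken from the tcpdump addresses separately.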