Analyzing TOR-exitnodes for anomalies

[George Shaffer]

On Thu, 2006-10-05 at 11:41, Alexander W. Janssen wrote:

> OK, well, i checked that whistlersmother as well and got this picture:
> http://cjoint.com/data/kfr4jmDAsY.htm

I've read or skimmed the entire thread which seems to have ended midday
Thu, 10-5. Friday morning I clicked on a Cnet newsletter link:

http://ct.cnet-ssa.cnet.com/clicks?t=13228073-17329da91d4282a70255804e6ba2f6d5-bf&s=5&fs=0

Tor was enabled in Firefox and I got a page almost identical to the one
Alexander posted above, except it it had Cnet.com at the top. At some
subsequent time I copied the URL into an open copy of Firefox, and got a
somewhat similar page, except it had a variety of graphic content that
made the page look much slicker.

I wondered what was going on. Is Cnet blocking anonymous traffic? I
tried a browser not using Tor, and got a normal Cnet page with the
expected content. I then tried three other anonymizing services, The
Cloak, Anonymouse, and HideMyAss with the same URL. All got the same
correct result as the non Tor browser.

While reading this thread, when I saw Alexander's screen capture, I
realized that was just about what I'd seen Friday morning and tried
Firefox with Tor again and saw the expected Cnet page. I've tried
multiple times since, over a couple hours and each time got the right
page.

I am very skeptical of one of the hypotheses, that web hosting services
are blocking Tor access. If a provider did this without an explicit
policy and or informing their customers that this was part of their
practices, they could easily be liable for any lost value for every
hosted site that had any decrease in traffic as a result of such
blocking. Second why would any hosting service care who visited its
clients web sites? Who they want as visitors is and should be a matter
of concern only to the sites' owners. A hosting service might assist a
specific site in blocking some type of unwanted traffic, and charge the
customer for the additional service. 

In the case of Cnet, they are a rather major Internet content provider
and I expect they run their own servers. Regardless of who manages
Cnet's servers, they are big enough they would expect full control over
any policies that denied access to any visitor. A query from the right
party to the right people at Cnet should answer conclusively whether or
not Cnet has had any part in this. If so then it should be a Tor / EFF
education matter and if not, then some other theory needs to be
considered. After writing this, I think it makes no sense at all. If
Cnet wanted to block someone they would display some kind of error
message or page; they would never redirect someone to a link farm of
unrelated links. It makes zero business sense to send visitors elsewhere
with no explanation.

I have one more theory or more accurately, a guess. When I was testing
to see if tor was working, I visited grc.com to use the "Sheilds Up"
test. If they showed an IP that wasn't mine, then I could be pretty sure
Tor was working. The first time I visited them, I was surprised when
they determined I was behind a proxy and refused to go any further.
Later, I tried again and this time they just determined a different IP
address than mine. I decided to go ahead and do a "Common Port" scan. I
was appalled. The exit node seemed to have all kinds of open ports - a
lot more than I thought would be proxied by Tor. Unfortunately I did not
think to write down the reverse DNS address or the open ports. 

My thought is that some exit nodes may be compromised without the
operators knowledge. Maintaining good security while running an exit
node does not look like a simple task. I'm reluctant to do more of these
scans because they are an unauthorized port scan against the exit node.
If however I see another of the strange pages discussed in this thread I
will try to capture the page and then quickly do a scan.

George Shaffer