Analyzing TOR-exitnodes for anomalies

Alexander W. Janssen yalla at ynfonatic.de
Thu Oct 5 07:47:05 UTC 2006


On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
> Hmmm...  Bogus exit nodes or bogus DNS servers ?

One or the other way, brute forcing my way through all exit-nodes should
reveal it. Hopefully...

> Is it possible that the strange side effects comes, not from the exit nodes
> themselves, but from the DNS server used by these exit nodes ?

Could be either way. Things which popped up in my mind:
1) DNS poisoning
2) Exit-node is behind a transparent proxy which is compromised or modified in
some way
3) Outbound traffic from the exit-node gets DNATed away by some firewall

Things you could do:
1) Replacing complete websites with link-farms (that's what happened to me)
2) Using a modified web-proxy which inserts advertisement into the HTML-code
(possible, it's exactly the reverse of what Privoxy does)
3) Filter content
4) Replacing valid downloads by trojaned versions
5) Replace all pictures of a website with a picture of the goatse-man...
6) Modifying text in a subtle way using simple lex-programs (e.g. replace all
"must" by "could" or "police" by "SS")
7) <insert favourite attack here>
 
> Our suspicions about "bogus exit nodes" must be based on facts 
> so I suggest to collect information about this issue here.

My first run during the night was not very successful, most of the exitnodes
refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that
time of the day. I started another scan just minutes ago. Usually the
TOR-network is not that congested in the morning.

> What we can do is to report any "strange side effect" including:
> 
> the link to the web site
> the resulting link with the redirection like the ones we're talking about
> the exit node used to access this web site

Aye.
 
> Claude LaFrenière   

Alex.

-- 
"I am tired of all this sort of thing called science here... We have spent
millions in that sort of thing for the last few years, and it is time it
should be stopped."
 -- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901. 
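As an added illustration (not code from the thread or from the Tor project), here is a small Python comparison step for the kind of scan described above: each exit's fetch of a test page is compared against a direct fetch, and differences are reported per exit under the categories the mail lists (DNS answer, redirect target, modified body). The exit fingerprints, addresses and page bodies are constructed placeholders, and collecting the observations through the Tor SOCKS proxy is assumed to happen elsewhere.

```python
import difflib
import hashlib
from dataclasses import dataclass


@dataclass
class Observation:
    """One fetch of the same URL, either directly or through one exit node."""
    exit_fp: str      # exit relay fingerprint ("direct" for the baseline); placeholders here
    resolved_ip: str  # address the site name resolved to on that path
    final_url: str    # URL reached after following redirects
    body: bytes       # response body


def compare(baseline: Observation, obs: Observation) -> list:
    """Describe how one exit's view of the page differs from the direct view."""
    findings = []
    if obs.resolved_ip != baseline.resolved_ip:          # DNS poisoning or DNATed traffic
        findings.append(f"dns: {baseline.resolved_ip} -> {obs.resolved_ip}")
    if obs.final_url != baseline.final_url:              # redirected, e.g. to a link farm
        findings.append(f"redirect: {obs.final_url}")
    if hashlib.sha256(obs.body).digest() != hashlib.sha256(baseline.body).digest():
        # Word-level diff, so a subtle one-word substitution is reported as exactly that
        base_words = baseline.body.decode(errors="replace").split()
        exit_words = obs.body.decode(errors="replace").split()
        for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, base_words, exit_words).get_opcodes():
            if tag != "equal":
                findings.append(f"body {tag}: {' '.join(base_words[i1:i2])!r} -> {' '.join(exit_words[j1:j2])!r}")
    return findings


def scan(baseline: Observation, observations: list) -> dict:
    """Map exit fingerprint -> list of anomalies, keeping only exits that differ."""
    report = {}
    for obs in observations:
        findings = compare(baseline, obs)
        if findings:
            report[obs.exit_fp] = findings
    return report


# Constructed sample data: one direct fetch and four exit-node fetches of the same page.
PAGE = b"<html><body>The police must act now.</body></html>"
BASELINE = Observation("direct", "192.0.2.10", "http://example.test/news", PAGE)
SAMPLES = [
    Observation("EXIT-A", "192.0.2.10", "http://example.test/news", PAGE),            # clean
    Observation("EXIT-B", "198.51.100.7", "http://linkfarm.test/?ref=news",
                b"<html><body>Cheap links! Buy now!</body></html>"),                  # wrong DNS + link farm
    Observation("EXIT-C", "192.0.2.10", "http://example.test/news",
                b"<html><body>The police could act now.</body></html>"),              # subtle text edit
    Observation("EXIT-D", "192.0.2.10", "http://example.test/news",
                PAGE + b' <script src="http://ads.test/a.js"></script>'),             # injected ad script
]

if __name__ == "__main__":
    for exit_fp, findings in scan(BASELINE, SAMPLES).items():
        print(exit_fp, *findings, sep="\n  ")
```

The report per exit carries exactly the three items the thread asks to collect: the site, the resulting link, and the exit node used.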