Analyzing TOR-exitnodes for anomalies

Claude LaFrenière climenole at gmail.com
Thu Oct 5 12:06:40 UTC 2006


Hi *Alexander W. Janssen*:

> On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
>> Hmmm...  Bogus exit nodes or bogus DNS servers ?
> 
> One or the other way, brute forcing my way through all exit-nodes should
> reveal it. Hopefully...

This is a lot of work. It may be a very long investigation.
You need data from the other Tor users about this issue.

> 
>> Is it possible that the strange side effects comes, not from the exit nodes
>> themselves, but from the DNS server used by these exit nodes ?
> 
> Could be either way. Things which popped up in my mind:
> 1) DNS poisoning
> 2) Exit-node is behind a transparent proxy which is compromised or modified in
> some way

Yes!

> 3) Outbound traffic from the exit-node gets DNATed away by some firewall

ok

and the fourth:
some exit nodes infected with trojans, viruses, worms...
This limits the investigation to Windows exit nodes !!!  ;-)
(No such things with BSD/Linux, I presume...)

> 
> Things you could do:
> 1) Replacing complete websites with link-farms (that's what happened to me)
> 2) Using a modified web-proxy which inserts advertisements into the HTML-code
> (possible, it's exactly the reverse of what Privoxy does)
> 3) Filter content
> 4) Replacing valid downloads by trojaned versions
> 5) Replace all pictures of a website with a picture of the goatse-man...
> 6) Modifying text in a subtle way using simple lex-programs (e.g. replace all
> "must" by "could" or "police" by "SS")
> 7) <insert favourite attack here>

Or the German Tor exit nodes seized by the Polizei...
Did they return these computers with some "add-on" ???
(Hmmm... too paranoid, I guess...  ;-)  )

>
>> Our suspicions about "bogus exit nodes" must be based on facts 
>> so I suggest to collect information about this issue here.
> 
> My first run during the night was not very successful, most of the exitnodes
> refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that
> time of the day, I started another scan just minutes ago. Usually the
> TOR-network is not that congested in the morning.

OK. Let us know if you find something interesting.

> 
>> What we can do is to report any "strange side effect" including:
>> 
>> the link to the web site
>> the resulting link with the redirection like the ones we're talking about
>> the exit node used to access this web site
> 
> Aye.

Best regards,

-- 
Claude LaFrenière   
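The comparison the thread proposes (record the requested link, the link you actually ended up at, and the exit node used, then look for exits that behave differently from a direct fetch) can be automated once the fetches have been collected. The following is an added example, not code from anyone in this thread or from the Tor project: it takes one or more baseline fetches made without Tor and a set of fetches made through different exit nodes, and flags per exit node an off-site redirect, a changed HTTP status, and a body that differs from the baseline, distinguishing an injected `<script>` tag from a page that is simply dynamic (the baseline fetches disagree with each other). All URLs, exit-node names and response bodies are constructed sample data; nothing is fetched from the network.

```python
"""Flag Tor exit nodes whose view of a page differs from a direct fetch.

Added example for the tor-talk discussion; not code from the thread or from
Tor. The URLs, exit names and bodies below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Fetch:
    exit_node: str       # Tor exit nickname/fingerprint, or "direct" for a baseline
    requested_url: str   # the link the user asked for
    final_url: str       # the link actually reached after redirects
    status: int          # final HTTP status code
    body: bytes          # response body as received


SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def compare(baselines: list[Fetch], probe: Fetch) -> list[str]:
    """Return anomaly descriptions for one fetch made through an exit node.

    Several baselines let us tell a tampered body from a page that changes
    on every load (rotating ads, timestamps): if the baselines already
    disagree among themselves, a differing body is reported as inconclusive.
    """
    if not baselines:
        raise ValueError("need at least one baseline fetch")
    base = baselines[0]
    base_digests = {digest(b.body) for b in baselines}
    findings: list[str] = []

    if probe.status != base.status:
        findings.append(f"status {probe.status} != baseline {base.status}")

    # A link-farm replacement usually shows up as a redirect to another host.
    if host(probe.final_url) != host(base.final_url):
        findings.append(f"redirected to foreign host {host(probe.final_url)}")

    if digest(probe.body) not in base_digests:
        base_scripts = max(len(SCRIPT_TAG.findall(b.body)) for b in baselines)
        probe_scripts = len(SCRIPT_TAG.findall(probe.body))
        if probe_scripts > base_scripts:
            findings.append(f"{probe_scripts - base_scripts} extra <script> tag(s) in body")
        elif len(base_digests) > 1:
            findings.append("body differs but baseline is itself unstable (dynamic page?)")
        else:
            findings.append("body differs from stable baseline")
    return findings


def report(baselines: list[Fetch], probes: list[Fetch]) -> dict[str, list[str]]:
    """Map each exit node to its list of anomalies (empty list = looks clean)."""
    return {p.exit_node: compare(baselines, p) for p in probes}


# Constructed sample data: two direct fetches and three fetches via Tor exits.
URL = "http://www.example.com/"
PAGE = b"<html><body><p>Example page</p></body></html>"
BASELINES = [Fetch("direct", URL, URL, 200, PAGE), Fetch("direct", URL, URL, 200, PAGE)]
PROBES = [
    Fetch("ExitA", URL, URL, 200, PAGE),                          # honest exit
    Fetch("ExitB", URL, "http://link-farm.example.net/?r=example.com",
          200, b"<html>buy stuff</html>"),                        # link-farm redirect
    Fetch("ExitC", URL, URL, 200,
          PAGE.replace(b"</body>",
                       b'<script src="http://ads.example.net/a.js"></script></body>')),  # ad injection
]

if __name__ == "__main__":
    for exit_node, findings in report(BASELINES, PROBES).items():
        print(exit_node, "->", findings or "clean")
```

Collecting the Fetch records is the part the script leaves to the operator: fetch through Tor's SOCKS port while pinning the exit (for example with the torrc ExitNodes option), and fetch the baseline more than once so that a page which legitimately changes between loads does not get an exit node blamed for it. A DNS-level cause (the exit's resolver answering with a bogus address) looks the same from this vantage point as a transparent proxy on the exit, so a flagged exit still needs a follow-up, such as resolving the name through that exit and comparing the returned address.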


