Analyzing TOR-exitnodes for anomalies

Deephay tudoxxx at gmail.com
Thu Oct 5 13:31:47 UTC 2006


On 10/5/06, Claude LaFrenière <climenole at gmail.com> wrote:
> Hi  *Alexander W. Janssen*   :
>
> > Hi all,
> >
> > considering that I heard from several people that they notice strange
> > side effects since a couple of days - altered webpage, advertisement where no
> > ads should be - I started a little investigation if there are any obviously
> > bogus exitnodes in the wild:
> >
> > http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/
> >
> > I welcome you to start your own investigation; if there are really bogus
> > exitnodes we should be aware of those and we should know their node's nickname
> > to put them on a shitlist.
> >
> > This might lead to an escalation in the future when marketeers realize the
> > possibilities of altering traffic.
> >
> > Comments, ideas, pointers to other projects?
> >
> > Alex.
>
> Hmmm...  Bogus exit nodes or bogus DNS servers ?
>
> Is it possible that the strange side effects come, not from the exit nodes
> themselves, but from the DNS server used by these exit nodes ?
>
> A kind of DNS poisoning? (From a local DNS server or Remote DNS server...)
> Ref.: http://en.wikipedia.org/wiki/DNS_poisoning
>
> Our suspicions about "bogus exit nodes" must be based on facts
> so I suggest to collect information about this issue here.
>
> What we can do is to report any "strange side effect" including:
>
> the link to the web site
> the resulting link with the redirection like the ones we're talking about
> the exit node used to access this web site
>

Hi all,

I did some Google (and Yahoo) searching but did not find the ghost-like
"Linux Magazine" site you have encountered; that means this site could
be quite new (but writing a robots.txt can reject the crawlers if
someone intends to commit a crime and is trying to keep others from
finding the clues). Also, is the logo "linux-magazine.com what you need,
when you need it" an image or just text?
Maybe it is a DNS poisoning job, maybe some guy runs a local DNS
server as well as a tor node to make some profit by directing us to
this bogus linux-magazine? Interesting.

Deephay
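
Added example (not part of the original messages and not Tor project code): one way to tabulate the reports suggested in the thread (link, resulting link, exit node) and to separate a DNS-level anomaly from altered content on the same server. The Report type, the resolved_ip and body_hash fields, and every sample value are assumptions made up for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Report(NamedTuple):
    exit_node: str    # nickname of the exit used
    url: str          # link requested
    final_url: str    # link actually reached after any redirection
    resolved_ip: str  # address the hostname resolved to via that exit (assumed field)
    body_hash: str    # digest of the returned page body (assumed field)

def majority(values):
    """Return the value held by a strict majority of reports, or None."""
    value, count = Counter(values).most_common(1)[0]
    return value if count * 2 > len(values) else None

def classify(reports, min_reports=3):
    """Map exit nickname -> [(url, kind)] for reports deviating from the majority.
    Dynamic pages and load-balanced sites differ legitimately, so a finding
    is a lead to verify by hand, not proof of a bogus exit."""
    by_url = defaultdict(list)
    for r in reports:
        by_url[r.url].append(r)
    findings = defaultdict(list)
    for url, group in by_url.items():
        if len(group) < min_reports:
            continue  # too few observations to call anything an outlier
        base_ip = majority([r.resolved_ip for r in group])
        base_final = majority([r.final_url for r in group])
        base_hash = majority([r.body_hash for r in group])
        for r in group:
            if base_ip and r.resolved_ip != base_ip:
                kind = "dns"       # name resolved elsewhere: suspect the resolver
            elif base_final and r.final_url != base_final:
                kind = "redirect"  # same server, different landing link
            elif base_hash and r.body_hash != base_hash:
                kind = "content"   # same server and link, altered body
            else:
                continue
            findings[r.exit_node].append((url, kind))
    return dict(findings)

# Constructed sample reports (nicknames, addresses and digests are made up).
SAMPLE = [
    Report("exitA", "http://example.org/", "http://example.org/", "192.0.2.10", "h1"),
    Report("exitB", "http://example.org/", "http://example.org/", "192.0.2.10", "h1"),
    Report("exitC", "http://example.org/", "http://ads.example.net/", "198.51.100.7", "h9"),
    Report("exitD", "http://example.org/", "http://example.org/", "192.0.2.10", "h2"),
    Report("exitE", "http://example.org/", "http://example.org/", "192.0.2.10", "h1"),
]
```

On the sample, classify(SAMPLE) attributes a "dns" finding to exitC and a "content" finding to exitD, and leaves the other three exits unflagged.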
