[Fwd: High-traffic Colluding Tor Routers in Washington, D.C. Confirmed]

Roger Dingledine arma at mit.edu
Fri Apr 13 16:50:00 UTC 2007


On Fri, Apr 13, 2007 at 03:24:40PM +0700, Vlad SATtva Miller wrote:
> ...However none of the mentioned below router nicknames or fingerprints
> was found in the current local cache file.
> 
> -------- Original Message --------
> Subject: High-traffic Colluding Tor Routers in Washington, D.C.  Confirmed
> Date: Thu, 12 Apr 2007 23:35:52 -0400
> From: Nostra2004 at Safe-mail.net
> To: cypherpunks at jfet.org
> 
> A group of 9 Tor routers also functioning overtly or indirectly as Tor
> exit nodes have been observed colluding on the public Tor network.

Yeah. This happened in mid 2006. I don't know why some random person
just picked it up now.

We (mainly Steven Murdoch and Richard Clayton) tracked down the fellow
running them. It turned out to be an innocent mistake. He's still running
quite a few, on the same network, but now he sets the MyFamily torrc
option on them.

This issue also prompted us to speed up the fix/feature in 0.1.2.1-alpha:
"Automatically avoid picking more than one node from the same
/16 network when constructing a circuit."

http://archives.seul.org/or/talk/Aug-2006/msg00300.html

> Collusion was definitively established by the following method:

For a more interesting (and more conclusive imo) method of deciding
they're the same, check out slide 28 in Steven's slides from his CCS
paper and 23C3 talk, where he investigated these servers:

http://www.cl.cam.ac.uk/~sjm217/talks/ccc06hotornot.pdf

--Roger
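
The two mitigations mentioned in the message above (the /16 rule quoted from the 0.1.2.1-alpha changelog and the MyFamily torrc option), shown as an added example that is not part of the original post and is not Tor's own code. Relay names and addresses are constructed, the greedy `build_path` selection is a simplification of real path selection, and a family is assumed to count only when both relays list each other.

```python
import ipaddress
from itertools import combinations

# Constructed sample relays: made-up names, example addresses.
RELAYS = {
    "relayA": {"ip": "198.51.100.10", "family": {"relayB"}},
    "relayB": {"ip": "198.51.100.77", "family": {"relayA"}},
    "relayC": {"ip": "198.51.7.5", "family": set()},
    "relayD": {"ip": "203.0.113.9", "family": {"relayE"}},
    "relayE": {"ip": "192.0.2.44", "family": {"relayD"}},
    "relayF": {"ip": "192.0.2.200", "family": {"relayC"}},  # one-sided claim
}

def slash16(ip):
    """Return the /16 network that contains an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)

def conflict(a, b, relays=RELAYS):
    """Reasons two relays must not share a circuit (empty list = compatible)."""
    reasons = []
    if slash16(relays[a]["ip"]) == slash16(relays[b]["ip"]):
        reasons.append("same /16")
    # Assumption: a family link counts only when it is declared by both sides.
    if b in relays[a]["family"] and a in relays[b]["family"]:
        reasons.append("declared family")
    return reasons

def path_ok(path, relays=RELAYS):
    """True if no pair of relays in the path conflicts."""
    return all(not conflict(a, b, relays) for a, b in combinations(path, 2))

def build_path(candidates, length=3, relays=RELAYS):
    """Greedy sketch: walk candidates in order, skip any that conflict."""
    path = []
    for name in candidates:
        if all(not conflict(name, p, relays) for p in path):
            path.append(name)
        if len(path) == length:
            return path
    return None  # not enough mutually compatible relays

if __name__ == "__main__":
    for a, b in combinations(RELAYS, 2):
        if conflict(a, b):
            print(f"{a} / {b}: {', '.join(conflict(a, b))}")
    print("path:", build_path(list(RELAYS)))
```

The /16 check catches co-located relays even when the operator declares nothing, which is the situation the post describes; the family check covers relays an operator runs on unrelated networks.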