[tor-talk] 'How to report bad relays' (blog entry)

Philipp Winter phw at nymity.ch
Thu Jul 31 00:08:56 UTC 2014

On Wed, Jul 30, 2014 at 11:03:03PM +0000, Nusenu wrote:
> > If it's reproducible, we attempt to get in touch with the relay 
> > operator
> Does this imply that you try to fix the issue with an confirmed "bad
> relay" before assigning them the badexit flag?
> (opposed to flagging them first - which means protecting users first and
> then trying to get this fixed? - removing the flags after recovery)

It depends on what's going on.  If we are dealing with bad
configuration, we tend to contact the operator before assigning the
BadExit flag.

If the relay is malicious, we flag it immediately.  Generally, malicious
relays do not have contact information because the operators have no
interest in contributing to the network.  However, a few days ago, we
had a relay which ran HTTPS MitM attacks against bitcoin trading sites.
We assigned the BadExit flag and then contacted the relay operator.  It
turned out that the relay was fine but a server in the same data center
as the relay was compromised and poisoned the ARP cache of all other
servers in the same LAN in order to break into their HTTPS.

> > In severe cases, we [(currently Roger, Peter, Damian, Karsten, and
> >  I)] are also able to remove the relay descriptor from the network
> >  consensus which effectively makes the relay disappear.
> from the comment reply to this sentence:
> > If a sufficient number of directory authority operators agree
> > (which is not always the case), then they are able to disable a
> > selected relay. This happens every other day or week when we
> > discover a malicious or broken relay. Also, our directory authority
> > operators as well as their servers are in different jurisdiction
> > which makes political attacks harder.
> (yes, "a sufficient number of directory authority operators" is
> probably more accurate than "we")
> ..but are you really saying that "every other day or week" the
> majority of dir auth. operators are "removing a relay descriptor from
> the network consensus"?
> (making them "disappear" opposed to giving them i.e. the badexit flag)

No, the "every other day or week" was referring to the BadExit flag.
Note that BadExit does not make a relay disappear -- that's only the
case when the AuthDirReject option is used which happens "every other
month".  A BadExit flag only prevents clients from using the relay as
exit relay.  Such a relay continues to be part of the consensus and can
be selected for other hops.

> If the removal rate is so high ("every other day or week") where can
> we find a list of all relays that have been removed from the consensus
> in the past so far?
> This process should be transparent, no?

That's a good question and a controversial topic.  Personally, I'd like
to see more transparency too but it's a sensitive trade-off.  By making
the process more and more public, we also make it easier for attackers
to adapt their behaviour and become harder to spot.

> I tried to find 'rejected' flagged relays on the following page but
> wasn't successful.
> https://consensus-health.torproject.org/

Rejected relays are not part of the consensus but relays which were
assigned the BadExit flag are.  Just Ctrl+F for "BadExit" on that page.


More information about the tor-talk mailing list