[tor-talk] SIGAINT email service targeted by 70 bad exit nodes

nusenu nusenu at openmailbox.org
Tue Apr 28 08:36:39 UTC 2015



> On Sun, Apr 26, 2015 at 11:19:08AM +0000, nusenu wrote:
>>> On Thu, Apr 23, 2015 at 07:30:57PM +0000, nusenu wrote:
>>>>> Almost all of them were younger than one month and they
>>>>> seem to have joined the network in small batches.  I
>>>>> uploaded Onionoo's JSON-formatted relay descriptors, so
>>>>> everybody can have a look: 
>>>>> <http://www.nymity.ch/badexit/bad_descriptors_2015-04-23.zip>
>>>>
>>>> I compared your list (71 FPs) with my list (55 FPs) from
>>>> 2015-04-05 [1]; we have an overlap of (only) 30 relays. An
>>>> overlap of around ~50 would be better.
>>> 
>>> Yes, I remember your list.  Thanks a lot for sharing it, it's 
>>> really helpful!
>>> 
>>> The relays that are in your, but not in my list indeed look
>>> quite similar to the rest.  They don't have a BadExit flag
>>> because nobody has caught them doing something nasty yet.
>> 
>> So you do not think that they are controlled by the same
>> (malicious) entity? (even though some declare their MyFamily
>> accordingly*)
> 
> I'm not sure, unfortunately.

I would appreciate hearing your thoughts on the MyFamily group [2].

Let's make sure that we are on common ground regarding the following
data points:

- you saw their (speaking about the 55 relays [1]) sign-up timing/pattern
- you saw their restart timing/pattern
- the combination of these two
- you saw that all of them changed their DirPort setting after [1]


Example:
 - relay: Chifuniro (BadExit)
	aka CC6339702D3AB62DE86F693474FFDB4C22B1FCA0

 - relay: Kyriakos + 3 others (no BadExit flag)
	currently down - shutdown ~20 hours ago
	aka CB1F5320223B1DB51F19717BE95E20AB9BF51523

both signed up on 2015-04-01 within a two-hour timeframe
	(2015-04-01 06:00:00  vs. 2015-04-01 08:00:00)

both restarted on 2015-04-04 within an 11-second timeframe
	(2015-04-04 01:33:11 vs. 2015-04-04 01:33:22)

other matching properties:
	- AS
	- tor version
	- no contact
	- no family
	- DirPort auto (back then)

Now, to actually weigh the information above, one would have to compare
it with the rest of the network. How likely is it that something
like this happens coincidentally? I didn't do the actual processing,
but I'd say the likelihood is low.

Anyway, it is good that relays are not flagged too easily as BadExits.


[1] https://lists.torproject.org/pipermail/tor-talk/2015-April/037384.html
[2] https://lists.torproject.org/pipermail/tor-talk/2015-April/037587.html


>> The case that one took over legit relays is unlikely since many
>> are rather 'fresh' ones.
> 
> Maybe somebody started a Tor relay after breaking into them?

Is that a reason to *not* flag them as BadExit?
I mentioned the sentence above (compromising legit relays) since that
would/should influence the decision whether a group of relays operated
by one entity should be treated as 'bad' if one behaves 'bad'.


>> Did you (or anyone else?) try to reach out to them via their
>> ISP(s)?
> 
> Not yet, but I hope to get to it later today.

Thanks for doing this, keep us posted.
(I was also about to ask the hoster whether some IPs relate to the
same customer but I'll leave it to you then.)

> It's certainly odd that all these relays were in only a few data
> centers.

Why is that odd? I thought that is good as it makes detection
potentially easier if bad guys use just a single or few ISPs, no?
I was also wondering whether current doctor should trigger on events
like the one on 2015-04-01.
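As an added example, not code from the post above or from any Tor project tool, the following Python script implements the grouping heuristic the post spells out: relays that share an AS and Tor platform string, carry no contact and no family, signed up within a short window of each other and restarted within seconds of each other are merged into one candidate group, with union-find so that a relay matching only one existing member still joins. The record field names (first_seen, last_restarted, as_number, platform, contact, family) are assumptions loosely modelled on Onionoo details documents; the two quoted fingerprints and timestamps come from the post, while every other fingerprint, AS number and platform value is a constructed placeholder.

```python
"""Group Tor relays by correlated sign-up and restart times.

Two relays are linked when they share an AS and platform string, both have
an empty contact and no declared family, joined the network within
signup_window_s seconds of each other and last restarted within
restart_window_s seconds of each other.  Linked relays are merged with
union-find, so a relay inside the windows of only one member still joins
that member's group.  Field names are assumptions about the Onionoo
'details' schema, not a guaranteed layout.
"""
from datetime import datetime, timedelta
from itertools import combinations

# Default windows mirror the pattern quoted in the post (two hours between
# sign-ups, eleven seconds between restarts); both are tunable assumptions.
SIGNUP_WINDOW_S = 2 * 60 * 60
RESTART_WINDOW_S = 60


def _relay(nickname, fingerprint, first_seen, last_restarted, as_number,
           contact="", family=()):
    """Build one constructed relay record; the platform string is fixed."""
    return {"nickname": nickname, "fingerprint": fingerprint,
            "first_seen": first_seen, "last_restarted": last_restarted,
            "as_number": as_number, "platform": "Tor 0.2.5.12 on Linux",
            "contact": contact, "family": list(family)}


# Constructed sample data.  AS64496/AS64497 are reserved for documentation
# and the zero-padded fingerprints are placeholders.
SAMPLE_RELAYS = [
    # The two relays from the post (fingerprints and times as quoted there).
    _relay("Chifuniro", "CC6339702D3AB62DE86F693474FFDB4C22B1FCA0",
           "2015-04-01 06:00:00", "2015-04-04 01:33:11", "AS64496"),
    _relay("Kyriakos", "CB1F5320223B1DB51F19717BE95E20AB9BF51523",
           "2015-04-01 08:00:00", "2015-04-04 01:33:22", "AS64496"),
    # Inside the windows of Kyriakos only, so it joins the group transitively.
    _relay("PlaceholderC", "0000000000000000000000000000000000000003",
           "2015-04-01 09:30:00", "2015-04-04 01:33:30", "AS64496"),
    # Same AS and sign-up day, but restarted a day later: not linked.
    _relay("PlaceholderD", "0000000000000000000000000000000000000004",
           "2015-04-01 07:10:00", "2015-04-05 12:00:00", "AS64496"),
    # Has a contact line and lives in another AS: an ordinary relay.
    _relay("PlaceholderE", "0000000000000000000000000000000000000005",
           "2015-04-01 06:30:00", "2015-04-04 01:33:15", "AS64497",
           contact="ops@example.org"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def linked(a, b, signup_window_s=SIGNUP_WINDOW_S,
           restart_window_s=RESTART_WINDOW_S):
    """True when two relays match on every property listed in the post."""
    if a["as_number"] != b["as_number"] or a["platform"] != b["platform"]:
        return False
    if a["contact"] or b["contact"] or a["family"] or b["family"]:
        return False
    signup_gap = abs(_ts(a["first_seen"]) - _ts(b["first_seen"]))
    if signup_gap > timedelta(seconds=signup_window_s):
        return False
    restart_gap = abs(_ts(a["last_restarted"]) - _ts(b["last_restarted"]))
    return restart_gap <= timedelta(seconds=restart_window_s)


def cluster(relays, signup_window_s=SIGNUP_WINDOW_S,
            restart_window_s=RESTART_WINDOW_S):
    """Return sorted groups (lists of fingerprints) of two or more linked relays."""
    parent = {r["fingerprint"]: r["fingerprint"] for r in relays}

    def find(fp):
        while parent[fp] != fp:
            parent[fp] = parent[parent[fp]]  # path halving
            fp = parent[fp]
        return fp

    for a, b in combinations(relays, 2):
        if linked(a, b, signup_window_s, restart_window_s):
            parent[find(a["fingerprint"])] = find(b["fingerprint"])

    groups = {}
    for r in relays:
        groups.setdefault(find(r["fingerprint"]), []).append(r["fingerprint"])
    return sorted(sorted(g) for g in groups.values() if len(g) >= 2)


if __name__ == "__main__":
    for group in cluster(SAMPLE_RELAYS):
        print("possible single-operator group:", ", ".join(group))
```

On the sample data the two quoted relays and the transitively linked placeholder end up in one group, while the relay that restarted a day later and the one with a contact line stay out. The windows are the knobs that decide how aggressive the grouping is; the point raised in the thread about weighing such matches against the whole network still applies, because with a large enough window unrelated relays in a busy AS will start to match.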

