Become a fan of Slashdot on Facebook


Forgot your password?
Communications Encryption Networking Privacy The Internet

Spoiled Onions: Exposing Malicious Tor Exit Relays 65

An anonymous reader points out this recently published study (PDF) on detecting malicious (or at least suspicious) Tor exit relays. From their conclusions: "After developing a scanner, we closely monitored all ~1000 exit relays over a period of four months. Wed discovered 25 relays which were either outright malicious or simply misconfigured. Interestingly, the majority of the attacks were coordinated instead of being isolated actions of independent individuals. Our results further suggest that the attackers made an active effort to remain under the radar and delay detection." One of the authors, Philipp Winter, wrote a followup blog post to help clarify what the paper's findings mean for Tor users, including this clarification: "First, it's important to understand that 25 relays in four months isn't a lot. It is ultimately a very small fraction of the Tor network. Also, it doesn't mean that 25 out of 1,000 relays are malicious or misconfigured (we weren't very clear on that in the paper). We have yet to calculate the churn rate of exit relays which is the rate at which relays join and leave the network. 1,000 is really just the approximate number of exit relays at any given point in time. So the actual number of exit relays we ended up testing in four months is certainly higher than that. As a user, that means that you will not see many malicious relays 'in the wild."
This discussion has been archived. No new comments can be posted.

Spoiled Onions: Exposing Malicious Tor Exit Relays

Comments Filter:
  • by Anrego ( 830717 ) * on Sunday January 26, 2014 @04:01AM (#46071389)

    My vague understanding of this (and I haven't really been following it so take with salt) is that this really doesn't defeat TOR itself, but merely takes advantage of ones position as an exit node to perform well known man in the middle style attacks.

    TOR is about hiding your identity. The exit node can see what you are sending and receiving, but doesn't know your actual IP (just the IP of the last node in the chain), the entry node knows your IP, but not what you are sending and receiving. This attack doesn't appear to compromise that.

  • Re:Surprised (Score:5, Informative)

    by Anrego ( 830717 ) * on Sunday January 26, 2014 @04:05AM (#46071401)

    There's a reason there are so few..

    Running an exit relay is basically asking for major headaches from law enforcement. You are essentially allowing others to access _any_ content, some of which will very likely be highly illegal such as child porn, through your connection.

  • Re:Confusing Summary (Score:5, Informative)

    by Sqr(twg) ( 2126054 ) on Sunday January 26, 2014 @05:00AM (#46071531)

    25 out of 1000 relays were detectably suspicious. These are the script kiddies who set up an exit node in order to harvest credentials that can be used for fraud etc. Such nodes are easy to detect by verifying https certificates and/or transmitting false credentials over tor and checking if they are used later.

    The really sinister exit nodes are not as easy to detect. Transmit false dissident names and check if the named people are imprisoned and tortured?

  • by Opportunist ( 166417 ) on Sunday January 26, 2014 @06:35AM (#46071685)

    What people must understand is that the exit node is, to the server you're connecting to, essentially "you". In other words, it can see everything your computer could see if taking a look at the packet sent out. Everything a tool like Wireshark running on your computer could come up with is also what this exit node can see. If you send unencrypted traffic through TOR, the exit node will be able to read everything in plain text. That includes all credentials or cookies sent in plaintext.

    More, it can alter and modify the stream. That means it can easily inject cookies itself or other objects. I didn't try it yet, but I would not deem it impossible for an exit node to inject objects that can bypass TOR (like flash and the like) that could eventually compromise the users' identity. At the very least it would be trivial to inject a cookie that contains your TOR surfing habits. If I was a country, I'd try to team up with someone who has a high chance to be surfed to with a "normal" connection like a social media website or a search engine to ferret out someone's TOR surfing habits. If they use the same browser for TOR surfing and normal surfing, it becomes fairly trivial to detect them.

  • Re:Surprised (Score:4, Informative)

    by Anonymous Coward on Sunday January 26, 2014 @08:11AM (#46071941)

    In some countries you are responsible for everything that happens from your wifi endpoint unless you can either identify the culprit using your network or show that you took reasonable steps to secure it against abuse. This translates to every public network I have ever used requiring an account bound to your real identity so the owners can hand over your credentials just like any other service provider can.

  • Re:Confusing Summary (Score:5, Informative)

    by phwinter ( 3513727 ) on Sunday January 26, 2014 @11:47AM (#46072989)
    I am the main author of the referenced paper. We tested more than 1,000 exit relays but don't know the actual number yet. However, it can be determined based on Tor's historical relay descriptors. The reason that's important is because the naive statistic "25 in 1,000 were malicious" is wrong.

Science may someday discover what faith has always known.