Please create an account to participate in the Slashdot moderation system


Forgot your password?
Communications Encryption Networking Privacy The Internet

Spoiled Onions: Exposing Malicious Tor Exit Relays 65

An anonymous reader points out this recently published study (PDF) on detecting malicious (or at least suspicious) Tor exit relays. From their conclusions: "After developing a scanner, we closely monitored all ~1000 exit relays over a period of four months. Wed discovered 25 relays which were either outright malicious or simply misconfigured. Interestingly, the majority of the attacks were coordinated instead of being isolated actions of independent individuals. Our results further suggest that the attackers made an active effort to remain under the radar and delay detection." One of the authors, Philipp Winter, wrote a followup blog post to help clarify what the paper's findings mean for Tor users, including this clarification: "First, it's important to understand that 25 relays in four months isn't a lot. It is ultimately a very small fraction of the Tor network. Also, it doesn't mean that 25 out of 1,000 relays are malicious or misconfigured (we weren't very clear on that in the paper). We have yet to calculate the churn rate of exit relays which is the rate at which relays join and leave the network. 1,000 is really just the approximate number of exit relays at any given point in time. So the actual number of exit relays we ended up testing in four months is certainly higher than that. As a user, that means that you will not see many malicious relays 'in the wild."
This discussion has been archived. No new comments can be posted.

Spoiled Onions: Exposing Malicious Tor Exit Relays

Comments Filter:
  • So, they tested around 1000 tor exit nodes, but actually tested many more? 25 of those node might have been malicious or maybe just misconfigured?


    • Re:Confusing Summary (Score:5, Informative)

      by phwinter ( 3513727 ) on Sunday January 26, 2014 @11:47AM (#46072989)
      I am the main author of the referenced paper. We tested more than 1,000 exit relays but don't know the actual number yet. However, it can be determined based on Tor's historical relay descriptors. The reason that's important is because the naive statistic "25 in 1,000 were malicious" is wrong.
      • While this doesn't directly bear on your results, I've been saying for quite a while that there aren't nearly enough Tor exit nodes running at any given time. 1000 seems pretty ridiculously low. I think 10 x or 100 x the current number would be far better.

        While "security through obscurity" is not ideal, isn't this the main purpose of Tor? To serve the purposes of anonymity and security, by burying any signal in a vast sea of noise?

        Your thoughts?
  • ...relay to be compromised to remove the entire point of using Tor, it's certainly besides the point how high the churn rate or how low the chances are, isn't it?

    • by Anrego ( 830717 ) * on Sunday January 26, 2014 @04:01AM (#46071389)

      My vague understanding of this (and I haven't really been following it so take with salt) is that this really doesn't defeat TOR itself, but merely takes advantage of ones position as an exit node to perform well known man in the middle style attacks.

      TOR is about hiding your identity. The exit node can see what you are sending and receiving, but doesn't know your actual IP (just the IP of the last node in the chain), the entry node knows your IP, but not what you are sending and receiving. This attack doesn't appear to compromise that.

      • What you send along to though can include things potentially mor idenifying than your IP might have ever been. The lesson is that there are no magic bullet solutions to anonymity and security which do not involve some degree or reading and learning how things work.
      • by wbr1 ( 2538558 )
        However, by performing a MITM and stripping that encryption, there may be identifying information in those packets. They might not see Joe Bobs IP, but instead snatched his logon creds, shipping address and payment info that was mused at and
        • by Opportunist ( 166417 ) on Sunday January 26, 2014 @06:35AM (#46071685)

          What people must understand is that the exit node is, to the server you're connecting to, essentially "you". In other words, it can see everything your computer could see if taking a look at the packet sent out. Everything a tool like Wireshark running on your computer could come up with is also what this exit node can see. If you send unencrypted traffic through TOR, the exit node will be able to read everything in plain text. That includes all credentials or cookies sent in plaintext.

          More, it can alter and modify the stream. That means it can easily inject cookies itself or other objects. I didn't try it yet, but I would not deem it impossible for an exit node to inject objects that can bypass TOR (like flash and the like) that could eventually compromise the users' identity. At the very least it would be trivial to inject a cookie that contains your TOR surfing habits. If I was a country, I'd try to team up with someone who has a high chance to be surfed to with a "normal" connection like a social media website or a search engine to ferret out someone's TOR surfing habits. If they use the same browser for TOR surfing and normal surfing, it becomes fairly trivial to detect them.

          • Re: (Score:1, Interesting)

            by anti-todo ( 3513619 )
            Sounds like a good reason to tunnel your traffic through a vpn on top of tor, no?
            • by Anonymous Coward

              Only if you purchase and maintain that VPN completely anonymously. Otherwise, that's a great way to de-anonymise yourself real quick.

              • by flonker ( 526111 )

                Also, you are then susceptible to the very same MITM attacks by the VPN provider. (Although they do have an incentive to remain honest.)

        • "" he said, using it as a metasyntactic variable.

          So I says to myself, "who the fuck would register that?" Then I says to myself, "it's the internet, someone must be using it." .gov, .info, .org, .mil, .net are all available.

          The .com is taken.

          Domain Name:
          Registry Domain ID:
          Registrar URL: []
          Updated Date: 2013-06-30T17:14:35Z
          Creation Date: 2006-08-16T02:14:40Z
          Registrar Registration Expiration Date: 2014-08-16T00:00:00Z
          Registrar: FABULOUS.COM PTY LTD.

    • by flonker ( 526111 ) on Sunday January 26, 2014 @04:10AM (#46071427)

      The primary development goal of Tor is to prevent the request from being traced back to the requester. (As a secondary effect, it also bypasses various national/regional content blocking schemes.) Malicious exit relays are detrimental, but in theory the user should be aware of the trust issues involved. I would label this as a user education issue.

      The major points being:

      • If your traffic is on the Internet, unless it is encrypted (such as by SSL), it can be passively monitored with only moderate effort.
      • If you are using Tor to reach the Internet, your traffic can't be traced back to you, but it still goes out over the Internet; see the previous point for more details. Tor can do nothing once the traffic is back on the Internet.
      • Attacks such as sslstrip exist. Be on guard against them.
      • So actually Tor software should warn the user when plaintext stuff is being sent over the network.

        This could be difficult to accomplish. But one easy way is to simply detect plaintext HTTP headers.

    • If all it takes is one relay to be compromised to remove the entire point of using Tor,

      That's not at all what the article is saying. A relay injecting content into your connection does not de-anonymize you. Tor works to guarantee anonymity. It doesn't guarantee that the exit relay isn't watching what's going through it or modifying the connection. That's why it's important to use HTTPS.

  • by Anonymous Coward

    if you can monitor all exit relays?

    • Anyone can use any of the exit relays. That's the point of the relays.

      • But then you never know if someone is eavesdropping you. Right?
        • by gmuslera ( 3436 )
          That is different from the actual situation where you know that someone is eavesdropping you. And you have a list of "bad" exit nodes that you can test, and I bet that can be made a page somewhere that directly tells you that your current Tor connection is unsafe because the exit node.
          • by Qzukk ( 229616 )

            I bet that can be made a page somewhere that directly tells you that your current Tor connection is unsafe because the exit node.

            Except the bad exit node would replace the page with a page telling you that everything is all good.

        • Tor provides anonymity, not protection against eavesdropping. For the latter, you need to use additional endpoint-to-endpoint security like SSL. Of course, you also shouldn't announce to the whole world who you are while browsing with Tor, which is surprisingly harder than some people might think.

  • I am kind of surprised by how small the Tor network is. Only 1000 exit relays? Guess I'll spin up a few.

    • Re:Surprised (Score:5, Informative)

      by Anrego ( 830717 ) * on Sunday January 26, 2014 @04:05AM (#46071401)

      There's a reason there are so few..

      Running an exit relay is basically asking for major headaches from law enforcement. You are essentially allowing others to access _any_ content, some of which will very likely be highly illegal such as child porn, through your connection.

      • Re:Surprised (Score:5, Interesting)

        by AmiMoJo ( 196126 ) * <mojo@world3.nBLUEet minus berry> on Sunday January 26, 2014 @07:11AM (#46071777) Homepage Journal

        How is that any different from running a free wifi service? Note that most of the illegal material is on Tor hidden services so would never leave your exit node at all, and all censorship on your connection remains in place for everyone using it.

        • Re:Surprised (Score:4, Informative)

          by Anonymous Coward on Sunday January 26, 2014 @08:11AM (#46071941)

          In some countries you are responsible for everything that happens from your wifi endpoint unless you can either identify the culprit using your network or show that you took reasonable steps to secure it against abuse. This translates to every public network I have ever used requiring an account bound to your real identity so the owners can hand over your credentials just like any other service provider can.

        • by Anrego ( 830717 ) *

          It doesn't, and many people who run those services have to deal with the same headaches.

          Usually stores/coffee shops/etc deal with it by requiring you to create an account before using the service, or at least logging connections, so they can point the finger away from them when law enforcement comes knocking.

    • Exit relays are trickier to host than just normal relays, because they're the ones police will come asking about when (probably not if) they discover something of interest came from it or was requested by it.
  • This is a followup on [] but the only new content is the blog posting.
    • by mSparks43 ( 757109 ) on Sunday January 26, 2014 @04:56AM (#46071519) Homepage Journal

      "New information" being this isn't 25 of 1,000 nodes.
      its 25 of some unknown number of nodes, of which 1,000 are active at any one time.

      And as I tried to point out last tiime (and am greatful for the opportunity to reiterate)
      exit nodes only account for 100Mbps of tors 3Gbps average traffic (most of the traffic being to hidden services which never go near an exit node)

      So if anything this is testament to the security of

      I guess much of the fear comes from the silkroad take down, but that was foiled by the good old postal service and human error, not the technology itself.

      • > So if anything this is testament to the security of

        I'm afraid not. It's a strong indicator of the underlying _vulnerability_ of the Tor architecture to malicious or mishandled exit nodes.

  • From the very first days of Tor I've assumed that at least one, and probably several different agents (legal and illegal, gov't and private) would be smart or at least interested enough to run a significant percentage of Tor hosts. This is akin to Willie Sutton's reasoning for why he robbed banks - "That's where the money is." Since Tor is of most interest to folks who want to keep things private, that's where people who want to know private things are sure to lurk. In the case of NSA, it's worth doing j

  • Until the last technocrat is strangled by the wiring of the last transhumanist.

Marvelous! The super-user's going to boot me! What a finely tuned response to the situation!