Opened 5 years ago

Closed 5 years ago

#5039 closed task (wontfix)

What's up with the sybil attack from 0.2.2.32 relays?

Reported by: arma Owned by:
Priority: Medium Milestone:
Component: Metrics/Analysis Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

wanoskarnet points out a bunch of relays from subnets like 188.143.233.0/24, 141.8.193.0/24, 91.226.30.0/24, 81.176.229.0/24, 62.76.44.0/24, 81.177.170.0/24, 62.76.179.0/24, 81.177.169.0/24, 195.43.95.0/24.

There's clearly a trend here. It looks like they're small so we could cut them out of the network without much ill effect.

How many are there total? How much capacity is that? When did they show up? Any other interesting patterns?

Child Tickets

Change History (2)

comment:1 Changed 5 years ago by atagar

Um... I pointed those out almost a month ago ("Automated exit setup?" on January 18th), I also tried to remind people about this in my monthly report without much success. Do we want trac tickets for bad exit reports instead?

Here's the January email I sent which gives more context on these:

Three times now I've seen an odd burst in exits. Here's their attributes:

  • policies are for 80/443, without any contact info
  • the nickname is a string of eight random lowercase letters
  • in the instances I checked they're running git-8522652d8e9213d4
  • the relays in a single burst are from the same subnet, but bursts differ from each other

When I checked the intersection of the git sha1 and nicknames I got a set of 41 relays (see below). Overall there seemed to be 141 relays with that sort of nickname pattern, though many could be false positives. This definitely feels like an automated exit setup - maybe tor exits are being set up throughout some college labs?
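A detection sketch for the heuristics Damian lists above, added here as an example and not code from the ticket or from any Tor tooling: it parses a descriptor dump, flags relays that match every per-relay heuristic (eight-lowercase-letter nickname, no contact line, exit policy only for 80/443), and clusters the hits by /24 and platform string so a burst from one subnet stands out. The sample descriptors, nicknames and RFC 5737 addresses are constructed; grouping by /24 and the `min_size` threshold are my assumptions, while the platform string is the one the report names.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample descriptors (not the ticket's relays); RFC 5737 addresses, report's platform string.
SAMPLE = """\
router abcdefgh 198.51.100.10 80 0 0
platform Tor 0.2.2.32 (git-8522652d8e9213d4) on Linux x86_64
accept *:80
accept *:443
router ijklmnop 198.51.100.11 80 0 0
platform Tor 0.2.2.32 (git-8522652d8e9213d4) on Linux x86_64
accept *:80
accept *:443
router qrstuvwx 203.0.113.5 9001 0 9030
platform Tor 0.2.2.32 (git-8522652d8e9213d4) on Linux x86_64
contact admin@example.org
accept *:*
"""
NICK_RE = re.compile(r"^[a-z]{8}$")  # "eight random lowercase letters"

def parse(text):
    relays, cur = [], None
    for parts in (l.split() for l in text.splitlines() if l.strip()):
        if parts[0] == "router":  # router <nick> <ip> <orport> <socksport> <dirport>
            cur = {"nick": parts[1], "ip": parts[2], "platform": "", "contact": None, "accepts": set()}
            relays.append(cur)
        elif cur is None:
            continue  # ignore anything before the first router line
        elif parts[0] == "platform":
            cur["platform"] = " ".join(parts[1:])
        elif parts[0] == "contact":
            cur["contact"] = " ".join(parts[1:])
        elif parts[0] == "accept":
            cur["accepts"].add(parts[1])
    return relays

def suspicious(r):
    # Per-relay heuristics from the report: nickname shape, no contact, exit policy only for 80/443.
    web_only = bool(r["accepts"]) and r["accepts"] <= {"*:80", "*:443"}
    return bool(NICK_RE.match(r["nick"])) and r["contact"] is None and web_only

def find_bursts(text, min_size=2):
    # Cluster suspicious relays by (/24 subnet, platform string); singletons are dropped.
    groups = defaultdict(list)
    for r in parse(text):
        if suspicious(r):
            net = str(ip_network(r["ip"] + "/24", strict=False))
            groups[(net, r["platform"])].append(r["nick"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}
```

The third sample relay has the nickname shape but a contact line and an open exit policy, so it is left out of the cluster; with a real descriptor archive, bursts over time fall out of the same grouping by adding the descriptor's publication date to the key.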

comment:2 Changed 5 years ago by atagar

  • Resolution set to wontfix
  • Status changed from new to closed

I just spoke with Mike and these relays don't look to be clearly malicious. If their collective bandwidth becomes particularly high or we can prove some maliciousness then we'll badexit them. But for now he wants to leave them alone.

I've added a snippet to the bad exits wiki about what constitutes being a bad exit. I'm not a directory authority operator so if we'd like to amend this then we'll need to talk it over with them.

https://trac.torproject.org/projects/tor/wiki/doc/badRelays#Whatisabadexit

Resolving for now. -Damian
