
Known Bad Relays

This is a summary of Tor relays that have been flagged as bad, being either malicious or misconfigured. Its purpose is to use past events to make trends more evident and to help investigations of future suspicious activity. Most bad relays are caught thanks to our wider community, so many thanks for all your help and vigilance!

In almost all cases we're unable to contact the operator to resolve the issue, so if your relay is listed below, please let us know so we can fix the issue.

Bad relays fall into three categories:

  • BadExit - Never use as an exit node (for nodes that appear to mess with exit traffic)
  • Invalid - Never used unless AllowInvalidNodes is set (by default this only allows for middle and rendezvous usage)
  • Reject - Dropped from the consensus entirely

What is a bad exit?

A bad exit is one that breaks stuff, either maliciously or through misconfiguration.

Suspected “bad exits” should be reported to tor-assistants@tpo.

The most common misconfiguration I have seen is using OpenDNS as a host's nameserver with what I think is the OpenDNS default config. Services such as OpenDNS lie to you, under the name of protecting you. The result is for instance getting redirected to their webpage when you want to visit evil sites such as https://www.torproject.org/.

One example of either misconfiguration or actual intended malicious behavior is exit nodes that perform man-in-the-middle attacks on outgoing https connections, do SSL stripping (i.e. replacing https:// links with http:// links), or perform man-in-the-middle attacks on other protocols such as ssh.

Whenever Directory Authority operators find such nodes, or somebody points them out to an operator, they are given the BadExit label. That will cause Tor clients to avoid them for exit connections. They are still useful and will get used for other positions in a circuit.

The tor directory authority operators who vote on the 'BadExit' flag have the last say on what constitutes being a bad exit. In general we'll flag for the following...

  • Tampering with exit traffic in any way. This is often accidental (for instance filtering by anti-virus).
  • Only allowing plain-text traffic, for instance just allowing traffic through ports 80 and 143. Such relays are strongly suspected of sniffing traffic, since the policy admits only protocols that can be read on the wire. For the discussion on this see this thread.
  • Numerous exits that collectively provide a large amount of bandwidth and are obviously related, but do not set the MyFamily entry.
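Two of the three criteria above can be checked mechanically from relay descriptors. The script below is an added example written for this page; it is not code from the Tor project or from this wiki. It evaluates an exit policy the way Tor does (top-down, first matching line wins, reject by default) and reports a relay whose accepted ports contain no encrypted-protocol port, and it groups relays by ContactInfo and reports groups whose members have not declared each other in MyFamily. The set of "encrypted" ports, the bandwidth threshold, and the relay records are assumptions constructed for the example; real checks would read the consensus and descriptors.

```python
"""Checks for two BadExit criteria: a plaintext-only exit policy, and
related relays that have not declared MyFamily.  All relay records below
are constructed for the example; they are not real descriptors."""
import re

# Ports whose protocols are encrypted end-to-end (assumed list for the heuristic).
ENCRYPTED_PORTS = {22, 443, 465, 993, 995, 5223, 6697}

POLICY_LINE = re.compile(r"^(accept|reject)\s+(\S+):(\S+)$")


def accepted_ports(policy):
    """Ports the exit policy accepts for an arbitrary destination.

    Tor evaluates policy lines top-down and the first match wins.  Lines that
    name a specific address (anything but '*') do not constrain the generic
    destination, so they are skipped; a port not matched by any line is
    treated as rejected, which is the default at the end of an exit policy."""
    accepted, decided = set(), set()
    for line in policy:
        m = POLICY_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable policy line: {line!r}")
        verb, addr, ports = m.groups()
        if addr != "*":
            continue
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(x) for x in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        for port in range(lo, hi + 1):
            if port not in decided:        # first matching line decides
                decided.add(port)
                if verb == "accept":
                    accepted.add(port)
    return accepted


def plaintext_only(policy):
    """True when the policy exits somewhere but never to an encrypted port."""
    ports = accepted_ports(policy)
    return bool(ports) and not (ports & ENCRYPTED_PORTS)


def undeclared_families(relays, min_bandwidth=10_000_000):
    """Group relays sharing a ContactInfo and report groups whose members have
    not all declared each other in MyFamily.  Only groups above a combined
    bandwidth threshold (bytes/s, assumed value) are reported, since the
    criterion concerns relays that carry a meaningful share of traffic."""
    groups = {}
    for r in relays:
        if r["contact"]:
            groups.setdefault(r["contact"], []).append(r)
    findings = []
    for contact, members in groups.items():
        if len(members) < 2:
            continue
        if sum(r["bandwidth"] for r in members) < min_bandwidth:
            continue
        fps = {r["fingerprint"] for r in members}
        # a member is compliant when its MyFamily covers every other member
        missing = [r["nickname"] for r in members
                   if not (fps - {r["fingerprint"]}) <= r["family"]]
        if missing:
            findings.append((contact, sorted(missing)))
    return findings


# Constructed sample relays (fingerprints shortened; not real relays).
SAMPLE_RELAYS = [
    {"nickname": "exitA", "fingerprint": "AAAA", "contact": "ops@example.org",
     "bandwidth": 8_000_000, "family": {"BBBB"},
     "policy": ["reject *:25", "accept *:*"]},
    {"nickname": "exitB", "fingerprint": "BBBB", "contact": "ops@example.org",
     "bandwidth": 8_000_000, "family": set(),
     "policy": ["accept *:80", "accept *:143", "reject *:*"]},
    {"nickname": "exitC", "fingerprint": "CCCC", "contact": "",
     "bandwidth": 1_000_000, "family": set(),
     "policy": ["accept 10.0.0.0/8:443", "reject *:*"]},
]


def review(relays):
    """Return a dict of nickname -> list of issue strings (empty lists omitted)."""
    issues = {r["nickname"]: [] for r in relays}
    for r in relays:
        if plaintext_only(r["policy"]):
            issues[r["nickname"]].append("plaintext-only exit policy")
    for contact, nicks in undeclared_families(relays):
        for n in nicks:
            issues[n].append(f"MyFamily not declared for relays of {contact}")
    return {n: i for n, i in issues.items() if i}


if __name__ == "__main__":
    for nick, found in review(SAMPLE_RELAYS).items():
        print(nick, ":", "; ".join(found))
```

In the sample, exitB is reported twice: its policy admits only ports 80 and 143, and its sibling exitA lists it in MyFamily while it lists nobody back. exitC is neither, because its only accept line is address-specific and it does not exit to the general Internet at all. Note that the plaintext-only test is a heuristic for triage, not proof of sniffing; the authority operators still decide case by case.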

Individual Bans

As of April 2013 this list is no longer being maintained. The authority operators have decided to coordinate via a torrc one of them considers to be 'secret' (despite that it's essentially public via the consensus). I've made numerous requests to be kept in the loop regarding bad-exiting which have been ignored so I give up on trying to keep track of this. Someone else can take over maintaining it if they have the time.

| Nickname | Ban Type | IP | Port | Date | Reporter | Reason |
|---|---|---|---|---|---|---|
| Unnamed | BadExit | 176.99.12.246 | 9001 | 7/12/13 | phw | SSL MITM with CN as main authority |
| Unnamed | BadExit | 109.68.190.231 | 9001 | 6/29/13 | athena | SSL MITM with CN as main authority |
| Unnamed | BadExit | 176.99.10.92 | 9001 | 4/10/13 | ----- | SSL MITM |
| Unnamed | BadExit | 64.237.42.138 | 9001 | 3/1/13 | ----- | SSL MITM |
| Unnamed | BadExit | 141.101.238.182 | 9001 | 1/8/13 | Pierre Richard | SSL MITM |
| Unnamed | BadExit | 46.30.42.154 | 9001 | 11/9/12 | ----- | SSL MITM with CN as main authority |
| Unnamed | BadExit | 46.30.42.153 | 9001 | 11/9/12 | ----- | SSL MITM with CN as main authority |
| HumaniTOR | BadExit | 212.80.35.73 | 9001 | 5/11/12 | arma | connection refused for ports 80 and 443 |
| Unnamed | BadExit | 219.90.126.61 | 443 | 5/1/12 | James Hooker | running sslstrip |
| ididedittheconfig | BadExit | 94.185.81.130 | 9001 | 4/3/12 | James Hooker | running sslstrip |
| UnFilTerD | BadExit | 82.95.57.4 | 8888 | 4/3/12 | James Hooker | running sslstrip |
| default | BadExit | 66.165.177.139 | 443 | 3/5/12 | --- | sniffing traffic |
| 100mbitTOR | BadExit | 109.87.69.138 | --- | 11/6/11 | Sebastian | MITM of SSL |
| Secureroute | BadExit | --- | --- | 11/4/11 | mikeperry | MITM of SSL with self-signed cert |
| Unnamed | BadExit | 164.41.103.153 | 443 | 9/30/11 | aagbsn | MITM of SSL with a fortinet cert |
| QuantumSevero | BadExit | 84.19.176.56 | 443 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact |
| ElzaTorServer | BadExit | 109.202.66.4 | 9001 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact |
| agitator | BadExit | 188.40.77.107 | 9001 | 1/15/11 | --- | sniffing traffic |
| PrivacyPT | BadExit | 84.90.72.186 | --- | 1/5/11 | mikeperry | running sslstrip |
| KnightVison | BadExit | 213.247.98.204 | --- | 1/5/11 | mikeperry | 403 responses for arbitrary URLs |
| Unnamed | BadExit | 84.46.20.223 | --- | 1/5/11 | mikeperry | SSL MITM with Kaspersky AV certs |
| newworld | BadExit | 98.126.68.58 | 443 | 12/22/10 | mikeperry | running sslstrip |
| Unnamed | BadExit | 118.160.19.236 | 443 | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
| Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
| Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
| Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
| Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
| 703server | BadExit | 173.49.70.62 | --- | 11/19/10 | mikeperry | several issues including possible SSL downgrade attack |
| Tark69 | BadExit | 66.169.160.200 | 443 | 10/28/10 | mikeperry | anti-virus filter is blocking sites |
| Unnamed | BadExit | 90.22.200.39 | --- | 10/24/10 | mikeperry | dropping TLS connections for multiple sites |
| ArsenalGear | BadExit | 88.207.18.230 | --- | 7/27/10 | susurrusus | running sslstrip |
| FluideGlacial | BadExit | 78.229.212.4 | 9001 | 7/14/10 | mikeperry | spurious RST packets |
| capoteATWO | BadExit | 148.88.190.145 | 9001 | 4/28/10 | phobos, xiando | misconfigured |
| romainaForever | BadExit | 64.191.73.149 | 9001 | --- | --- | --- |
| netwroke421d2a | BadExit | 64.191.22.197 | 9001 | --- | --- | --- |

Ban Groups

| Referred Name | Count | Ban Type | Date | Reporter | Reason |
|---|---|---|---|---|---|
| trotsky | 747 | Invalid | 9/23/10 | atagar | suspected botnet |
| network | --- | BadExit | --- | --- | --- |

trotsky

IP Addresses

Between 17-23:00 (UTC) 226 exiting relays, all with largely identical nicknames ("trotsky*") and exit policies, were added to the Tor network. No family or contact information was set, and the IPs came from several countries (mostly Eastern European), making it look like a potential botnet. They disappeared roughly a week later.

On 10/2/10 between 21-20:00 (UTC) another 383 exit relays were added, this time more gradually. Others have periodically appeared outside these windows. These relays appear to be on residential connections, most having very poor connectivity (rransom reports that some are dialup).
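The trotsky group was noticed because many relays with near-identical nicknames, the same exit policy, and no family or contact information appeared inside a few hours. That pattern can be watched for automatically. The script below is an added example for this page, not Tor project code: it strips a trailing counter from each nickname, groups unattributed relays by nickname stem and exit policy, and slides a time window over their first-seen timestamps to find a burst. The window length, the count threshold, and the relay records (including the date used) are constructed assumptions, not real consensus data.

```python
"""Detect a burst of similarly named, unattributed relays appearing together.
Constructed records only; thresholds are assumed values for the example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

TRAILING_ID = re.compile(r"[\d_-]+$")


def nickname_stem(nickname):
    """'trotsky17' -> 'trotsky': strip a trailing counter so variants group."""
    return TRAILING_ID.sub("", nickname).lower()


def find_bursts(relays, window=timedelta(hours=6), min_count=20):
    """Report groups of relays that share a nickname stem and exit policy,
    declare neither ContactInfo nor MyFamily, and first appeared within
    `window` of each other in numbers of at least `min_count`.

    Each relay is a dict with nickname, contact, family (set), exit_policy
    (tuple of policy lines) and first_seen (timezone-aware datetime).
    Returns one dict per burst with stem, exit_policy, count, start, end."""
    groups = defaultdict(list)
    for r in relays:
        if r["contact"] or r["family"]:
            continue                      # attributed relays are not counted
        key = (nickname_stem(r["nickname"]), r["exit_policy"])
        groups[key].append(r["first_seen"])

    bursts = []
    for (stem, policy), times in groups.items():
        times.sort()
        best, j = None, 0
        for i, start in enumerate(times):    # sliding window over sorted times
            while j < len(times) and times[j] - start <= window:
                j += 1
            count = j - i
            if count >= min_count and (best is None or count > best["count"]):
                best = {"stem": stem, "exit_policy": policy, "count": count,
                        "start": start, "end": times[j - 1]}
        if best:
            bursts.append(best)
    return bursts


def sample_relays():
    """Constructed consensus-like records (not real relays or real dates)."""
    base = datetime(2010, 9, 23, 17, 0, tzinfo=timezone.utc)
    policy = ("accept *:80", "accept *:443", "reject *:*")
    relays = []
    for n in range(30):                  # 30 lookalikes inside six hours
        relays.append({"nickname": f"trotsky{n}", "contact": "", "family": set(),
                       "exit_policy": policy,
                       "first_seen": base + timedelta(minutes=12 * n)})
    for n in range(5):                   # a slow trickle, not a burst
        relays.append({"nickname": f"network{n}", "contact": "", "family": set(),
                       "exit_policy": policy,
                       "first_seen": base + timedelta(days=n)})
    for n in range(3):                   # properly attributed operator
        relays.append({"nickname": f"ops{n}", "contact": "ops@example.org",
                       "family": {"FP1", "FP2", "FP3"}, "exit_policy": policy,
                       "first_seen": base + timedelta(minutes=n)})
    return relays


if __name__ == "__main__":
    for b in find_bursts(sample_relays()):
        print(f"{b['count']} '{b['stem']}*' relays between {b['start']} and {b['end']}")
```

The thresholds are the tunable part: a stem shared by 20 relays in six hours is a strong signal, while a handful trickling in over days (the "network" sample) is not, even though those relays are equally unattributed. A real deployment would key on consensus history rather than a constructed list, and would treat the output as a lead for a human to check, as happened with trotsky.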

network

Unfortunately there isn't documentation for why these relays are bad. They all begin with the nickname "network", reportedly run Windows Server 2003, and only accept IM traffic (jabber and irc on ports 5222, 5223, and 6666-6669).

Research

Last modified on Jan 22, 2014 2:52:52 AM