Note that this page is no longer maintained! If you want to report a bad relay, have a look at this page.
Known Bad Relays
This is a summary of Tor relays that have been flagged as bad, being either malicious or misconfigured. Its purpose is to use past events to make trends more evident and to help investigations of future suspicious activity. Most bad relays are caught thanks to our wider community, so many thanks for all your help and vigilance!
In almost all cases we're unable to contact the operator to resolve the issue so if your relay's listed below then please let us know so we can fix the issue.
Bad relays fall into three categories:
- BadExit - Never use as an exit node (for nodes that appear to mess with exit traffic)
- Invalid - Never used unless AllowInvalidNodes is set (by default this only allows for middle and rendezvous usage)
- Reject - Dropped from the consensus entirely
What is a bad exit?
A bad exit is one that breaks stuff, either maliciously or through misconfiguration.
Suspected “bad exits” should be reported to tor-assistants@tpo.
The most common misconfiguration I have seen is using OpenDNS as a host's nameserver with what I think is the OpenDNS default config. Services such as OpenDNS lie to you, under the name of protecting you. The result is for instance getting redirected to their webpage when you want to visit evil sites such as https://www.torproject.org/.
One example of either misconfiguration or actual intended malicious behavior is exit nodes that perform man-in-the-middle attacks on outgoing https connections, do SSL stripping (i.e. replacing https:// links with http:// links), or perform man-in-the-middle attacks on other protocols such as ssh.
Whenever Directory Authority operators find such nodes, or somebody points them out to an operator, they are given the BadExit label. That will cause Tor clients to avoid them for exit connections. They are still useful and will get used for other positions in a circuit.
The tor directory authority operators who vote on the 'BadExit' flag have the last say on what constitutes being a bad exit. In general we'll flag for the following...
- Tampering with exit traffic in any way. This is often accidental (for instance filtering by anti-virus).
- Only allowing plain-text traffic, for instance just allowing traffic through ports 80 and 143. This is because such relays are strongly suspected of sniffing traffic. For the discussion on this see this thread.
- Numerous exits that collectively provide a high amount of bandwidth but are obviously related without setting the MyFamily entry.
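A reviewer's check for the plaintext-only criterion above, written as an added example (not code from this wiki or from Tor): it parses a torrc-style ExitPolicy, applies Tor's first-matching-rule semantics to work out which ports the relay actually exits to, and flags a policy whose accepted ports all fall in a constructed list of cleartext ports. The same parser handles the IM-only policy of the "network" group listed further down. `CLEARTEXT_PORTS`, the function names, and the assumption that a port no rule covers is rejected are this example's own.

```python
# Added example, not code from the Tor wiki: a reviewer's check for the
# "plaintext-only exit policy" BadExit criterion described above.
import re
from typing import List, Set, Tuple

# Ports whose usual protocol is unencrypted (constructed list for this example).
CLEARTEXT_PORTS = {21, 23, 25, 80, 110, 119, 143, 6667}
Rule = Tuple[str, int, int]  # (action, port_low, port_high)
_RULE_RE = re.compile(r"^(accept|reject)\s+(\S+):(\*|\d+(?:-\d+)?)$")


def parse_exit_policy(policy: str) -> List[Rule]:
    """Parse a torrc-style policy such as 'accept *:80, reject *:*'.
    The address part is kept only for validation: every rule is treated as
    matching all destinations, which over-approximates what the exit can see."""
    rules = []
    for part in policy.split(","):
        part = part.strip()
        if not part:
            continue
        m = _RULE_RE.match(part)
        if m is None:
            raise ValueError(f"unrecognised exit policy entry: {part!r}")
        action, _addr, ports = m.groups()
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-"))
        else:
            lo = hi = int(ports)
        rules.append((action, lo, hi))
    return rules

def accepted_ports(rules: List[Rule]) -> Set[int]:
    """Ports the relay exits to under Tor's first-matching-rule semantics;
    a port no rule covers is rejected (assumed trailing 'reject *:*')."""
    accepted: Set[int] = set()
    for port in range(1, 65536):
        for action, lo, hi in rules:
            if lo <= port <= hi:
                if action == "accept":
                    accepted.add(port)
                break
    return accepted

def is_plaintext_only(policy: str) -> bool:
    """True when the relay exits to at least one port but only cleartext ones."""
    ports = accepted_ports(parse_exit_policy(policy))
    return bool(ports) and ports <= CLEARTEXT_PORTS
```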
Individual Bans
As of April 2013 this list is no longer being maintained. The authority operators have decided to coordinate via a torrc one of them considers to be 'secret' (despite that it's essentially public via the consensus). I've made numerous requests to be kept in the loop regarding bad-exiting which have been ignored so I give up on trying to keep track of this. Someone else can take over maintaining it if they have the time.
Nickname | Ban Type | IP | Port | Date | Reporter | Reason |
---|---|---|---|---|---|---|
Unnamed | BadExit | 176.99.12.246 | 9001 | 7/12/13 | phw | SSL MITM with CN as main authority |
Unnamed | BadExit | 109.68.190.231 | 9001 | 6/29/13 | athena | SSL MITM with CN as main authority |
Unnamed | BadExit | 176.99.10.92 | 9001 | 4/10/13 | ----- | SSL MITM |
Unnamed | BadExit | 64.237.42.138 | 9001 | 3/1/13 | ----- | SSL MITM |
Unnamed | BadExit | 141.101.238.182 | 9001 | 1/8/13 | Pierre Richard | SSL MITM |
Unnamed | BadExit | 46.30.42.154 | 9001 | 11/9/12 | ----- | SSL MITM with CN as main authority |
Unnamed | BadExit | 46.30.42.153 | 9001 | 11/9/12 | ----- | SSL MITM with CN as main authority |
HumaniTOR | BadExit | 212.80.35.73 | 9001 | 5/11/12 | arma | connection refused for ports 80 and 443 |
Unnamed | BadExit | 219.90.126.61 | 443 | 5/1/12 | James Hooker | running sslstrip |
ididedittheconfig | BadExit | 94.185.81.130 | 9001 | 4/3/12 | James Hooker | running sslstrip |
UnFilTerD | BadExit | 82.95.57.4 | 8888 | 4/3/12 | James Hooker | running sslstrip |
default | BadExit | 66.165.177.139 | 443 | 3/5/12 | --- | sniffing traffic |
100mbitTOR | BadExit | 109.87.69.138 | --- | 11/6/11 | Sebastian | MITM of SSL |
Secureroute | BadExit | --- | --- | 11/4/11 | mikeperry | MITM of SSL with self-signed cert |
Unnamed | BadExit | 164.41.103.153 | 443 | 9/30/11 | aagbsn | MITM of SSL with a fortinet cert |
QuantumSevero | BadExit | 84.19.176.56 | 443 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact |
ElzaTorServer | BadExit | 109.202.66.4 | 9001 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact |
agitator | BadExit | 188.40.77.107 | 9001 | 1/15/11 | --- | sniffing traffic |
PrivacyPT | BadExit | 84.90.72.186 | --- | 1/5/11 | mikeperry | running sslstrip |
KnightVison | BadExit | 213.247.98.204 | --- | 1/5/11 | mikeperry | 403 responses for arbitrary URLs |
Unnamed | BadExit | 84.46.20.223 | --- | 1/5/11 | mikeperry | SSL MITM with Kaspersky AV certs |
newworld | BadExit | 98.126.68.58 | 443 | 12/22/10 | mikeperry | running sslstrip |
Unnamed | BadExit | 118.160.19.236 | 443 | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
703server | BadExit | 173.49.70.62 | --- | 11/19/10 | mikeperry | several issues including possible SSL downgrade attack |
Tark69 | BadExit | 66.169.160.200 | 443 | 10/28/10 | mikeperry | anti-virus filter is blocking sites |
Unnamed | BadExit | 90.22.200.39 | --- | 10/24/10 | mikeperry | dropping TLS connections for multiple sites |
ArsenalGear | BadExit | 88.207.18.230 | --- | 7/27/10 | susurrusus | running sslstrip |
FluideGlacial | BadExit | 78.229.212.4 | 9001 | 7/14/10 | mikeperry | spurious RST packets |
capoteATWO | BadExit | 148.88.190.145 | 9001 | 4/28/10 | phobos, xiando | misconfigured |
romainaForever | BadExit | 64.191.73.149 | 9001 | --- | --- | --- |
netwroke421d2a | BadExit | 64.191.22.197 | 9001 | --- | --- | --- |
Ban Groups
Referred Name | Count | Ban Type | Date | Reporter | Reason |
---|---|---|---|---|---|
trotsky | 747 | Invalid | 9/23/10 | atagar | suspected botnet |
network | --- | BadExit | --- | --- | --- |
trotsky
Between 17:00 and 23:00 (UTC), 226 exit relays, all with largely identical nicknames ("trotsky*") and exit policies, were added to the Tor network. No family or contact information was set, and the IPs came from several countries (mostly eastern European), making it look like a potential botnet. They disappeared roughly a week later.
On 10/2/10, between 21-20:00 (UTC), another 383 exit relays were added, this time more gradually. Others have periodically appeared outside these windows. These relays appear to be on residential connections, most having very poor connectivity (rransom reports that some are dialup).
network
- network51b9450 (64.191.53.37:9001)
- network17b661a (64.191.59.245:9001)
Unfortunately there isn't documentation for why these relays are bad. They all begin with the nickname "network", reportedly run Windows Server 2003, and only accept IM traffic (jabber and irc on ports 5222, 5223, and 6666-6669).
Research
- 2014-01-21 article Scientists detect “spoiled onions” trying to sabotage Tor privacy network and the actual paper Spoiled Onions: Exposing Malicious Tor Exit Relays contains the list of relays found.