
Version 23 (modified by atagar, 7 years ago)

DevNull relay was flagged as a BadExit.

Known Bad Relays

This is a summary of Tor relays that have been flagged as bad, either malicious or misconfigured. Its purpose is to use past events to make trends more evident and to aid investigations of future suspicious activity. Most bad relays are caught thanks to our wider community, so many thanks for all your help and vigilance!

In almost all cases we're unable to contact the operator to resolve the issue, so if your relay is listed below, please let us know so we can fix it.

Bad relays fall into three categories:

  • BadExit - Never use as an exit node (for nodes that appear to mess with exit traffic)
  • Invalid - Never used unless AllowInvalidNodes is set (by default this only allows for middle and rendezvous usage)
  • Reject - Dropped from the consensus entirely

Individual Bans

Nickname | Ban Type | IP | Port | Date | Reporter | Reason
DevNull | BadExit | 94.23.152.124 | 9001 | 4/21/11 | weasel | running opendns
gatereloaded | BadExit | 194.154.227.109 | 9001 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact
QuantumSevero | BadExit | 84.19.176.56 | 443 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact
ElzaTorServer | BadExit | 109.202.66.4 | 9001 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact
agitator | BadExit | 188.40.77.107 | 9001 | 1/15/11 | --- | sniffing traffic
PrivacyPT | BadExit | 84.90.72.186 | --- | 1/5/11 | mikeperry | running sslstrip
KnightVison | BadExit | 213.247.98.204 | --- | 1/5/11 | mikeperry | 403 responses for arbitrary URLs
Unnamed | BadExit | 84.46.20.223 | --- | 1/5/11 | mikeperry | SSL MITM with Kaspersky AV certs
newworld | BadExit | 98.126.68.58 | 443 | 12/22/10 | mikeperry | running sslstrip
Unnamed | BadExit | 118.160.19.236 | 443 | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro)
Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro)
Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro)
Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro)
Unnamed | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro)
703server | BadExit | 173.49.70.62 | --- | 11/19/10 | mikeperry | several issues including possible SSL downgrade attack
Tark69 | BadExit | 66.169.160.200 | 443 | 10/28/10 | mikeperry | anti-virus filter is blocking sites
Unnamed | BadExit | 90.22.200.39 | --- | 10/24/10 | mikeperry | dropping TLS connections for multiple sites
ArsenalGear | BadExit | 88.207.18.230 | --- | 7/27/10 | susurrusus | running sslstrip
FluideGlacial | BadExit | 78.229.212.4 | 9001 | 7/14/10 | mikeperry | spurious RST packets
capoteATWO | BadExit | 148.88.190.145 | 9001 | 4/28/10 | phobos, xiando | misconfigured
PrivacyNow | BadExit | 83.91.86.29 | 9001 | 4/14/10 | Scott Bennett | misconfigured DNS
romainaForever | BadExit | 64.191.73.149 | 9001 | --- | --- | ---
netwroke421d2a | BadExit | 64.191.22.197 | 9001 | --- | --- | ---

Ban Groups

Referred Name | Count | Ban Type | Date | Reporter | Reason
trotsky | 747 | Invalid | 9/23/10 | atagar | suspected botnet
network | --- | BadExit | --- | --- | ---

trotsky

IP Addresses

Between 17:00 and 23:00 (UTC), 226 exit relays, all with largely identical nicknames ("trotsky*") and exit policies, were added to the Tor network. No family or contact information was set, and the IPs came from several countries (mostly eastern European), making it look like a potential botnet. They disappeared roughly a week later.

On 10/2/10, between 21-20:00 (UTC), another 383 exit relays were added, this time more gradually. Others have periodically appeared outside these windows. These relays appear to be on residential connections, most with very poor connectivity (rransom reports that some are on dialup).

network

Unfortunately there is no documentation of why these relays are bad. They all begin with the nickname "network", reportedly run Windows Server 2003, and only accept IM traffic (Jabber and IRC on ports 5222, 5223, and 6666-6669).
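The trotsky and network groups share one signature: many relays appearing within a short window under near-identical nicknames, with no contact or family information set. The heuristic below is an added example (not part of this wiki page or of Tor's own tooling) that flags such groups; the relay records are constructed sample data, and the thresholds and the trailing-digit nickname grouping are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample relay records (hypothetical, not real consensus data).
# Fields: nickname, IP, first seen (UTC), ContactInfo, declared family.
SAMPLE_RELAYS = [
    ("trotsky1",  "192.0.2.10",   "2010-09-23 17:10", "", ()),
    ("trotsky2",  "192.0.2.11",   "2010-09-23 18:40", "", ()),
    ("trotsky3",  "198.51.100.5", "2010-09-23 22:05", "", ()),
    ("trotsky4",  "203.0.113.7",  "2010-09-23 22:50", "", ()),
    ("network01", "203.0.113.20", "2010-10-02 21:00", "", ()),
    ("network02", "203.0.113.21", "2010-10-02 21:30", "", ()),
    ("network03", "203.0.113.22", "2010-10-02 21:45", "", ()),
    ("network04", "203.0.113.23", "2010-10-02 21:50", "", ()),
    ("goodnode1", "192.0.2.50",   "2010-09-23 17:30", "ops@example.org", ("goodnode2",)),
    ("goodnode2", "192.0.2.51",   "2010-09-23 17:35", "ops@example.org", ("goodnode1",)),
    ("goodnode3", "192.0.2.52",   "2010-09-23 17:40", "ops@example.org", ("goodnode1",)),
    ("goodnode4", "192.0.2.53",   "2010-09-23 17:45", "ops@example.org", ("goodnode1",)),
    ("Unnamed",   "192.0.2.60",   "2010-09-23 18:00", "", ()),
]

def nickname_stem(nickname):
    """Group 'trotsky1', 'trotsky2', ... under the stem 'trotsky' (assumed: drop trailing digits)."""
    return re.sub(r"\d+$", "", nickname).lower()

def find_suspicious_groups(relays, min_count=4, window_hours=24):
    """Flag nickname stems that look like one coordinated addition: at least
    min_count relays, all first seen within window_hours of each other, and
    none declaring ContactInfo or a family. Returns {stem: sorted nicknames}."""
    groups = defaultdict(list)
    for nick, _ip, seen, contact, family in relays:
        stem = nickname_stem(nick)
        if stem in ("", "unnamed"):  # default/empty nicknames carry no signal
            continue
        when = datetime.strptime(seen, "%Y-%m-%d %H:%M")
        groups[stem].append((nick, when, bool(contact or family)))
    flagged = {}
    for stem, members in groups.items():
        if len(members) < min_count:
            continue
        times = [when for _, when, _ in members]
        if (max(times) - min(times)).total_seconds() > window_hours * 3600:
            continue
        if any(identified for _, _, identified in members):
            continue  # an operator who identifies themselves is not the botnet pattern
        flagged[stem] = sorted(nick for nick, _, _ in members)
    return flagged
```

Running it over the sample data flags the trotsky and network stems and leaves the goodnode family alone; in practice the thresholds need tuning against a real consensus history before they are useful.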