[tor-dev] Questions for the torflow developers

Francois Valiquette wearenone at hotmail.com
Tue Mar 10 19:44:29 UTC 2015


Thank you Philipp and Damian for your response.
I will inform you about the outcome of our work.

Frank

On Mon, Mar 9, 2015 at 8:02 PM Philipp Winter <phw at nymity.ch> wrote:

> On Mon, Mar 09, 2015 at 11:15:21PM +0000, Francois Valiquette wrote:
> > By reading the documentation of torflow, it is yet not clear to me
> > exactly which tests you are doing. One part of my project is to make a
> > description of each possible attack an Exit Node can make and a
> > description of a detection/mitigation mechanism for each of the attacks,
> > but also I would like to implement one or more tests that have not been
> > implemented by torflow.
>
> As Damian mentioned, we are mostly using exitmap [0] these days.
> TorFlow is no longer supported and several people had issues getting it
> to run because of bit rot.
>
> > Here is a list of attacks that we think that a malicious Exit Node could
> > do. The list is not complete, we will expand it. I would like to know
> > what type of attacks you have not tested and also, feel free to complete
> > this list.
> >
> > -SSL and non-SSL Sniffing (Session Hijacking, emails, web URL, IRC
> > channel, FTP)
>
> exitmap has no module to detect sniffing but some folks have written
> HoneyConnector [1] for that purpose.  It can detect sniffing for FTP and
> IMAP as long as the adversary later tries to log in with the sniffed
> credentials.
>
> > -Virus Injection (Linux, OSX, Windows, Android)
>
> Something like this is implemented in the patchingCheck module:
> <https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/patchingCheck.py>
>
> > -DNS Rebinding
>
> We have a module that checks several domains:
> <https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/dns.py>
>
> > -Misc Injection/Tampering: advertisements, JavaScript, etc
> > -SSL MITM with CN
> > -SSL MITM (revoked certificate, expired certificate and untrusted
> > certificate)
> > -SSL Downgrade attacks
> > -SSL stripping
>
> We have modules for these attacks but they aren't available publicly.
> If you are interested, please contact me off-list and I can send them to
> you.
>
> > -Pharming Attacks
> > -Dropping TLS connections
> > -Spurious RST packets
> > -Exploiting Bittorrent Tracker to reveal a user’s real IP
>
> It would be great to see modules for these attacks.  If you are
> interested in extending exitmap, I have a suggestion below.
>
> On a general note, we see two classes of malicious exit relays.  The
> opportunistic attacker typically sets up a fresh relay, starts an
> off-the-shelf MitM tool, and is curious to see what happens.  These
> attacks don't last long and are easy to detect.  It's not that easy with
> the second class, that is attackers who target specific web sites.  All
> other web sites can remain unaffected, which makes it hard to find these
> exits.  These attackers make an effort to stay under the radar, e.g.,
> MitM only requests coming from Tor Browser.  As a result, these attacks
> are trickier to detect and after blacklisting such an exit relay, a new
> one often pops up, similar to a game of Whac-A-Mole.
>
> To do better against these attackers, it would be great to have
> "adaptive" scanning modules that are able to pick their own targets.
> For example, such a module could be seeded with a set of domains and it
> then extracts other domains to visit from the HTML code of the seed set.
>
> [0] <https://gitweb.torproject.org/user/phw/exitmap.git/>
> [1] <https://github.com/mmulazzani/HoneyConnector>
>
> Cheers,
> Philipp
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
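The "adaptive" module Philipp sketches at the end of his mail, as an added example in Python (not exitmap's own code): a seed set of domains is expanded breadth-first by harvesting the hosts linked from each seed page, so a scanner can reach sites a targeted exit might tamper with while leaving the seeds alone. `fetch`, `SAMPLE_PAGES` and the domain names are assumptions and constructed stand-ins for pages retrieved through an exit relay.

```python
# Added example: target selection for an "adaptive" exitmap-style module.
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects href/src attribute values from a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def linked_domains(html_text, page_domain):
    """Return the set of external hostnames linked from a page (relative
    links and links back to the page's own domain are ignored)."""
    collector = _LinkCollector()
    collector.feed(html_text)
    found = set()
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for relative links
        if host and host != page_domain and "." in host:
            found.add(host)
    return found


def expand_targets(seeds, fetch, max_targets):
    """Breadth-first expansion from the seed domains. `fetch(domain)` is an
    assumed callable returning the page HTML (or None if unreachable).
    Stops once max_targets distinct domains have been collected."""
    queue, targets, seen = deque(seeds), list(seeds), set(seeds)
    while queue and len(targets) < max_targets:
        domain = queue.popleft()
        page = fetch(domain)
        if page is None:
            continue
        for host in sorted(linked_domains(page, domain)):
            if host not in seen and len(targets) < max_targets:
                seen.add(host)
                targets.append(host)
                queue.append(host)
    return targets


# Constructed offline stand-in for fetching pages through an exit relay.
SAMPLE_PAGES = {
    "seed-a.example": '<a href="https://shop.example/cart">x</a>'
                      '<script src="//cdn.example/app.js"></script>'
                      '<a href="/local">relative</a>',
    "seed-b.example": '<a href="http://shop.example/">dup</a>'
                      '<img src="https://img.example/logo.png">',
    "shop.example": '<a href="https://pay.example/checkout">pay</a>',
}


def demo_targets():
    """Expand two constructed seeds to at most five scan targets."""
    return expand_targets(["seed-a.example", "seed-b.example"],
                          SAMPLE_PAGES.get, 5)
```

The returned list is the set of domains a scanning module would then request through each exit and compare against a direct fetch.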