[tor-talk] SIGAINT email service targeted by 70 bad exit nodes

Philipp Winter phw at nymity.ch
Tue Apr 28 00:43:02 UTC 2015


On Sun, Apr 26, 2015 at 11:19:08AM +0000, nusenu wrote:
> > On Thu, Apr 23, 2015 at 07:30:57PM +0000, nusenu wrote:
> >>> Almost all of them were younger than one month and they seem
> >>> to have joined the network in small batches.  I uploaded
> >>> Onionoo's JSON-formatted relay descriptors, so everybody can
> >>> have a look: 
> >>> <http://www.nymity.ch/badexit/bad_descriptors_2015-04-23.zip>
> >> 
> >> I compared your list (71 FPs) with my list (55 FPs) from
> >> 2015-04-05 [1], we have an overlap of (only) 30 relays. An
> >> overlap of around ~50 would be better.
> > 
> > Yes, I remember your list.  Thanks a lot for sharing it, it's
> > really helpful!
> > 
> > The relays that are in your, but not in my list indeed look quite
> > similar to the rest.  They don't have a BadExit flag because nobody
> > has caught them doing something nasty yet.
> 
> So you do not think that they are controlled by the same (malicious)
> entity? (even though some declare their MyFamily accordingly*)

I'm not sure, unfortunately.

> Or is the requirement to flag them as badexit to catch them red-handed?

We don't really have any requirements.  Every case is different and
judged individually.

> The case that one took over legit relays is unlikely since many are
> rather 'fresh' ones.

Maybe somebody started a Tor relay after breaking into them?

> Or: Are they still on the network so we can see what they are after? ;)
> (rather hard given the amount of potential targets)
> 
> Did you (or anyone else?) try to reach out to them via their ISP(s)?

Not yet, but I hope to get to it later today.  It's certainly odd that
all these relays were in only a few data centers.

Cheers,
Philipp
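The triage the two posters describe (relays younger than a month that joined in batches, clustered in a few data centers, some declaring MyFamily, and two suspect lists that only partly overlap) as an added example over constructed Onionoo-style relay records; this is not code from the thread or from Onionoo. Field names follow Onionoo's details documents; the fingerprints, dates and AS numbers are constructed sample data.

```python
# Added example (not code from the thread or from Onionoo): flag young relays
# that cluster in one AS or declare each other as family, using the field
# names of Onionoo details documents. The relay records are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
SNAPSHOT = datetime(2015, 4, 23)  # date of the descriptor dump in the thread
A, B, C, D = ("A" * 40, "B" * 40, "C" * 40, "D" * 40)  # constructed fingerprints
RELAYS = [
    {"fingerprint": A, "first_seen": "2015-04-01 12:00:00",
     "as_number": "AS64500", "effective_family": [A, B]},
    {"fingerprint": B, "first_seen": "2015-04-02 09:30:00",
     "as_number": "AS64500", "effective_family": [A, B]},
    {"fingerprint": C, "first_seen": "2014-01-15 00:00:00",
     "as_number": "AS64501", "effective_family": []},
    {"fingerprint": D, "first_seen": "2015-04-10 18:45:00",
     "as_number": "AS64502", "effective_family": []},
]

def young_relays(relays, snapshot=SNAPSHOT, max_age=timedelta(days=30)):
    """Fingerprints of relays first seen less than max_age before snapshot."""
    out = []
    for r in relays:
        seen = datetime.strptime(r["first_seen"], "%Y-%m-%d %H:%M:%S")
        if snapshot - seen < max_age:
            out.append(r["fingerprint"])
    return out

def group_by_as(relays, fingerprints):
    """AS number -> fingerprints, restricted to the given suspect subset."""
    groups = defaultdict(list)
    wanted = set(fingerprints)
    for r in relays:
        if r["fingerprint"] in wanted:
            groups[r["as_number"]].append(r["fingerprint"])
    return dict(groups)

def family_links(relays, fingerprints):
    """(fp, other) pairs where a suspect declares another suspect as family."""
    wanted = set(fingerprints)
    links = []
    for r in relays:
        if r["fingerprint"] in wanted:
            for other in r.get("effective_family", []):
                if other in wanted and other != r["fingerprint"]:
                    links.append((r["fingerprint"], other))
    return links

def list_overlap(list_a, list_b):
    return sorted(set(list_a) & set(list_b))  # common to both suspect lists
```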
