[tor-talk] SIGAINT email service targeted by 70 bad exit nodes
Philipp Winter
phw at nymity.ch
Tue Apr 28 00:43:02 UTC 2015

On Sun, Apr 26, 2015 at 11:19:08AM +0000, nusenu wrote:
> > On Thu, Apr 23, 2015 at 07:30:57PM +0000, nusenu wrote:
> >>> Almost all of them were younger than one month and they seem
> >>> to have joined the network in small batches. I uploaded
> >>> Onionoo's JSON-formatted relay descriptors, so everybody can
> >>> have a look:
> >>> <http://www.nymity.ch/badexit/bad_descriptors_2015-04-23.zip>
> >>
> >> I compared your list (71 FPs) with my list (55 FPs) from
> >> 2015-04-05 [1], we have an overlap of (only) 30 relays. An
> >> overlap of around ~50 would be better.
> >
> > Yes, I remember your list. Thanks a lot for sharing it, it's
> > really helpful!
> >
> > The relays that are in your, but not in my list indeed look quite
> > similar to the rest. They don't have a BadExit flag because nobody
> > has caught them doing something nasty yet.
>
> So you do not think that they are controlled by the same (malicious)
> entity? (even though some declare their MyFamily accordingly*)

I'm not sure, unfortunately.

> Or is the requirement to flag them as badexit to catch them red handed?

We don't really have any requirements. Every case is different and
judged individually.

> The case that one took over legit relays is unlikely since many are
> rather 'fresh' ones.

Maybe somebody started a Tor relay after breaking into them?

> Or: Are they still on the network so we can see what they are after? ;)
> (rather hard given the amount of potential targets)
>
> Did you (or anyone else?) try to reach out to them via their ISP(s)?

Not yet, but I hope to get to it later today. It's certainly odd that
all these relays were in only a few data centers.

Cheers,
Philipp
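
The list comparison discussed in this thread, as an added example that is not part of the original message or of any Tor Project tooling: it intersects two fingerprint lists and then looks for relays that joined in the same batch and AS as a flagged relay without being flagged themselves. It assumes relay entries with fingerprint, first_seen and as_number fields in the style of Onionoo details documents; the sample relays, the two-day window and the minimum batch size of three are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample relays (made-up fingerprints, documentation-range ASNs).
# Field names are assumed to follow Onionoo details documents.
def _r(ch, seen, asn):
    return {"fingerprint": ch * 40, "first_seen": seen, "as_number": asn}

RELAYS = [
    _r("A", "2015-03-28 10:00:00", "AS64500"),
    _r("B", "2015-03-28 22:00:00", "AS64500"),
    _r("C", "2015-03-29 09:00:00", "AS64500"),
    _r("D", "2015-03-30 09:00:00", "AS64500"),
    _r("E", "2013-01-05 12:00:00", "AS64500"),  # old relay, same AS
    _r("F", "2015-03-29 12:00:00", "AS64501"),  # young relay, other AS
]
LIST_A = ["A" * 40, "B" * 40, "C" * 40]            # flagged list (constructed)
LIST_B = ["b" * 40, "C" * 40, "D" * 40, "F" * 40]  # second list (constructed)

def overlap(list_a, list_b):
    """Fingerprints on both lists, compared case-insensitively."""
    return {fp.upper() for fp in list_a} & {fp.upper() for fp in list_b}

def join_batches(relays, window=timedelta(days=2), min_size=3):
    """Per AS, chain relays whose first_seen is within `window` of the previous one."""
    by_as = defaultdict(list)
    for r in relays:
        seen = datetime.strptime(r["first_seen"], "%Y-%m-%d %H:%M:%S")
        by_as[r["as_number"]].append((seen, r["fingerprint"].upper()))
    batches = []
    for asn, items in sorted(by_as.items()):
        items.sort()
        chains, current = [], [items[0]]
        for item in items[1:]:
            if item[0] - current[-1][0] <= window:
                current.append(item)
            else:
                chains.append(current)
                current = [item]
        chains.append(current)
        batches += [(asn, [fp for _, fp in c]) for c in chains if len(c) >= min_size]
    return batches

def unflagged_lookalikes(relays, flagged_fps):
    """Relays that joined in the same batch as a flagged relay but are not flagged."""
    flagged = {fp.upper() for fp in flagged_fps}
    found = set()
    for _, fps in join_batches(relays):
        if flagged & set(fps):
            found |= set(fps) - flagged
    return found

if __name__ == "__main__":
    print("on both lists:", sorted(overlap(LIST_A, LIST_B)))
    print("batches:", join_batches(RELAYS))
    print("same batch, not flagged:", sorted(unflagged_lookalikes(RELAYS, LIST_A)))
```

A relay that lands in a batch with flagged relays is a candidate for closer monitoring, not proof of common control.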