Analyzing TOR-exitnodes for anomalies

A few days ago I had a strange encounter with Linux New Media‘s “Linux Magazine” website; depending on whether I used TOR to access their website I got different results. Accessing their site with TOR resulted in getting redirected to some kind of link-farm, which made me thoroughly suspicious. I assumed that they were looking at the source IP-address and deciding which webpage to serve – however, that phenomenon vanished a couple of hours after I blogged about it, so I assumed that they had fixed it.

Later I found a posting on the or-talk mailinglist about someone who suspected that certain TOR-nodes might alter webpages and include advertising of some sort. This would be an interesting attack.

I take my own work and my own assumptions very seriously. I don’t want to blame the Linux Magazine if they didn’t do it, and denouncing their actions as “bigotry“, as I did, is not to be taken lightly.

For that reason, out of curiosity, interest and for everyone else’s benefit, I started investigating whether there are any bogus TOR-exitnodes which alter the content of webpages and, if they do, what else they might do.

Theory of operation is simple:

  1. Get a list of known nodes which allow outbound tcp/80 traffic (http://localhost:9030/tor/running-routers is a good start)
  2. Loop over all exitnodes i and fetch a website A via exitnode i using TOR: “wget http://A.${i}.exit/ -O ${i}.html”
  3. Compare all stored websites (or, let’s say, distinctive parts of them) with an original

I have already checked about 20% of all exitnodes known to one of my machines as of today, and I will certainly repeat the same experiment a couple of times before publishing a result.

Stay tuned for updates. If there are bogus exitpoints we’ll find them; what actions to take is up to the TOR-operators. I’d suggest putting them on your TOR-nodes blacklist.

5 Responses to Analyzing TOR-exitnodes for anomalies

  1. quix0r says:

    What you want to say here is: call that localhost URL and reload it when you see that ads-page (domainsponsor) again? Good idea… :-)

    I will make it here and report that guy’s data here. :-)

  2. quix0r: Heck no! *laugh*
    That would be a bit too much work. I automated the process. I fetched all nodes known to my personal node through the localhost-URL and for every TOR-node mentioned in my node’s routing table I send a request to one certain webpage and store the result to disk.
    You can control what exit-node to use if you append a $nodename.exit to a URL; for example, if you want the URL http://www.showmyip.com/ to go through the TOR-node with the nickname “wormhole” (mine), you tell your browser to load http://www.showmyip.com.wormhole.exit/.
    That’s basically what I’m doing: requesting the same page over and over again through all exit-nodes. When I’m through all the nodes (several hundred) I check which of those nodes don’t show the original page (simple search for keywords). If I find suspicious content, I investigate further.
    Hope that clarifies it a bit,
    Alex.
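The loop sketched in steps 1–3 of the post, using the `host.nickname.exit` notation Alex describes in his reply, written out as an added example (this is not the author’s own script). It assumes an HTTP proxy in front of Tor on 127.0.0.1:8118 (wget speaks no SOCKS, so Privoxy or similar is needed), an `exitnodes.txt` file with one exit nickname per line extracted from the localhost directory URL, a `MARKER` string that the genuine page always contains, and a Tor that still honours `.exit` host names; newer Tor releases disable that notation by default (the AllowDotExit option). Proxy address, file names and the marker are all placeholders.

```shell
#!/bin/sh
# Added example, not the author's script. Assumptions: Tor is reachable
# through an HTTP proxy on 127.0.0.1:8118, exit nicknames are stored one
# per line in $NODELIST, $TARGET is the site under test and $MARKER is a
# string the genuine page always contains. Newer Tor releases disable the
# "<host>.<nick>.exit" notation by default (AllowDotExit).

TARGET="${TARGET:-www.example.org}"        # site fetched through every exit (placeholder)
PROXY="${PROXY:-http://127.0.0.1:8118/}"   # HTTP proxy chained into Tor (assumed)
NODELIST="${NODELIST:-exitnodes.txt}"      # one exit nickname per line (assumed)
OUTDIR="${OUTDIR:-pages}"                  # where <nick>.html files are stored
MARKER="${MARKER:-Linux Magazine}"         # distinctive string from the real page

# Step 2: fetch TARGET through exit $1 and store the result as OUTDIR/$1.html.
# A timeout or refused connection leaves an empty file behind.
fetch_via_exit() {
    mkdir -p "$OUTDIR"
    http_proxy="$PROXY" wget -q --timeout=30 --tries=1 \
        -O "$OUTDIR/$1.html" "http://$TARGET.$1.exit/"
}

# Does the stored page $1 still contain the distinctive marker $2?
# Returns 0 when the page looks genuine, non-zero when the marker is missing.
check_page() {
    grep -qF -- "$2" "$1"
}

# Step 3: print the nickname of every exit whose stored page lacks the marker.
# Empty files (fetch failed, exit blocked, site refused the exit's address)
# land here too, so refetch through the same exit before drawing conclusions.
find_anomalies() {   # $1 = directory of stored pages, $2 = marker string
    for f in "$1"/*.html; do
        [ -e "$f" ] || continue
        if ! check_page "$f" "$2"; then
            n=${f##*/}
            printf '%s\n' "${n%.html}"
        fi
    done
}

# Run the full sweep only when a node list is actually present.
if [ -r "$NODELIST" ]; then
    while read -r nick; do
        [ -n "$nick" ] && fetch_via_exit "$nick"
    done < "$NODELIST"
    echo "exits whose stored page lacks '$MARKER':"
    find_anomalies "$OUTDIR" "$MARKER"
fi
```

A missing marker is only a lead, not proof of injection: a timed-out fetch, a website that blocks or filters particular exit addresses (the behaviour Freemor describes below), or a site that serves different content per source address all look identical at this stage. Refetch through the same exit, then diff the stored page against a copy fetched directly, before blacklisting anyone.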

  3. Freemor says:

    I think you’ll find this is some sort of blocking/filtering at the website’s end. I was getting the same “SUSPECTED+UNDESIRABLE+BOT” results from Google.ca the other day (via tor). All it took to get rid of it was to close out the browser and then open it again so a new route/exit node was established.

    With seeing your, and others’, experience with this it sounds like only certain exit nodes are blocked/filtered.. I certainly haven’t seen anything that looks like a determined attempt to inject advertising yet… But the ability of an exit node to inject content is certainly a valid concern, and I applaud your efforts to check it out.

  4. TT says:

    “Later i found a posting on the or-talk mailinglist about someone who was suspecting that certain TOR-nodes might alter webpages and include advertising of some sort.”

    If this is right enough then malicious use is obviously something TOR users would like to know about, but I think it could be a good thing if the developers of TOR want to start generating some revenue to help fund TOR. I mean there’s a lot of new applications kicking about that have TOR built in (TORPark Web Browser, AnonOS) that all take their toll on the total bandwidth available. If the developers were to code a small banner into the top of all pages received by the exit node it would help fund more servers for the network.

    I wonder whether the developers have thought about that.

  5. […] Update 2 (Wednesday): Something doesn’t seem to be so right, more people are complaining about the same problem on various websites, so I started an analysis of whether there’s something wrong with the Tor-system itself. […]
