Analyzing TOR-exitnodes for anomalies – results

As my regular readers clearly remember, a couple of days ago I accused the Linux Magazine of bigotry. Later I learned that it’s not only the Linux Magazine, but lots of other sites which show a strange behaviour when accessed through the Tor-system.

To check what’s really going on I started an investigation and tested more than a thousand Tor-nodes for strange behaviour. I submitted my results to the or-talk List yesterday:

Date: Thu, 5 Oct 2006 17:56:51 +0200
From: “Alexander W. Janssen” <yalla@ynfonatic.de>
To: or-talk@freehaven.net
Subject: First results of analysis

Hi all,

I checked 1161 nodes in total.

269 of them were responsive exit-nodes, all behaving correctly.

9 exitnodes were responsive, but they had some proxy installed which didn’t behave quite correctly when you accessed a webpage with the notation original.url.$nodename.exit; the error-messages varied from “could not resolve” (looks like a DNS-leak to me) over “502 Bad Gateway” through “502 Proxy Error”.

However, in my list of exit-nodes I couldn’t find any host which showed the described behaviour. My test-URL was http://www.linux-magazine.com/.

So there is still some space left for discussion: Did I miss the “bad” or “banned” exitnode?

I tend to agree with Claude; at the moment it doesn’t seem likely that we have some sort of bad exitnodes in place.

However, we probably should think about whether we should install some kind of early warning system. I could imagine something like this: Every client checks once per day some random website on the internet via, let’s say, 10 random exit-nodes and compares the results. If something is wrong the exitnode could be signalled to a real human who could verify the claim.

What do you think about that?

Cheers, Alex.

I stopped my efforts at the moment; I tend to blame Linux Magazine’s webhoster, but no-one knows exactly what’s going on. It’ll just be a matter of time until someone sets up rogue Tor-nodes.

Therefore: Dear editor and people from the Linux Magazine, I was in rage. You clearly didn’t deserve to be called “bigot”. I honestly apologize. I don’t know what’s really going on, but maybe you start an investigation on your own.

Alexander “Yalla” Janssen.
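
The early-warning idea from the e-mail above (fetch one page through about 10 exit nodes and compare the results), sketched as an added example that is not part of the original post. Node names and page bodies are constructed, and the majority vote and whitespace normalisation are assumptions about how the comparison could work.

```python
import hashlib
from collections import Counter

def exit_hostname(host, nodename):
    # The post's notation: original.url.$nodename.exit
    return f"{host}.{nodename}.exit"

def fingerprint(body):
    # Collapse whitespace so trivial reformatting by a proxy is not flagged.
    return hashlib.sha256(b" ".join(body.split())).hexdigest()

def compare_exits(results):
    """results maps nodename -> (http_status, body bytes).
    Returns (errors, deviants): exits that failed outright, and exits whose
    page differs from what the majority of working exits returned."""
    errors = {n: s for n, (s, _) in results.items() if s != 200}
    prints = {n: fingerprint(b) for n, (s, b) in results.items() if s == 200}
    if not prints:
        return errors, {}
    majority, votes = Counter(prints.values()).most_common(1)[0]
    if votes * 2 <= len(prints):
        # No clear majority: the page is probably dynamic, so there is
        # no baseline to compare against and nothing is flagged.
        return errors, {}
    deviants = {n: fp for n, fp in prints.items() if fp != majority}
    return errors, deviants

# Constructed sample: 10 hypothetical exits fetching the same test page.
PAGE = b"<html><body>Linux Magazine</body></html>"
SAMPLE = {f"node{i}": (200, PAGE) for i in range(7)}
SAMPLE["node7"] = (502, b"Bad Gateway")                     # proxy error
SAMPLE["node8"] = (200, b"<html><body>Linux   Magazine</body></html>\n")
SAMPLE["node9"] = (200, PAGE.replace(b"</body>", b"<!-- altered --></body>"))

if __name__ == "__main__":
    errors, deviants = compare_exits(SAMPLE)
    # Both lists go to a human for verification, as the e-mail suggests.
    print("errors:", sorted(errors), "deviants:", sorted(deviants))
```

Pages that change on every request will never reach a majority, so a real check would need a static test page or stronger normalisation.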


2 Responses to Analyzing TOR-exitnodes for anomalies – results

  1. TT says:

    Find real address of Tor clients
    http://www.packetstormsecurity.org/0610-advisories/Practical_Onion_Hacking.pdf

    It seems that there’s been a security firm running a proof of concept compromised exitnode that injects a web bug into the html that will report back true ip address to their server. Did you maybe end up coming across one of their malicious exit nodes?

  2. testurl says:

    Thanks for finally writing about >Analyzing TOR-exitnodes for anomalies
    – results | Blog of too many things <Loved it!
