|
'''Note that this page is no longer maintained! If you want to report a bad relay, have a look at [https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays this page].'''
|
|
**Note that this page is no longer maintained! If you want to report a bad relay, have a look at [this page](https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays).**
|
|
|
|
|
|
----
|
|
----
|
|
= Known Bad Relays =
|
|
# Known Bad Relays
|
|
This is a summary of tor relays that have been flagged as bad, being either malicious or misconfigured. Its purpose is to use past events to make trends more evident and help aid investigations of future suspicious activity. Most bad relays are caught thanks to our wider community, so many thanks for all your help and vigilance!
|
|
This is a summary of tor relays that have been flagged as bad, being either malicious or misconfigured. Its purpose is to use past events to make trends more evident and help aid investigations of future suspicious activity. Most bad relays are caught thanks to our wider community, so many thanks for all your help and vigilance!
|
|
|
|
|
|
In almost all cases we're unable to contact the operator to resolve the issue so if your relay's listed below then please let us know so we can fix the issue.
|
|
In almost all cases we're unable to contact the operator to resolve the issue so if your relay's listed below then please let us know so we can fix the issue.
|
|
|
|
|
|
Bad relays fall into three categories:
|
|
Bad relays fall into three categories:
|
|
|
|
|
|
* !BadExit - Never use as an exit node (for nodes that appear to mess with exit traffic)
|
|
* BadExit - Never use as an exit node (for nodes that appear to mess with exit traffic)
|
|
* Invalid - Never used unless !AllowInvalidNodes is set (by default this only allows for middle and rendezvous usage)
|
|
* Invalid - Never used unless AllowInvalidNodes is set (by default this only allows for middle and rendezvous usage)
|
|
* Reject - Dropped from the consensus entirely
|
|
* Reject - Dropped from the consensus entirely
|
|
|
|
|
|
== What is a bad exit? ==
|
|
## What is a bad exit?
|
|
A bad exit is one that breaks stuff, either maliciously or through misconfiguration.
|
|
A bad exit is one that breaks stuff, either maliciously or through misconfiguration.
|
|
|
|
|
|
Suspected “bad exits” should be reported to tor-assistants@tpo.
|
|
Suspected “bad exits” should be reported to tor-assistants@tpo.
|
|
|
|
|
|
The most common misconfiguration I have seen is using [http://www.opendns.com/ OpenDNS] as a host's nameserver with what I think is the OpenDNS default config. Services such as OpenDNS lie to you, under the name of protecting you. The result is for instance getting redirected to their webpage when you want to visit evil sites such as https://www.torproject.org/.
|
|
The most common misconfiguration I have seen is using [OpenDNS](http://www.opendns.com/) as a host's nameserver with what I think is the OpenDNS default config. Services such as OpenDNS lie to you, under the name of protecting you. The result is for instance getting redirected to their webpage when you want to visit evil sites such as https://www.torproject.org/.
|
|
|
|
|
|
One example of either misconfiguration or actual intended malicious behavior is exit nodes that do man in the middle attacks on outgoing https connections, do SSL stripping (i.e. replacing !https:// links with !http:// links), or do man in the middle attacks on other protocols like ssh.
|
|
One example of either misconfiguration or actual intended malicious behavior is exit nodes that do man in the middle attacks on outgoing https connections, do SSL stripping (i.e. replacing !https:// links with !http:// links), or do man in the middle attacks on other protocols like ssh.
|
|
|
|
|
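Review bot: in the converted sentence about SSL stripping, the Trac escapes were left in place: `!https://` and `!http://` still carry the leading `!`, while `!BadExit` and `!AllowInvalidNodes` in the category list had theirs removed. Markdown prints that `!` literally, so the text now reads as if the exclamation mark were part of the scheme. Drop the `!` and put the two schemes in backticks so they are neither mangled nor auto-linked.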
... | @@ -26,66 +26,68 @@ Whenever Directory Authority operators find such nodes, or somebody points them |
... | @@ -26,66 +26,68 @@ Whenever Directory Authority operators find such nodes, or somebody points them |
|
The tor directory authority operators who vote on the 'BadExit' flag have the last say on what constitutes being a bad exit. In general we'll flag for the following...
|
|
The tor directory authority operators who vote on the 'BadExit' flag have the last say on what constitutes being a bad exit. In general we'll flag for the following...
|
|
|
|
|
|
* Tampering with exit traffic in any way. This is often accidental (for instance filtering by anti-virus).
|
|
* Tampering with exit traffic in any way. This is often accidental (for instance filtering by anti-virus).
|
|
* Only allowing plain-text traffic, for instance just allowing traffic through ports 80 and 143. This is because these relays are highly suspicious to be sniffing traffic. For the discussion on this see [https://metrics.torproject.org/relay.html?fingerprint=009E71AED2C5580E942AC1743D1C440C5B2C459E this thread].
|
|
* Only allowing plain-text traffic, for instance just allowing traffic through ports 80 and 143. This is because these relays are highly suspicious to be sniffing traffic. For the discussion on this see [this thread](https://metrics.torproject.org/relay.html?fingerprint=009E71AED2C5580E942AC1743D1C440C5B2C459E).
|
|
* Numerous exits that collectively provide a high amount of bandwidth but are obviously related without setting the MyFamily entry.
|
|
* Numerous exits that collectively provide a high amount of bandwidth but are obviously related without setting the MyFamily entry.
|
|
|
|
|
|
== Individual Bans ==
|
|
## Individual Bans
|
|
__As of April 2013 this list is no longer being maintained.__ The authority operators have decided to coordinate via a torrc one of them considers to be 'secret' (despite that it's essentially public via the consensus). I've made numerous requests to be kept in the loop regarding bad-exiting which have been ignored so I give up on trying to keep track of this. Someone else can take over maintaining it if they have the time.
|
|
__As of April 2013 this list is no longer being maintained.__ The authority operators have decided to coordinate via a torrc one of them considers to be 'secret' (despite that it's essentially public via the consensus). I've made numerous requests to be kept in the loop regarding bad-exiting which have been ignored so I give up on trying to keep track of this. Someone else can take over maintaining it if they have the time.
|
|
|
|
|
|
|| **Nickname** || **Ban Type** || **IP** || **Port** || **Date** || **Reporter** || **Reason** ||
|
|
| **Nickname** | **Ban Type** | **IP** | **Port** | **Date** | **Reporter** | **Reason** |
|
|
|| [https://atlas.torproject.org/#details/F8FD29D024A2CB85785EEFC004FF098D5AE05380 Unnamed] || !BadExit || 176.99.12.246 || 9001 || 7/12/13 || phw || SSL MITM with CN as main authority ||
|
|
|--------------|--------------|--------|----------|----------|--------------|------------|
|
|
|| [https://atlas.torproject.org/#details/ACC399C3FEA058C81FCBF4DA5260D9A536FF1993 Unnamed] || !BadExit || 109.68.190.231 || 9001 || 6/29/13 || athena || SSL MITM with CN as main authority ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/F8FD29D024A2CB85785EEFC004FF098D5AE05380) | BadExit | 176.99.12.246 | 9001 | 7/12/13 | phw | SSL MITM with CN as main authority |
|
|
|| [https://atlas.torproject.org/#details/FD24DCAA7679EBE677E72F2CF4C56456D8A5BC8D Unnamed] || !BadExit || 176.99.10.92 || 9001 || 4/10/13 || ----- || SSL MITM ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/ACC399C3FEA058C81FCBF4DA5260D9A536FF1993) | BadExit | 109.68.190.231 | 9001 | 6/29/13 | athena | SSL MITM with CN as main authority |
|
|
|| [https://atlas.torproject.org/#details/2D2D8D2ED1A50666A921F754AEC892A7D2CDEABE Unnamed] || !BadExit || 64.237.42.138 || 9001 || 3/1/13 || [https://trac.torproject.org/8373 -----] || SSL MITM ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/FD24DCAA7679EBE677E72F2CF4C56456D8A5BC8D) | BadExit | 176.99.10.92 | 9001 | 4/10/13 | ----- | SSL MITM |
|
|
|| [https://atlas.torproject.org/#details/90057C9B0AEEB99B62522AF1D8118751555FD5D1 Unnamed] || !BadExit || 141.101.238.182 || 9001 || 1/8/13 || Pierre Richard || SSL MITM ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/2D2D8D2ED1A50666A921F754AEC892A7D2CDEABE) | BadExit | 64.237.42.138 | 9001 | 3/1/13 | [-----](https://trac.torproject.org/8373) | SSL MITM |
|
|
|| [https://atlas.torproject.org/#details/04182F3FAB322811526D04C46082B8DC8A2CD861 Unnamed] || !BadExit || 46.30.42.154 || 9001 || 11/9/12 || ----- || SSL MITM with CN as main authority ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/90057C9B0AEEB99B62522AF1D8118751555FD5D1) | BadExit | 141.101.238.182 | 9001 | 1/8/13 | Pierre Richard | SSL MITM |
|
|
|| [https://atlas.torproject.org/#details/D80CECD698B118ABEF8ADF7FEE046080A1D62902 Unnamed] || !BadExit || 46.30.42.153 || 9001 || 11/9/12 || ----- || SSL MITM with CN as main authority ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/04182F3FAB322811526D04C46082B8DC8A2CD861) | BadExit | 46.30.42.154 | 9001 | 11/9/12 | ----- | SSL MITM with CN as main authority |
|
|
|| [https://atlas.torproject.org/#details/9EBCBF36061B5B4C181112BD7299F7A6C3D5EC9E HumaniTOR] || !BadExit || 212.80.35.73 || 9001 || 5/11/12 || arma || connection refused for ports 80 and 443 ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/D80CECD698B118ABEF8ADF7FEE046080A1D62902) | BadExit | 46.30.42.153 | 9001 | 11/9/12 | ----- | SSL MITM with CN as main authority |
|
|
|| [https://atlas.torproject.org/#details/486EFAD8AEF3360C07877DBE7BA96BF22D304256 Unnamed] || !BadExit || 219.90.126.61 || 443 || 5/1/12 || James Hooker || running sslstrip ||
|
|
| [HumaniTOR](https://atlas.torproject.org/#details/9EBCBF36061B5B4C181112BD7299F7A6C3D5EC9E) | BadExit | 212.80.35.73 | 9001 | 5/11/12 | arma | connection refused for ports 80 and 443 |
|
|
|| [https://atlas.torproject.org/#details/0450B15FFAC9E310AB2A222ADECFEF35F4A65C23 ididedittheconfig] || !BadExit || 94.185.81.130 || 9001 || 4/3/12 || James Hooker || running sslstrip ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/486EFAD8AEF3360C07877DBE7BA96BF22D304256) | BadExit | 219.90.126.61 | 443 | 5/1/12 | James Hooker | running sslstrip |
|
|
|| [https://atlas.torproject.org/#details/FFD2075CC29852C322E1984555CDDFBC6FB1EE80 UnFilTerD] || !BadExit || 82.95.57.4 || 8888 || 4/3/12 || James Hooker || running sslstrip ||
|
|
| [ididedittheconfig](https://atlas.torproject.org/#details/0450B15FFAC9E310AB2A222ADECFEF35F4A65C23) | BadExit | 94.185.81.130 | 9001 | 4/3/12 | James Hooker | running sslstrip |
|
|
|| [https://atlas.torproject.org/#details/C9BE2C39CA4E6F120293C80D2CBE2BC34F3A1F30 default] || !BadExit || 66.165.177.139 || 443 || 3/5/12 || --- || sniffing traffic ||
|
|
| [UnFilTerD](https://atlas.torproject.org/#details/FFD2075CC29852C322E1984555CDDFBC6FB1EE80) | BadExit | 82.95.57.4 | 8888 | 4/3/12 | James Hooker | running sslstrip |
|
|
|| [https://atlas.torproject.org/#details/34ED97E3A217A1A567F261B21B15C1323BE44DC5 100mbitTOR] || !BadExit || 109.87.69.138 || --- || 11/6/11 || Sebastian || MITM of SSL ||
|
|
| [default](https://atlas.torproject.org/#details/C9BE2C39CA4E6F120293C80D2CBE2BC34F3A1F30) | BadExit | 66.165.177.139 | 443 | 3/5/12 | --- | sniffing traffic |
|
|
|| [https://atlas.torproject.org/#details/29290506633292FE318DDA9EA93DE8F452B50C17 Secureroute] || !BadExit || --- || --- || 11/4/11 || mikeperry || MITM of SSL with self-signed cert ||
|
|
| [100mbitTOR](https://atlas.torproject.org/#details/34ED97E3A217A1A567F261B21B15C1323BE44DC5) | BadExit | 109.87.69.138 | --- | 11/6/11 | Sebastian | MITM of SSL |
|
|
|| [https://atlas.torproject.org/#details/EDA829CBA890BBB30FE5BE04779D83044126BA67 Unnamed] || !BadExit || 164.41.103.153 || 443 || 9/30/11 || aagbsn || MITM of SSL with a fortinet cert ||
|
|
| [Secureroute](https://atlas.torproject.org/#details/29290506633292FE318DDA9EA93DE8F452B50C17) | BadExit | --- | --- | 11/4/11 | mikeperry | MITM of SSL with self-signed cert |
|
|
|| [https://atlas.torproject.org/#details/4BF2F90E6E1905E2FB4F371E471422150D722A93 QuantumSevero] || !BadExit || 84.19.176.56 || 443 || 1/30/11 || mikeperry || plaintext-only exit policy + no reachable contact ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/EDA829CBA890BBB30FE5BE04779D83044126BA67) | BadExit | 164.41.103.153 | 443 | 9/30/11 | aagbsn | MITM of SSL with a fortinet cert |
|
|
|| [https://atlas.torproject.org/#details/009E71AED2C5580E942AC1743D1C440C5B2C459E ElzaTorServer] || !BadExit || 109.202.66.4 || 9001 || 1/30/11 || mikeperry || plaintext-only exit policy + no reachable contact ||
|
|
| [QuantumSevero](https://atlas.torproject.org/#details/4BF2F90E6E1905E2FB4F371E471422150D722A93) | BadExit | 84.19.176.56 | 443 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact |
|
|
|| [https://atlas.torproject.org/#details/6C7C819F808AC125C69E1D981F350DCBA44DA8B5 agitator] || !BadExit || 188.40.77.107 || 9001 || 1/15/11 || --- || sniffing traffic ||
|
|
| [ElzaTorServer](https://atlas.torproject.org/#details/009E71AED2C5580E942AC1743D1C440C5B2C459E) | BadExit | 109.202.66.4 | 9001 | 1/30/11 | mikeperry | plaintext-only exit policy + no reachable contact |
|
|
|| [https://atlas.torproject.org/#details/CFF12B35708730135D8B769BF40E9533D0A5768A PrivacyPT] || !BadExit || 84.90.72.186 || --- || 1/5/11 || mikeperry || running sslstrip ||
|
|
| [agitator](https://atlas.torproject.org/#details/6C7C819F808AC125C69E1D981F350DCBA44DA8B5) | BadExit | 188.40.77.107 | 9001 | 1/15/11 | --- | sniffing traffic |
|
|
|| [https://atlas.torproject.org/#details/1EF79D1BEF632CBC251B8D5290EC76B324D893D4 KnightVison] || !BadExit || 213.247.98.204 || --- || 1/5/11 || mikeperry || 403 responses for arbitrary URLs ||
|
|
| [PrivacyPT](https://atlas.torproject.org/#details/CFF12B35708730135D8B769BF40E9533D0A5768A) | BadExit | 84.90.72.186 | --- | 1/5/11 | mikeperry | running sslstrip |
|
|
|| [https://atlas.torproject.org/#details/19F9A138507AED9262F6FE89F80297571D5EEA7D Unnamed] || !BadExit || 84.46.20.223 || --- || 1/5/11 || mikeperry || SSL MITM with Kaspersky AV certs ||
|
|
| [KnightVison](https://atlas.torproject.org/#details/1EF79D1BEF632CBC251B8D5290EC76B324D893D4) | BadExit | 213.247.98.204 | --- | 1/5/11 | mikeperry | 403 responses for arbitrary URLs |
|
|
|| [https://atlas.torproject.org/#details/8CDE3E6EED5DDDEE973046BC8FDA6A2FF04CE13B newworld] || !BadExit || 98.126.68.58 || 443 || 12/22/10 || mikeperry || running sslstrip ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/19F9A138507AED9262F6FE89F80297571D5EEA7D) | BadExit | 84.46.20.223 | --- | 1/5/11 | mikeperry | SSL MITM with Kaspersky AV certs |
|
|
|| [https://atlas.torproject.org/#details/EF70A4B018713E0FB96793BBA9C479C759C1069E Unnamed] || !BadExit || 118.160.19.236 || 443 || 11/19/10 || mikeperry || anti-virus filter is blocking sites (trend-micro) ||
|
|
| [newworld](https://atlas.torproject.org/#details/8CDE3E6EED5DDDEE973046BC8FDA6A2FF04CE13B) | BadExit | 98.126.68.58 | 443 | 12/22/10 | mikeperry | running sslstrip |
|
|
|| [https://atlas.torproject.org/#details/3B738274C761DE3B4DF6C7EE5841CF32AC198976 Unnamed] || !BadExit || --- || --- || 11/19/10 || mikeperry || anti-virus filter is blocking sites (trend-micro) ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/EF70A4B018713E0FB96793BBA9C479C759C1069E) | BadExit | 118.160.19.236 | 443 | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
|
|
|| [https://atlas.torproject.org/#details/05AF83344B3787D0DCCD47DC4A6A4668142A5F8C Unnamed] || !BadExit || --- || --- || 11/19/10 || mikeperry || anti-virus filter is blocking sites (trend-micro) ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/3B738274C761DE3B4DF6C7EE5841CF32AC198976) | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
|
|
|| [https://atlas.torproject.org/#details/9ACD814943FA0DA8D1C30B812B47B61098A89666 Unnamed] || !BadExit || --- || --- || 11/19/10 || mikeperry || anti-virus filter is blocking sites (trend-micro) ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/05AF83344B3787D0DCCD47DC4A6A4668142A5F8C) | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
|
|
|| [https://atlas.torproject.org/#details/074321FEFF2DD92EB1FA19879B4D7734E0434A01 Unnamed] || !BadExit || --- || --- || 11/19/10 || mikeperry || anti-virus filter is blocking sites (trend-micro) ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/9ACD814943FA0DA8D1C30B812B47B61098A89666) | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
|
|
|| [https://atlas.torproject.org/#details/878C5E5EA39178760C25BC04988109F8FCFCC123 703server] || !BadExit || 173.49.70.62 || --- || 11/19/10 || mikeperry || several issues including possible SSL downgrade attack ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/074321FEFF2DD92EB1FA19879B4D7734E0434A01) | BadExit | --- | --- | 11/19/10 | mikeperry | anti-virus filter is blocking sites (trend-micro) |
|
|
|| [https://atlas.torproject.org/#details/AC08E815CD60590187E41916DF7F8422F621C694 Tark69] || !BadExit || 66.169.160.200 || 443 || 10/28/10 || mikeperry || anti-virus filter is blocking sites ||
|
|
| [703server](https://atlas.torproject.org/#details/878C5E5EA39178760C25BC04988109F8FCFCC123) | BadExit | 173.49.70.62 | --- | 11/19/10 | mikeperry | several issues including possible SSL downgrade attack |
|
|
|| [https://atlas.torproject.org/#details/4D33BFB8B048D22EB948C275AE6D4988DD85342D Unnamed] || !BadExit || 90.22.200.39 || --- || 10/24/10 || mikeperry || dropping TLS connections for multiple sites ||
|
|
| [Tark69](https://atlas.torproject.org/#details/AC08E815CD60590187E41916DF7F8422F621C694) | BadExit | 66.169.160.200 | 443 | 10/28/10 | mikeperry | anti-virus filter is blocking sites |
|
|
|| [https://atlas.torproject.org/#details/4A83491EA620D8DFEFF7F7E06F8CB7B4629FAA89 ArsenalGear] || !BadExit || 88.207.18.230 || --- || 7/27/10 || susurrusus || running sslstrip ||
|
|
| [Unnamed](https://atlas.torproject.org/#details/4D33BFB8B048D22EB948C275AE6D4988DD85342D) | BadExit | 90.22.200.39 | --- | 10/24/10 | mikeperry | dropping TLS connections for multiple sites |
|
|
|| [https://atlas.torproject.org/#details/3D96FD576775B96829557BB6878F8084EBFD6E24 FluideGlacial] || !BadExit || 78.229.212.4 || 9001 || 7/14/10 || mikeperry || spurious RST packets ||
|
|
| [ArsenalGear](https://atlas.torproject.org/#details/4A83491EA620D8DFEFF7F7E06F8CB7B4629FAA89) | BadExit | 88.207.18.230 | --- | 7/27/10 | susurrusus | running sslstrip |
|
|
|| [https://atlas.torproject.org/#details/DD0F0A72A773ED5F2EA298BE0DD1177560F97A9A capoteATWO] || !BadExit || 148.88.190.145 || 9001 || 4/28/10 || phobos, xiando || [http://archives.seul.org/or/relays/Apr-2010/msg00108.html misconfigured] ||
|
|
| [FluideGlacial](https://atlas.torproject.org/#details/3D96FD576775B96829557BB6878F8084EBFD6E24) | BadExit | 78.229.212.4 | 9001 | 7/14/10 | mikeperry | spurious RST packets |
|
|
|| [https://atlas.torproject.org/#details/4A3D306B5E45E501EA726598E5F3A89AE6FE1C72 romainaForever] || !BadExit || 64.191.73.149 || 9001 || --- || --- || --- ||
|
|
| [capoteATWO](https://atlas.torproject.org/#details/DD0F0A72A773ED5F2EA298BE0DD1177560F97A9A) | BadExit | 148.88.190.145 | 9001 | 4/28/10 | phobos, xiando | [misconfigured](http://archives.seul.org/or/relays/Apr-2010/msg00108.html) |
|
|
|| [https://atlas.torproject.org/#details/DB0E1CE11E3AC37EB4190FFDE7653EAE9CBDBF20 netwroke421d2a] || !BadExit || 64.191.22.197 || 9001 || --- || --- || --- ||
|
|
| [romainaForever](https://atlas.torproject.org/#details/4A3D306B5E45E501EA726598E5F3A89AE6FE1C72) | BadExit | 64.191.73.149 | 9001 | --- | --- | --- |
|
|
|
|
| [netwroke421d2a](https://atlas.torproject.org/#details/DB0E1CE11E3AC37EB4190FFDE7653EAE9CBDBF20) | BadExit | 64.191.22.197 | 9001 | --- | --- | --- |
|
|
== Ban Groups ==
|
|
|
|
|| **Referred Name** || **Count** || **Ban Type** || **Date** || **Reporter** || **Reason** ||
|
|
## Ban Groups
|
|
|| trotsky || 747 || Invalid || 9/23/10 || atagar || suspected botnet ||
|
|
| **Referred Name** | **Count** | **Ban Type** | **Date** | **Reporter** | **Reason** |
|
|
|| network || --- || !BadExit || --- || --- || --- ||
|
|
|-------------------|-----------|--------------|----------|--------------|------------|
|
|
|
|
| trotsky | 747 | Invalid | 9/23/10 | atagar | suspected botnet |
|
|
=== trotsky ===
|
|
| network | --- | BadExit | --- | --- | --- |
|
|
[wiki:doc/badRelays/trotskyIps IP Addresses]
|
|
|
|
|
|
### trotsky
|
|
|
|
[IP Addresses](./doc/badRelays/trotskyIps)
|
|
|
|
|
|
Between 17-23:00 (UTC) 226 exiting relays, all with largely identical nicknames ("trotsky*") and exit policies were added to the tor network. No family or contact information was set, and the IPs came from several countries (mostly eastern European) making it look like a potential botnet. They disappeared roughly a week later.
|
|
Between 17-23:00 (UTC) 226 exiting relays, all with largely identical nicknames ("trotsky*") and exit policies were added to the tor network. No family or contact information was set, and the IPs came from several countries (mostly eastern European) making it look like a potential botnet. They disappeared roughly a week later.
|
|
|
|
|
|
On 10/2/10 between 21-20:00 (UTC) another 383 exit relays were added, this time more gradually. Others have periodically appeared outside these windows. These relays appear to be on residential connections, most having very poor connectivity (rransom reports that some are dialup).
|
|
On 10/2/10 between 21-20:00 (UTC) another 383 exit relays were added, this time more gradually. Others have periodically appeared outside these windows. These relays appear to be on residential connections, most having very poor connectivity (rransom reports that some are dialup).
|
|
|
|
|
|
=== network ===
|
|
### network
|
|
* [https://atlas.torproject.org/#details/04AEF228B84A4D5542975D2F218C1E35A5F741A6 network51b9450] (64.191.53.37:9001)
|
|
* [network51b9450](https://atlas.torproject.org/#details/04AEF228B84A4D5542975D2F218C1E35A5F741A6) (64.191.53.37:9001)
|
|
* [https://atlas.torproject.org/#details/FE7C767CBD80069171FD051B434C4A0457E5D920 network17b661a] (64.191.59.245:9001)
|
|
* [network17b661a](https://atlas.torproject.org/#details/FE7C767CBD80069171FD051B434C4A0457E5D920) (64.191.59.245:9001)
|
|
|
|
|
|
Unfortunately there isn't documentation for why these relays are bad. They all begin with the nickname "network", reportedly run Windows Server 2003, and only accept IM traffic (jabber and irc on ports 5222, 5223, and 6666-6669).
|
|
Unfortunately there isn't documentation for why these relays are bad. They all begin with the nickname "network", reportedly run Windows Server 2003, and only accept IM traffic (jabber and irc on ports 5222, 5223, and 6666-6669).
|
|
|
|
|
|
== Research ==
|
|
## Research
|
|
* 2014-01-21 article [http://arstechnica.com/security/2014/01/scientists-detect-spoiled-onions-trying-to-sabotage-tor-privacy-network/ Scientists detect “spoiled onions” trying to sabotage Tor privacy network] and the actual paper [http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf Spoiled Onions: Exposing Malicious Tor Exit Relays] contains the list of relays found. |
|
* 2014-01-21 article [Scientists detect “spoiled onions” trying to sabotage Tor privacy network](http://arstechnica.com/security/2014/01/scientists-detect-spoiled-onions-trying-to-sabotage-tor-privacy-network/) and the actual paper [Spoiled Onions: Exposing Malicious Tor Exit Relays](http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf) contains the list of relays found. |
|
\ No newline at end of file |
|
\ No newline at end of file |
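Review bot: under the trotsky heading, the Trac link `[wiki:doc/badRelays/trotskyIps IP Addresses]` became `[IP Addresses](./doc/badRelays/trotskyIps)`. The `wiki:` form is resolved from the wiki root, while `./` is resolved relative to this page, so please confirm the new target still reaches the trotskyIps page and otherwise use a root-based path. In the same hunk, the "As of April 2013" notice keeps the Trac `__...__` markers; Markdown renders those as bold rather than underline, so switching to `**...**` would match the notice at the top of the page and make the intent explicit.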