Excluded Tor nodes are still being used when their "Country" location field is "?"
I noticed a potential security exploit affecting the latest Tor 0.2.4.6-alpha Qt 4.8.1 (Linux 64-bit) and possibly other versions.
Background: When the ExcludeNodes (or ExcludeExitNodes, etc.) directive is set in the torrc file to avoid all relays located in undesirable countries (for example, ExcludeNodes {RU},{US}), Tor relies on the GeoIP database to determine which nodes must be excluded from the circuits.
Problem: Currently about 50-55 relays somehow hide their country attribute, or else the GeoIP database fails to identify their location. Yet Tor includes such nodes in the circuits, and thus they bypass the exclusion. It's a potential security exploit.
Fix needed: The relays with an unidentified country attribute MUST NOT be allowed in Tor's circuit pool.
This problem can be visually observed in Vidalia's Network Map window. Here are the steps to reproduce the problem:
- Add 'ExcludeNodes {US},{RU}' to the torrc file (this is an example, since many of the questioned nodes are in fact originating in the mentioned countries).
- Open Vidalia's Network Map window and look at the list of the relays on the left. While most relays correctly display their location country flag, some relays have a question mark instead of the country flag. When they are selected, the detail info section in the lower middle doesn't show their country info (unlike the normal relays). To see all of these questionable relays better, sort the listed relays by country (click on the 2nd tab above the relay list), and they will be grouped at the top or at the bottom of the list. There are typically 50-55 of these relays.
- Over time, some of these relays without the listed country will be randomly included in the built circuits. I see it often when many developed countries (US, UK, etc.) are excluded. The more countries are excluded, the faster it will happen.
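A torrc fragment, added here and not part of the original ticket, showing how current Tor releases let an operator close this gap: `{??}` is Tor's country code for relays the GeoIP lookup cannot place (the ones Vidalia shows with a "?"), and the `GeoIPExcludeUnknown` option, which did not yet exist in 0.2.4.6-alpha, makes any country-based exclusion cover such relays. The country list is taken from the ticket's own example.

```text
# Exclude relays in the US and Russia, and also relays whose country
# the GeoIP database cannot resolve (shown as "?" in Vidalia).
ExcludeNodes {US},{RU},{??}
ExcludeExitNodes {US},{RU},{??}

# Treat unknown-country relays as excluded whenever a country code is
# listed in ExcludeNodes/ExcludeExitNodes. The default ("auto") already
# does this when countries are listed; "1" makes it unconditional.
GeoIPExcludeUnknown 1

# Never fall back to an excluded relay, even if no other path is available.
StrictNodes 1
```

After changing torrc, reload Tor (SIGHUP or a restart) and confirm in the Network Map that no "?"-country relay appears in new circuits.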
Suspicious relay behavior: I observed these "un-countried" relays over a few days. Most of them remain present and unchanged. However, a few unique relays without the country attribute are added each day, and a few disappear.
Interestingly, they seem to originate from the same IP address segments. Mostly it is the 5.xxx.xxx.xxx, 89., 91., 142., 192., 194., 198. and 199. IP segments.
Some relays share the same name (Unnamed), so it's hard to track them.
One of the relays ($EDFCBC44226B6DE6B28AFDEA6C8C63A3F5050665 [199.254.110.16]) only keeps changing its letter name (I don't see it today, though).
Please address the vulnerability as soon as you can - I'm tired of excluding 3 new individual fingerprints daily. :-)
Thank you!
Trac:
Username: bugcatcher