Re: Exit node connection statistics
Sebastian Hahn:

> > But you are right. Maybe top 100 is too much and I should switch to a top 20 or so?
>
> No, you should turn it off. Having those statistics doesn't add any value to the Tor network, you cannot even make broad statements like 30% of all traffic in Tor goes to xy.com, because you see only a tiny fraction and the real usage is likely to be entirely different - think about how different exit policies etc come into play. Generally, it's always recommended to not log unless you have a reason (for example a bug you're trying to find).

The question is not, if it adds value to Tor, but if it adds value in general. And if this is the case I cannot tell yet, and I claim you can't either. It's just a first idea. The stats are port specific, so they are independent of exit policies. Since I assume most users don't use specific exit nodes, I believe it's a fair assumption that the stats are more or less representative. So it doesn't tell you anything, that flickr.com for example makes more than 5% during the last days, while the next host is below 1%? Massive abuse is as much a reason as a bug in my eyes.

> The less verbose your logs are, the less likely it is someone will find them interesting and makes you give them out. This applies to the whole community of relay operators - if it is a well-known fact that most of them log, adversaries might become more persuasive when they ask for logs.

I doubt this well-known fact depends on whether somebody is publishing stats. You always have to assume, that a Tor relay might be logging, and so do the investigators. If they become active depends then on whether they were successful before in getting useful logs. My logs are not useful for backtracing, so I don't contribute to this effect.

> Generally, Tor exit nodes must always be assumed to be malicious, but this of course doesn't mean that once it's a proven fact that an exit is malicious, it will be excluded.

Define malicious. The key feature of Tor is, that it doesn't rely on the trustworthiness of the relay operators, else it would be useless. So I think the log issue is being overrated.

> So, a personal question: What is your motive? Do you feel you have a right to know what people are doing? Because this is where the ice gets really thin...

My motive is that of any researcher: learn something. And yes, I do feel that I have the right to know what people are doing, but I don't have the right to know what a person is doing. That's a big difference.

The ice gets thin if the Tor-FAQ argues: we feel that we're doing pretty well at striking a balance currently, although we don't have any idea how much abuse is currently happening. (You cannot estimate it by the number of complaints.) There are always side effects, so what side effects does Tor have? Maybe Tor in the end reduces privacy instead of improving it, if you look at the big picture? (For example because it enables data-miners to anonymously break their privacy policies?) If we don't dare to look what actually happens on the wire, with the excuse that Tor is about anonymity, we risk doing the wrong thing.

And the good thing is: most of the transport-layer data is already anonymized. If you make studies in the normal carrier networks, you always have to make a big effort to anonymize the data before giving something out. With Tor exit connections that's a lot easier, since the source is already unknown.

One could even take up this provocative position: Everybody can operate a Tor node. So everything that a Tor node sees, is public by definition, as it can be seen by a random non-trustworthy person. So it doesn't make a difference from a security point of view, if any information of the traffic is made public. What will become public then is information which is lost anyhow. P2P encryption is essential for sensitive data, with Tor even more, and making all info public would just make that very clear to everybody.
Re: Exit node connection statistics
Figuring out which exit node you are should be fairly trivial. There are about 1000 exit nodes that exit on port 80, and you are one of them. If I just send loads of http requests through half of those exit nodes to my own server one day and then check if my IP appears on your webpage, I've halved the number of possible exit nodes you are. If I then halve it again and repeat this every day, it should only take about a week and a half. I'll start with a possibility of 1024 exit nodes just for ease of maths:

Day 1 : Test 512 of the 1024 remaining exit nodes
Day 2 : Test 256 of the 512 remaining exit nodes
Day 3 : Test 128 of the 256 remaining exit nodes
Day 4 : Test 64 of the 128 remaining exit nodes
Day 5 : Test 32 of the 64 remaining exit nodes
Day 6 : Test 16 of the 32 remaining exit nodes
Day 7 : Test 8 of the 16 remaining exit nodes
Day 8 : Test 4 of the 8 remaining exit nodes
Day 9 : Test 2 of the 4 remaining exit nodes
Day 10: Test 1 of the 2 remaining exit nodes - Success

This process becomes quicker if you have more than 1 ip to test with. I'm making the assumption that it can't be that difficult to send enough http requests to get to the 100th or above place on your list. You don't publish total number of connections, only percentage of total, but it seems likely to me that the number of connections made to the site that is number 100 on your list should be easy to exceed.

I'm not going to bother of course, because I don't care that much. But just so you know, don't use that same onion address for anything that *needs* to be anonymous, because it won't be.

--
Dawn

[EMAIL PROTECTED] wrote:

> Hi, I don't know if somebody did this before, but I think it is quite interesting, to which hosts most of the exit connections go to. So I set up a statistics script creating a list of the top 100 hosts each day to which Tor users connect to over my node (only for ports 80 and 443).
>
> Besides just being interesting, this can also show potential security problems on the top hosts which are being exploited over Tor. For example, during the last weeks rapleaf.com was always at the top, and they keep a huge email-address database. This is probably no incident. The log data necessary for this is being deleted after one day not to compromise the anonymity of the users. I decided to make this accessible through a hidden service only, since I don't want to influence the exit node usage behaviour. This is the address: http://ob44yuhbyysk5xft.onion
>
> If you think this is a stupid idea or you have ideas for other interesting stats and for any other comment you can reach me by mplsfox02_AT_sneakemail_DOT_com. I don't know how long I will stay subscribed with or-talk, since I just wanted to seed the information. Spread it as you like.
>
> Regards, a Tor exit node operator.
Re: Exit node connection statistics
On 18.07.2008 at 16:05, Dawney Smith dawneysmith-at-googlemail.com |tor| wrote:

> Figuring out which exit node you are should be fairly trivial. There are about 1000 exit nodes that exit on port 80, and you are one of them.

Of course you can. And if you are able to bring yourself under the top 100 of 500 exit nodes in one day, you can solve it even in two days. Just use a different destination IP for each exit node, then you don't need the bisection method. ;-)

But you are right. Maybe top 100 is too much and I should switch to a top 20 or so?
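The bisection from Dawn's message and the several-markers-per-day variant raised in the reply above, as an added example that is not part of the original thread: a small Python model of how many daily top-N publications it takes before a single relay is singled out. The function names, the `top_n` cap and the assumption that every marker host reaches the published list are assumptions of this sketch.

```python
"""Model of how quickly a published per-relay top-N list singles out the relay.

Assumption (not from the thread): every marker host an observer uses on a
given day reaches the published list, so at most top_n markers fit per day.
"""


def split(candidates, parts):
    """Split candidates into `parts` nearly equal consecutive groups."""
    parts = min(parts, len(candidates))
    size, extra = divmod(len(candidates), parts)
    groups, start = [], 0
    for i in range(parts):
        end = start + size + (1 if i < extra else 0)
        groups.append(candidates[start:end])
        start = end
    return groups


def published_marker(groups, target):
    """Return the index of the marker visible in the target relay's list.

    Group i (all but the last) carries marker i; the last group carries no
    marker, so None means "no marker showed up today".
    """
    for marker, group in enumerate(groups[:-1]):
        if target in group:
            return marker
    return None


def days_to_identify(n_relays, markers_per_day, target, top_n=100):
    """Days of published lists needed until one candidate relay remains."""
    k = min(markers_per_day, top_n)  # the list cannot show more than top_n
    if k < 1:
        raise ValueError("at least one marker per day is required")
    candidates = list(range(n_relays))
    days = 0
    while len(candidates) > 1:
        days += 1
        groups = split(candidates, k + 1)
        seen = published_marker(groups, target)
        candidates = groups[-1] if seen is None else groups[seen]
    return days


def worst_case_days(n_relays, markers_per_day, top_n=100):
    """Longest run over every possible position of the relay."""
    return max(days_to_identify(n_relays, markers_per_day, t, top_n)
               for t in range(n_relays))


if __name__ == "__main__":
    print(worst_case_days(1024, 1))               # one marker: 10 days
    print(worst_case_days(1000, 100, top_n=100))  # top 100 list: 2 days
    print(worst_case_days(1000, 100, top_n=20))   # trimmed to top 20: 3 days
```

Under these assumptions, trimming the list from 100 to 20 entries moves the worst case for 1000 relays from two publications to three.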
Re: Exit node connection statistics
On Jul 18, 2008, at 7:39 PM, [EMAIL PROTECTED] wrote:

> Of course you can. And if you are able to bring yourself under the top 100 of 500 exit nodes in one day, you can solve it even in two days. Just use a different destination IP for each exit node, then you don't need the bisection method. ;-)
>
> But you are right. Maybe top 100 is too much and I should switch to a top 20 or so?

No, you should turn it off. Having those statistics doesn't add any value to the Tor network, you cannot even make broad statements like 30% of all traffic in Tor goes to xy.com, because you see only a tiny fraction and the real usage is likely to be entirely different - think about how different exit policies etc come into play.

Generally, it's always recommended to not log unless you have a reason (for example a bug you're trying to find). The less verbose your logs are, the less likely it is someone will find them interesting and makes you give them out. This applies to the whole community of relay operators - if it is a well-known fact that most of them log, adversaries might become more persuasive when they ask for logs.

Generally, Tor exit nodes must always be assumed to be malicious, but this of course doesn't mean that once it's a proven fact that an exit is malicious, it will be excluded.

So, a personal question: What is your motive? Do you feel you have a right to know what people are doing? Because this is where the ice gets really thin...

Sebastian
Re: Exit node connection statistics
[EMAIL PROTECTED] wrote:

> Can you explain what the threat scenario is for what I'm doing?

One possible issue comes to my mind here. You mentioned, you delete your logs after 24h (after evaluation). I don't know what exactly you are logging for this interval, but one reason why it is usually useless to search Tor nodes is because they don't keep any (usable) logs. If this changes for some nodes and is known e.g. to law enforcement agencies, that might encourage searching/confiscating of Tor nodes in general and increase risk for any node operator.

Regards, Dominik
Re: Exit node connection statistics
Dominik Schaefer:

> [EMAIL PROTECTED] wrote:
>
> > Can you explain what the threat scenario is for what I'm doing?
>
> One possible issue comes to my mind here. You mentioned, you delete your logs after 24h (after evaluation). I don't know what exactly you are logging for this interval, but one reason why it is usually useless to search Tor nodes is because they don't keep any (usable) logs. If this changes for some nodes and is known e.g. to law enforcement agencies, that might encourage searching/confiscating of Tor nodes in general and increase risk for any node operator.

I just log the exit connections (standard info log of Tor), which is not of much use for investigators, as they have this information already if they found the exit node.
Re: Exit node connection statistics
[EMAIL PROTECTED] @ 2008/07/17 09:03:

> Dominik Schaefer:
>
> > [EMAIL PROTECTED] wrote:
> >
> > > Can you explain what the threat scenario is for what I'm doing?
> >
> > One possible issue comes to my mind here. You mentioned, you delete your logs after 24h (after evaluation). I don't know what exactly you are logging for this interval, but one reason why it is usually useless to search Tor nodes is because they don't keep any (usable) logs. If this changes for some nodes and is known e.g. to law enforcement agencies, that might encourage searching/confiscating of Tor nodes in general and increase risk for any node operator.
>
> I just log the exit connections (standard info log of Tor), which is not of much use for investigators, as they have this information already if they found the exit node.

how do investigators know that? my guess is they will see that you are providing these statistics and then also assume that you are logging the incoming connections and now have (more) reasonable cause to seize your equipment in order to facilitate coordinating the full tor-circuit or something.
Re: Exit node connection statistics
On Mon, Jul 14, 2008 at 11:03 AM, coderman [EMAIL PROTECTED] wrote:

> Should I snoop on the plaintext that exits through my Tor relay?
>
> No. You may be technically capable of modifying the Tor source code or installing additional software to monitor or log plaintext that exits your node. However, Tor relay operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications, while non-U.S. operators may be subject to similar laws. Do not examine the contents of anyone's communications without first talking to a lawyer.
>
> best regards,

If he's not concerned with possible legal problems, like if he's staying anonymous, this really doesn't matter. It's really his choice.
Re: Exit node connection statistics
On Mon, Jul 14, 2008 at 8:43 AM, [EMAIL PROTECTED] wrote:

> Jan Reister:
>
> > I would probably add your node to my ExcludeNodes entry.
>
> I would like to see a discussion about this. So you'd prefer using exit nodes that keep that information for their own? Why? Or do you blindly trust all other Tor operators until they show some bad behaviour? I'm not a friend of two-classes knowledge, and what a Tor node operator can know, everybody can know. Else it's nothing but security by obscurity. Can you explain what the threat scenario is for what I'm doing?

IMO not very much at all, as long as your node remains anonymous. You shouldn't be endangering the anonymity of users.
Re: Exit node connection statistics
On Mon, Jul 14, 2008 at 2:38 AM, Jan Reister [EMAIL PROTECTED] wrote:

> On 13/07/2008 17:54, [EMAIL PROTECTED] wrote:
>
> > I set up a statistics script creating a list of the top 100 hosts each day to which Tor users connect to over my node (only for ports 80 and 443). I decided to make this accessible through a hidden service only,
>
> You should add your relay nick and publish that page on your exit node public IP address. This way users can check that the stats are related to a specific relay. I would probably add your node to my ExcludeNodes entry.
>
> Jan

If he did that, it would skew the results.
Re: Exit node connection statistics
On 13/07/2008 17:54, [EMAIL PROTECTED] wrote:

> I set up a statistics script creating a list of the top 100 hosts each day to which Tor users connect to over my node (only for ports 80 and 443). I decided to make this accessible through a hidden service only,

You should add your relay nick and publish that page on your exit node public IP address. This way users can check that the stats are related to a specific relay. I would probably add your node to my ExcludeNodes entry.

Jan
Re: Exit node connection statistics
Unfortunately, the mail address mplsfox is not registered as contact of any Tor relay, so if mplsfox doesn't say the name of his exit node, there is no chance to get it. There is only one exit node with a contact on sneakemail.com:

Unnilquadium kjo3tan02 at sneakemail dot com

but there doesn't have to be any relationship, of course.

Marek

On Mon, Jul 14, 2008 at 11:38 AM, Jan Reister [EMAIL PROTECTED] wrote:

> On 13/07/2008 17:54, [EMAIL PROTECTED] wrote:
>
> > I set up a statistics script creating a list of the top 100 hosts each day to which Tor users connect to over my node (only for ports 80 and 443). I decided to make this accessible through a hidden service only,
>
> You should add your relay nick and publish that page on your exit node public IP address. This way users can check that the stats are related to a specific relay. I would probably add your node to my ExcludeNodes entry.
>
> Jan
Re: Exit node connection statistics
Jan Reister:

> I would probably add your node to my ExcludeNodes entry.

I would like to see a discussion about this. So you'd prefer using exit nodes that keep that information for their own? Why? Or do you blindly trust all other Tor operators until they show some bad behaviour? I'm not a friend of two-classes knowledge, and what a Tor node operator can know, everybody can know. Else it's nothing but security by obscurity. Can you explain what the threat scenario is for what I'm doing?

In order to advocate Tor it is said that the advantages outweigh the disadvantages, and I agree in general. But I think we know too little about the usage behaviour to make this a strong argument. How much of Tor traffic is illegal? For me personally it would be fine if even 99% is some illegal file sharing or email-address harvesting, if in return just one Chinese blogger is rescued from going to jail. But for others it might be different. I think it's the wrong approach to just close our eyes and say we don't want to know. Surveys on usage behaviour are not generally threatening the anonymity of the users but can help to make the Tor experience better.

My personal motivation is that I fully and actively support anonymity in the net, especially for people in authoritarian states, but I don't want to spend my time and efforts for people abusing Tor to download the latest movies because they don't have the balls to do it directly or for spammers who farm for email-addresses. So I'd like to get an idea how the ratio between the two use-cases is and if there is something I can do to improve the situation. I think everybody who supports the usability of Tor by operating a node has every right to try to gather some information about that. And I don't want to keep it for myself but share it with everybody.

I'm not argument-resistant. So tell me your views.

Best regards.
Re: Exit node connection statistics
On Mon, Jul 14, 2008 at 8:43 AM, [EMAIL PROTECTED] wrote:

> ... do you blindly trust all other Tor operators until they show some bad behaviour? [that's] nothing but security by obscurity.

this is why use of SSL/TLS over Tor is so strongly encouraged.

> Can you explain what the threat scenario is for what I'm doing? ... I'm not argument-resistant. So tell me your views.

the strongest argument is not for the privacy of those who exit your node, but your own personal liability for knowing what exits your node. see the Tor Legal FAQ: https://www.torproject.org/eff/tor-legal-faq.html.en

Should I snoop on the plaintext that exits through my Tor relay?

No. You may be technically capable of modifying the Tor source code or installing additional software to monitor or log plaintext that exits your node. However, Tor relay operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications, while non-U.S. operators may be subject to similar laws. Do not examine the contents of anyone's communications without first talking to a lawyer.

best regards,
Re: Exit node connection statistics
[EMAIL PROTECTED] wrote:

> Can you explain what the threat scenario is for what I'm doing?

Three lines of thought come to my mind:

Point # 1: to be relevant, a statement about an exit node should allow fact-checking. For example, if you say you collect and publish traffic stats of your exit node, you should provide your node's nick and publish that info in a way that everybody can check, e.g. in a web page on the node's IP address (BTW, this won't influence your traffic stats since users would connect to an IP that has a Tor node on it).

Point # 2: bad exit nodes exist, Tor is designed to limit the impact of a bad node on overall anonymity. Moreover, Tor clients can use the ExcludeNodes directive to avoid using known bad nodes. The Tor Exit Scanner project, moreover, wants to notice misconfigured, broken, and even malicious exit relays. Traffic analysis is bad for anonymity, so if I can prove that node X does traffic inspection, I would avoid using that node.

Point # 3: curiosity about one's own relay traffic is normal. You can use ntop, IDS software or whatever to inspect your exit traffic: the bad things will always stand out (ssh scans, web attacks, bittorrent tracker traffic) while the normal users will go unnoticed. This is especially true if you have an NIDS. When you run an exit relay for the public, you should accept that a small fraction of the traffic may be undesirable. If ExitPolicy is not enough for you, you can run a middleman relay.

> My personal motivation is that [...] I don't want to spend my time and efforts for people abusing Tor [...] So I'd like to get an idea how the ratio between the two use-cases is and if there is something I can do to improve the situation.

We can improve the situation by spreading Tor among everyday users and fostering the diversity of its user base. The lame/nice user ratio is very low and it reflects the actual usage patterns on the Internet.

Jan
Exit node connection statistics
Hi, I don't know if somebody did this before, but I think it is quite interesting, to which hosts most of the exit connections go to. So I set up a statistics script creating a list of the top 100 hosts each day to which Tor users connect to over my node (only for ports 80 and 443). Besides just being interesting, this can also show potential security problems on the top hosts which are being exploited over Tor. For example, during the last weeks rapleaf.com was always at the top, and they keep a huge email-address database. This is probably no incident. The log data necessary for this is being deleted after one day not to compromise the anonymity of the users. I decided to make this accessible through a hidden service only, since I don't want to influence the exit node usage behaviour. This is the address: http://ob44yuhbyysk5xft.onion If you think this is a stupid idea or you have ideas for other interesting stats and for any other comment you can reach me by mplsfox02_AT_sneakemail_DOT_com. I don't know how long I will stay subscribed with or-talk, since I just wanted to seed the information. Spread it as you like. Regards, a Tor exit node operator.
Re: Exit node connection statistics
Although I'm sure a lot of the paranoid sticklers will be upset by you doing this, I think you should keep doing it. It is a quite interesting project, and as far as I can see, doesn't cause any harm.