Re: exitnodes
On 01/09/2010 10:27 PM, Seth Ness wrote:

> I always restricted my exitnode to the UK, by setting strictexitnodes and having an exitnodes line followed by a list of UK exit node names and that works fine.

It should; there are 24 exit nodes in the UK at last check.

> Also, where exactly is the torrc config file I am supposed to edit on the Mac with the official installation package? The one I found and used was blank.

Depending upon how you installed, look in ~/Library/Vidalia/torrc.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B
Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject

*** To unsubscribe, send an e-mail to majord...@torproject.org with "unsubscribe or-talk" in the body. http://archives.seul.org/or/talk/
exitnodes
Hi,

I'm using the latest stable release for Mac OS X. I always restricted my exitnode to the UK, by setting strictexitnodes and having an exitnodes line followed by a list of UK exit node names and that works fine. Recently I tried exitnodes {gb} and Tor cannot connect. Shouldn't this work? Am I missing something?

Also, where exactly is the torrc config file I am supposed to edit on the Mac with the official installation package? The one I found and used was blank.

Seth L. Ness M.D., Ph.D.
Director, Medical Leader - Pediatrics
Neuroscience Therapeutic Area
Johnson & Johnson Pharmaceutical Research & Development L.L.C
920 Route 202 South, (Rm 2379)
Raritan, New Jersey 08869 U.S.A.
Tel: 908-927-3487
FAX: 609-964-1913
Email: s...@columbia.edu
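The two ways of pinning exits that this thread compares, written out as a torrc fragment. This is an added illustration, not text from either message. It assumes a Tor build that accepts two-letter country codes in ExitNodes and can find a GeoIP database (the installers ship one), and it uses StrictNodes, which current Tor documents as the replacement for the StrictExitNodes option Seth mentions. The nicknames in the commented-out line are placeholders, not real relays.

```conf
## Constructed example torrc: only exit through relays the GeoIP database
## places in the UK. Country codes need that database; if Tor was installed
## somewhere unusual, point it at the file explicitly:
# GeoIPFile /path/to/geoip

# Country-code form: one ISO code in braces. Several entries may be listed,
# comma-separated, and mixed with $FINGERPRINT entries.
ExitNodes {gb}

# Older equivalent, as Seth describes: an explicit list of relays. It goes
# stale silently as relays come and go, which is why the country form exists.
# (Nicknames below are placeholders.)
# ExitNodes NicknameOne,NicknameTwo,$0123456789ABCDEF0123456789ABCDEF01234567

# Fail rather than quietly fall back to an exit somewhere else. Older Tor
# spelled this StrictExitNodes 1. With it set, "cannot connect" is the
# expected symptom whenever the client's view of the network contains no
# usable exit matching the list, so check that before blaming the GeoIP lookup.
StrictNodes 1
```

Two caveats the thread itself raises apply to any such configuration: a relay's "country" is only what a GeoIP database says about its address, so expect misclassifications, and restricting exits to a small set makes a user's circuits easier to distinguish than the default selection.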
ExitNodes for encrypted connects only are not possible. Why?
In 'git.torproject.org/checkout/tor/master/doc/spec/dir-spec.txt' ExitNodes are defined as:

  "Exit" -- A router is called an 'Exit' iff it allows exits to at least two of the ports 80, 443, and 6667 and allows exits to at least one /8 address space.

I would like to set up my ExitNode for ports 443, 465, 563, 993, 995 (https, ssmtp, nntps, imaps, pop3s) only, but this is not possible. What's the reason behind this? Is there any chance to loosen this restriction in one of the next releases?
Re: ExitNodes for encrypted connects only are not possible. Why?
On 05/09/2009 11:19 AM, Gitano wrote:

> In 'git.torproject.org/checkout/tor/master/doc/spec/dir-spec.txt' ExitNodes are defined as:
>
>   "Exit" -- A router is called an 'Exit' iff it allows exits to at least two of the ports 80, 443, and 6667 and allows exits to at least one /8 address space.
>
> I would like to set up my ExitNode for ports 443, 465, 563, 993, 995 (https, ssmtp, nntps, imaps, pop3s) only, but this is not possible. What's the reason behind this? Is there any chance to loosen this restriction in one of the next releases?

Feel free to configure your node to exit to those 5 ports only. That makes your node an exit node for connections to those ports. Your node won't get the Exit flag, though, but that's not required for being an exit node.

The Exit flag is used by clients for path selection. Relays with the Exit flag are selected less often for non-exit positions, so that their bandwidth is saved for exiting connections. That means that your node will be selected more often as middle node and less often as exit node compared to relays that have the Exit flag.

It's unlikely that the criteria you pasted above will be changed. There need to be some criteria, and if almost every node matches them, the flag would be useless.

Hope that helps!
--Karsten
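The Exit-flag rule quoted above can be checked against a candidate exit policy before the relay is ever brought up. The Python below is an added example, not Tor's code: it parses descriptor-style `accept`/`reject` lines and applies the rule as the spec text states it (a port counts only if it may exit to at least one whole /8 that no earlier reject touched). The sample policies are constructed for the demonstration; the first one is Gitano's five-port proposal, which gets 443 only and therefore no flag.

```python
"""Decide whether a relay's IPv4 exit policy meets the dir-spec Exit-flag rule.

Rule (dir-spec): a router is an 'Exit' iff it allows exits to at least two of
the ports 80, 443 and 6667, each to at least one /8 address space.
Added example; this is a reading of that sentence, not Tor's implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

EXIT_FLAG_PORTS = (80, 443, 6667)
ALL_V4 = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class PolicyEntry:
    accept: bool
    network: ipaddress.IPv4Network
    port_min: int
    port_max: int


def parse_policy(lines: List[str]) -> List[PolicyEntry]:
    """Parse 'accept|reject ADDR[/BITS]:PORT[-PORT]' lines; '*' means any.

    IPv4 only: accept6/reject6 lines are skipped because the flag rule is
    stated in terms of IPv4 /8s. Order is preserved; first match wins.
    """
    entries: List[PolicyEntry] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(("accept6", "reject6")):
            continue
        action, _, target = line.partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown policy action: {raw!r}")
        addr, sep, ports = target.rpartition(":")
        if not sep:
            raise ValueError(f"missing ':' in policy target: {raw!r}")
        network = ALL_V4 if addr == "*" else ipaddress.IPv4Network(addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {raw!r}")
        entries.append(PolicyEntry(action == "accept", network, lo, hi))
    return entries


def port_reaches_a_slash8(policy: List[PolicyEntry], port: int) -> bool:
    """True if `port` may exit to at least one whole /8 under this policy.

    Walk entries in order. A reject covering the port poisons every /8 it
    touches; an accept that is /8 or wider and lands on an unpoisoned /8
    satisfies the rule. Accepts narrower than /8 (single hosts, /16s) never
    count, so a whitelist of a few destinations cannot earn the flag.
    """
    poisoned: Set[int] = set()
    for e in policy:
        if not e.port_min <= port <= e.port_max:
            continue
        first = int(e.network.network_address) >> 24
        last = int(e.network.broadcast_address) >> 24
        for block in range(first, last + 1):
            if block in poisoned:
                continue
            if e.accept:
                if e.network.prefixlen <= 8:
                    return True
            else:
                poisoned.add(block)
    return False


def general_exit_ports(policy: List[PolicyEntry]) -> Tuple[int, ...]:
    return tuple(p for p in EXIT_FLAG_PORTS if port_reaches_a_slash8(policy, p))


def qualifies_for_exit_flag(policy: List[PolicyEntry]) -> bool:
    return len(general_exit_ports(policy)) >= 2


# Constructed sample policies (not taken from any real relay descriptor).
ENCRYPTED_ONLY = ["accept *:443", "accept *:465", "accept *:563",
                  "accept *:993", "accept *:995", "reject *:*"]
WEB_ONLY = ["reject *:25", "accept *:80", "accept *:443", "reject *:*"]
PINHOLE = ["accept 192.0.2.10:80", "accept 192.0.2.10:443", "reject *:*"]
OPEN_MINUS_PRIVATE = ["reject 10.0.0.0/8:*", "reject 192.168.0.0/16:*", "accept *:*"]

if __name__ == "__main__":
    for name, lines in (("encrypted-only", ENCRYPTED_ONLY), ("web-only", WEB_ONLY),
                        ("pinhole", PINHOLE), ("open-minus-private", OPEN_MINUS_PRIVATE)):
        pol = parse_policy(lines)
        print(f"{name:20s} ports={general_exit_ports(pol)} exit_flag={qualifies_for_exit_flag(pol)}")
```

Running it shows the distinction Karsten draws: `encrypted-only` and `pinhole` are perfectly valid exit policies (the relay will carry exit traffic to those ports), but only `web-only` and `open-minus-private` satisfy the two-of-three-ports test that the authorities use for the flag.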
Re: ExitNodes for encrypted connects only are not possible. Why?
Karsten Loesing wrote:

> Feel free to configure your node to exit to those 5 ports only. That makes your node an exit node for connections to those ports. Your node won't get the Exit flag, though, but that's not required for being an exit node.
>
> The Exit flag is used by clients for path selection. Relays with the Exit flag are selected less often for non-exit positions, so that their bandwidth is saved for exiting connections. That means that your node will be selected more often as middle node and less often as exit node compared to relays that have the Exit flag.

Thank you for illuminating this. I will do so.

> It's unlikely that the criteria you pasted above will be changed. There need to be some criteria, and if almost every node matches them, the flag would be useless.

Ok, but adding one more 'secure' port beside 443 would be enough in this case.
Re: ExitNodes for encrypted connects only are not possible. Why?
On 05/09/2009 01:38 PM, Gitano wrote:

>> It's unlikely that the criteria you pasted above will be changed. There need to be some criteria, and if almost every node matches them, the flag would be useless.
>
> Ok, but adding one more 'secure' port beside 443 would be enough in this case.

I'm not sure what you are trying to achieve with that. The idea is not to flag as many nodes that permit exiting as Exit nodes. The idea is to relieve the exit nodes carrying most of the exit traffic from acting as middle nodes, so that they can push more exit traffic. The same is done for guard nodes, by the way. It's unlikely that your node would carry as much exit traffic with the five ports you mentioned as compared to other nodes that already meet the requirements for the Exit flag.

Of course the requirements could be lowered to assign the Exit flag to more relays. But it defeats the purpose if too many nodes have that flag. In the end, all nodes would see the same load as before, without the Exit flag.

I'm not saying that the current definition for the Exit flag is perfect. But right now we lack good data to come up with a better definition.

Best,
--Karsten
When will the ExitNodes {...} feature be released?
As far as I know the ExitNodes {..} feature for determining the exit nodes' country is currently in alpha stage. When will it be stable and released (approx)? Is it a matter of days/weeks/months/years?

Thank you
Ben
RE: Choose exitnodes in country x
pickaproxy.com and geospoofing.com will be offering this functionality as a server-side service - you will be able to choose an exit node in country/state/city/ISP/Org so that the server can then set up a long-lived Tor circuit for you - you will then be advised on how to configure your workstation proxy settings, with regard to port number and domain/host name.

This does not require you to install Tor on your machine, or to upgrade it when new versions come around. Nor will Vidalia or Privoxy be required on the workstation. We will offer options to use stunnel or OpenVPN connections to our server (your proxy). And we're looking at using polipo (on the server) to speed things up.

We have multiple sources of geolocation data so they will be more accurate than the open source GeoIP library - we pay for them where the license requires us to.

. . . Wesley Kenzie
WebMaster, showmyip.com, etc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Hogan
Sent: July 3, 2007 12:58 PM
To: [EMAIL PROTECTED]
Subject: Re: Choose exitnodes in country x

On Tuesday 03 July 2007 15:35:21 you wrote:
> Hello, it would be nice to have the ability to choose only exitnodes in country X. Additional to ExitNodes nickname, ... something like this: ExitCountry country, ... would be nice. country should be the official TLD code I think: http://www.iana.org/root-whois/index.html
>
> There is more and more censorship at websites that only allow visitors from specific countries or show different content.

As Jonathan Yu pointed out there is no particularly reliable method for choosing by country; geoip is the closest match out there. TorK uses geoip to offer a 'Citizen Of' feature, where you choose the country you want to 'browse the internet from', i.e. use exitnodes from only that country.

-- 
Browse Anonymously Anywhere - http://anonymityanywhere.com
TorK - KDE Anonymity Manager - http://tork.sf.net
KlamAV - KDE Anti-Virus - http://www.klamav.net
RE: Choose exitnodes in country x
Hi Wesley -

I'm going to presume that your email isn't advertising a commercial service, which I'd certainly find to be in dubious taste, both from the standpoint of inappropriate advertising, and from the moral standpoint of profiting from the goodwill of others.

However - could you say a word-or-five about the privacy and anonymity implications of connecting directly to your well known site, and then asking for a specific exit node?

It seems to me that you're not only encouraging people to make highly identifiable connections to a single location (stunnel or OpenVPN to your servers), which would then be an excellent target for compromising anonymity - but you're also then encouraging people to reduce their anonymity by selecting extremely specific exit nodes, making it, again, easier to identify and target them.

I note that you're saying that Vidalia and Privoxy won't be required - is your plan to run all of the user traffic through your server, and then through the Tor network?

A comment on the implications of using a caching web proxy for Tor users on your server would be interesting as well.

cheers!

On Wed, 4 Jul 2007, Wesley Kenzie wrote:
> pickaproxy.com and geospoofing.com will be offering this functionality as a server-side service - you will be able to choose an exit node in country/state/city/ISP/Org so that the server can then set up a long-lived Tor circuit for you [...]

==========
A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now.
RE: Choose exitnodes in country x
You are correct - this is not just to be a commercial service. We do not intend to offer a completely anonymous service, but rather to extend the existing usefulness of Tor to more users and to provide functionality which we are always being asked about - namely how to spoof being in a particular geographic location. We will make it as clear as we can where anonymity can be compromised or exposed, much as Tor already does on its download page.

Our server(s) will function as an entry point to the Tor network, but if we can find a way to afford to scale it then we will distribute these to various locations so there will be multiple and (relatively) randomly selected servers and port numbers.

The use of polipo will be optional - again we will make everyone aware of its implications. I have seen how it improves the speed and responsiveness of using Tor, so would like to make that available to people who want it.

Basically we see that not everyone needs or wants 100% anonymity, and we do not intend to only target that market. In fact, is it even possible anywhere with anything right now?

We're also listening to what our users want, so welcome comments and cat calls :)

. . . Wesley

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cat Okita
Sent: July 4, 2007 4:22 PM
To: [EMAIL PROTECTED]
Cc: or-talk@freehaven.net
Subject: RE: Choose exitnodes in country x

> Hi Wesley -
>
> I'm going to presume that your email isn't advertising a commercial service, which I'd certainly find to be in dubious taste, both from the standpoint of inappropriate advertising, and from the moral standpoint of profiting from the goodwill of others.
>
> However - could you say a word-or-five about the privacy and anonymity implications of connecting directly to your well known site, and then asking for a specific exit node? [...]
Re: Analyzing TOR-exitnodes for anomalies
Claude LaFrenière @ 2006/10/06 12:24:
> For the moment nothing proves that any exit nodes are responsible for this. We have to do something based on facts not fears...

How about this then?

When navigating to www.ezboard.com the proper page is loaded and displayed, verified by comparing the IP address of www.ezboard.com found with and without tor_resolve.exe. However, after entering your username/password and logging in from that page, the request is handled by login.ezboard.com, which resolved to 64.74.223.198!! The correct IP for login.ezboard.com is 209.66.118.157. Also, the now infamous URL with the flanding.domainsponsor.com and SUSPECTED+UNDESIRABLE+BOT junk in it was shown as the address.

I think 64.74.223.198 possibly now hijacked the ezboard login information! Unfortunately during this time I was scurrying about trying to reset my password and wasn't able to get the IP of the exit node I was using.

> I suggest, if the facts prove that some exit nodes are responsible, that we keep them temporarily, instead of immediately blocking them, and use them as guinea pigs to study their behaviour and prevent that kind of abuse in the future. Consider this as a laboratory experiment with cyber-rats! ;-) Better than [EMAIL PROTECTED] IMHO. :)

Fact or fear, then? ;)

Using unencrypted authentication over Tor is dumb to begin with, but this really emphasizes it I think! This is too unfortunate as many sites still do not use SSL but sometimes Tor users still at least need location privacy. So I for one hope we can dispose of these cyber-rats soon.
Re: Analyzing TOR-exitnodes for anomalies
Hi Taka Khumbartha:

> Claude LaFrenière @ 2006/10/06 12:24:
>> For the moment nothing proves that any exit nodes are responsible for this. We have to do something based on facts not fears...
>
> How about this then? When navigating to www.ezboard.com the proper page is loaded and displayed [...] after entering your username/password and logging in from that page, the request is handled by login.ezboard.com, which resolved to 64.74.223.198!! The correct IP for login.ezboard.com is 209.66.118.157. [...] I think 64.74.223.198 possibly now hijacked the ezboard login information! [...]
>
> Fact or fear, then? ;)

I found some interesting information about this IP address: 64.74.223.198

A) First IP query ... The domain name for the specified IP address could not be found

  Initiating server query ...
  Looking up the domain name for IP: 64.74.223.198
  (The domain name for the specified IP address could not be found.)
  Connecting to the server on standard HTTP port: 80 [Connected]
  Requesting the server's default page.
  The server returned the following response headers:

  HTTP/1.1 200 OK
  Connection: close
  Date: Sun, 08 Oct 2006 13:45:07 GMT
  Server: Microsoft-IIS/6.0
  X-Powered-By: ASP.NET
  X-AspNet-Version: 2.0.50727
  p3p: CP="CAO PSA OUR"
  Set-Cookie: Domain=; path=/
  Set-Cookie: Domain=223.198; path=/
  Set-Cookie: RSAddParams=; path=/
  Set-Cookie: RSAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOKsyB5kP__xvek2IXUyHdaJqI5t6tpKyTKqmJSm0V1DPfpDBHppNXjFKlH8Sm7L3Lvyapfvaaamj6pVRlFechgR5wQkDC7RuB1FqstRZKAhV_EEOZz2zXNybkrsnzAUBfdG-SGB5P-a_1VrJSpHZrlPphCK4r9B1PifOr4w0kNtM-iN3vw-1z6vF07LDwbhPYYYipjk4t0GvDN-nzq_34xVXdgP61cH_Vg..; path=/
  Set-Cookie: LastURL=; path=/
  Set-Cookie: LastURL=http://64.74.223.198/default.pk; path=/
  Set-Cookie: RefPage=; path=/
  Set-Cookie: RefPage=0; path=/
  Set-Cookie: PCAddParams=; path=/
  Set-Cookie: PCAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOLsy4P_hv7-Pr0nxC0mQbrRNRFdvltLWSTVU5KX2igoZz9K4IzNJi8ZJUk_i03au5b_Jml89plqaTqnFGUV5GGA3nECQcLum4EUWiy1VkhCFf8Qy5svbJc15uVuyjMB8AsGjfpD7srWalaqzkqcjCVxx06BFfV-c6hhPIV-YaUe2n_Rp91Yfp5-Hi3Flw4NEnnMMb0xecb6DOC3en1a_24zSfcIfV1IA; path=/
  Set-Cookie: SessionHitCount=; path=/
  Set-Cookie: SessionHitCount=1; path=/
  Set-Cookie: ActionsTaken=; path=/
  Set-Cookie: ActionsTaken=D A1 22L ; path=/
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: -1
  Content-Type: text/html; charset=utf-8
  Content-Length: 2381
  Vary: Accept-Encoding
  Content-Encoding: gzip

  Query complete.

B) Here I found the domain name: enom, and the hosting provider: internap

  http://www.ipv6tools.com/tools/whois.ch?ip=64.74.223.198&src=ShowIP
  Location: United States [City: Oakland, California]
  NOTE: More information appears to be available at NET-64-74-223-0-1.
  Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 64.74.0.0 - 64.74.255.255
  eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 64.74.223.0 - 64.74.223.255

  http://www.dnsstuff.com/tools/whois.ch?ip=!NET-64-74-223-0-1&server=whois.arin.net
  CustName:   eNom
  Address:    2002 156th Ave NE
  City:       Bellevue
  StateProv:  WA
  PostalCode: 98008
  Country:    US
  RegDate:    2005-09-23
  Updated:    2005-09-23
  NetRange:   64.74.223.0 - 64.74.223.255

  http://www.dnsstuff.com/tools/whois.ch?ip=!INO3-ARIN&server=whois.arin.net&type=P
  Name:    InterNap Network Operations Center
  Handle:  INO3-ARIN
  Company: Internap Network Operations Center
  Address: Internap Network Services

From: http://www.completewhois.com/hijacked/index.htm
http://www.completewhois.com/cgi-bin/whois.cgi

  Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006
  Unknown domain: 64.74.223.198
  [IPv4 whois information for 64.74.223.198 ]
  [whois.arin.net]
  Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1)
Re: Analyzing TOR-exitnodes for anomalies
On Thu, 2006-10-05 at 11:41, Alexander W. Janssen wrote:
> OK, well, I checked that whistlersmother as well and got this picture: http://cjoint.com/data/kfr4jmDAsY.htm

I've read or skimmed the entire thread which seems to have ended midday Thu, 10-5. Friday morning I clicked on a Cnet newsletter link:
http://ct.cnet-ssa.cnet.com/clicks?t=13228073-17329da91d4282a70255804e6ba2f6d5-bfs=5fs=0

Tor was enabled in Firefox and I got a page almost identical to the one Alexander posted above, except it had Cnet.com at the top. At some subsequent time I copied the URL into an open copy of Firefox, and got a somewhat similar page, except it had a variety of graphic content that made the page look much slicker. I wondered what was going on. Is Cnet blocking anonymous traffic? I tried a browser not using Tor, and got a normal Cnet page with the expected content. I then tried three other anonymizing services, The Cloak, Anonymouse, and HideMyAss, with the same URL. All got the same correct result as the non-Tor browser.

While reading this thread, when I saw Alexander's screen capture, I realized that was just about what I'd seen Friday morning and tried Firefox with Tor again and saw the expected Cnet page. I've tried multiple times since, over a couple of hours, and each time got the right page.

I am very skeptical of one of the hypotheses, that web hosting services are blocking Tor access. If a provider did this without an explicit policy and/or informing their customers that this was part of their practices, they could easily be liable for any lost value for every hosted site that had any decrease in traffic as a result of such blocking. Second, why would any hosting service care who visited its clients' web sites? Who they want as visitors is and should be a matter of concern only to the sites' owners. A hosting service might assist a specific site in blocking some type of unwanted traffic, and charge the customer for the additional service.

In the case of Cnet, they are a rather major Internet content provider and I expect they run their own servers. Regardless of who manages Cnet's servers, they are big enough that they would expect full control over any policies that denied access to any visitor. A query from the right party to the right people at Cnet should answer conclusively whether or not Cnet has had any part in this. If so then it should be a Tor / EFF education matter and if not, then some other theory needs to be considered.

After writing this, I think it makes no sense at all. If Cnet wanted to block someone they would display some kind of error message or page; they would never redirect someone to a link farm of unrelated links. It makes zero business sense to send visitors elsewhere with no explanation.

I have one more theory or, more accurately, a guess. When I was testing to see if Tor was working, I visited grc.com to use the Shields Up test. If they showed an IP that wasn't mine, then I could be pretty sure Tor was working. The first time I visited them, I was surprised when they determined I was behind a proxy and refused to go any further. Later, I tried again and this time they just determined a different IP address than mine. I decided to go ahead and do a Common Ports scan. I was appalled. The exit node seemed to have all kinds of open ports - a lot more than I thought would be proxied by Tor. Unfortunately I did not think to write down the reverse DNS address or the open ports.

My thought is that some exit nodes may be compromised without the operators' knowledge. Maintaining good security while running an exit node does not look like a simple task. I'm reluctant to do more of these scans because they are an unauthorized port scan against the exit node. If however I see another of the strange pages discussed in this thread I will try to capture the page and then quickly do a scan.

George Shaffer
Re: Analyzing TOR-exitnodes for anomalies
Yesterday, I linked to Slashdot and got a bogus page in German. Restarting my Tor client (i.e., getting a new set of circuits) got me to the real Slashdot page. ???

Clifnor

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own
Re: Analyzing TOR-exitnodes for anomalies
Greetings!

Been experiencing this particular issue since Sunday, following the topic here.

From 05-Oct: exiting from hotmail account, redirected link:
http://g.msn.com/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3dmsn.com%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT
tor exit node: whistlersmother

First noticed this problem on Sunday when the clusty homepage was transformed with porno-style images; it also had the same catch phrase "what you need, when you need it". Unfortunately didn't note the redirected URL on that occasion.

I'm quite happy to report further examples as and when they occur. Please, if there is any other technical data I can send with these reports, let me know what to include (if that's useful).
Re: Analyzing TOR-exitnodes for anomalies
Hi Stephen:

> Greetings! Been experiencing this particular issue since Sunday, following the topic here.
>
> From 05-Oct: exiting from hotmail account, redirected link:
> http://g.msn.com/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3dmsn.com%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT
> tor exit node: whistlersmother
>
> First noticed this problem on Sunday when the clusty homepage was transformed with porno-style images; it also had the same catch phrase "what you need, when you need it". [...]

Hmmm... I had this problem with Whistlemother exit node and this site: http://www.iamaphex.net with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah filter ... =SUSPECTED+UNDESIRABLE+BOT

My hypothesis was a filter used by the Web sites' hosting service. But now you find the same frame with Hotmail... Therefore my hypothesis was wrong.

Did this come from this exit node? From the DNS server (local or remote) of this exit node? From some nodes in between? Or what? I have no idea for the moment. Maybe Alexander W. Janssen has an idea?

Thank you Stephen for helping us to fix this problem.

Best regards,
-- 
Claude LaFrenière
Re: Analyzing TOR-exitnodes for anomalies
> Hmmm... I had this problem with Whistlemother exit node and this site: http://www.iamaphex.net with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah filter ... =SUSPECTED+UNDESIRABLE+BOT

I have the same experience using whistlersmother for the same site.

-- 
KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK - A Tor Controller For KDE - http://tork.sf.net
Re: Analyzing TOR-exitnodes for anomalies
On Friday 06 October 2006 19:21, Robert Hogan wrote:
>> Hmmm... I had this problem with Whistlemother exit node and this site: http://www.iamaphex.net with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah filter ... =SUSPECTED+UNDESIRABLE+BOT
>
> I have the same experience using whistlersmother for the same site.

And I have the same experience with practically every other exit node I try for this site. So whistlersmother is not the problem...

-- 
KlamAV - An Anti-Virus Manager for KDE - http://www.klamav.net
TorK - A Tor Controller For KDE - http://tork.sf.net
Re: Analyzing TOR-exitnodes for anomalies
Hi Robert Hogan:

> On Friday 06 October 2006 19:21, Robert Hogan wrote:
>>> Hmmm... I had this problem with Whistlemother exit node and this site: http://www.iamaphex.net with the same frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com blah blah blah filter ... =SUSPECTED+UNDESIRABLE+BOT
>>
>> I have the same experience using whistlersmother for the same site.
>
> And I have the same experience with practically every other exit node I try for this site. So whistlersmother is not the problem...

Hmmm... Personally I don't believe that Whistlemother (or any other nodes) are responsible for this... It looks like a web server filter or DNS server filter... But now how to explain the same behaviour with a web site like http://www.iamaphex.net and a web site like hotmail.com??? They don't share the same web hosting service...

Is this a new filter for Web sites or Web hosting?

Another question: how does this filter spot a Tor exit like Whistlemother? I guess it's based on the IP address of this exit node. (Or the browser referer sent to the web site...???)

Since no exit nodes have control over what is done by Tor users, is it possible that some bad guys had used Tor for unacceptable things and put the Whistlemother IP address into a black list of this hypothetical filter???

One way to check this is to compare exit nodes with a fixed IP address with the exit nodes with a dynamic IP address and see if this makes a difference. If an exit node with a dynamic IP address is not spotted as a bad IP in the hypothetical bad-list filter, then the filter is based on IP address. Many tests must be done before proving this...

If the behaviour of fixed IP address exit nodes and the behaviour of dynamic IP address exit nodes are the same, then a) the hypothetical filter is not based on IP address, b) there is no such filter but something else...??? [not sure...] :-\ (!!! Hmmm... I have to revise my formal logic manuals a little bit... ;-) )

It's hard to find enough data about this problem because there's no way to easily reproduce it. :)

-- 
Claude LaFrenière
Re: Analyzing TOR-exitnodes for anomalies
Hi *M* :

> How can I see which exit node is being used?

Check this with Vidalia ...

> http://www.debian-administration.org/ was mutilated by exit node into something similar that you are reporting. Quite alarming trend.

Please let us remain calm like Norwegian sailors in the storm.

> I think that badly behaving exit nodes should be excluded automagically. How, I don't know =).

For the moment nothing proves that any exit nodes are responsible for this. We have to do something based on facts, not fears... I suggest, if the facts prove that some exit nodes are responsible, that we keep them temporarily, instead of immediately blocking them, and use them as guinea pigs to study their behaviour and prevent that kind of abuse in the future. Consider this as a laboratory experience with cyber-rats ! ;-) Better than [EMAIL PROTECTED] IMHO. :)

--
Claude LaFrenière
Re: Analyzing TOR-exitnodes for anomalies
OK, I have played now for more than half an hour with nonsense domain names. Every time the connection goes through an exit node located in Texas, one time in the state of New York and one time in Denver, I have got the advertising page. Maybe it will be a nice test that someone using the same ISP - and in that case maybe the same DNS route - that one of these strange exit nodes has will test what happens when they write a not registered URL? I have also got the advertising one or two times when I was connecting to an existing page. But it seems that nonsense domain names are a good way for testing because you can reproduce the advertising.

much fun
bernd

On 06.10.2006 at 21:34 bagelcat wrote:
> hmm. I think this is a problem with some DNS server on second/third level which makes a link to that domainsponsor.com when they are asked for a not registered URL. Is it possible?
Re: Analyzing TOR-exitnodes for anomalies
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe a problem with a DNS server?

Greetz
Missi

Just now (on 6. 10. 2006 at 22:26) you typed:
> OK, I have played now for more than half an hour with nonsense domain names. Every time the connection goes through an exit node located in Texas, one time in the state of New York and one time in Denver, I have got the advertising page. Maybe it will be a nice test that someone using the same ISP - and in that case maybe the same DNS route - that one of these strange exit nodes has will test what happens when they write a not registered URL? I have also got the advertising one or two times when I was connecting to an existing page. But it seems that nonsense domain names are a good way for testing because you can reproduce the advertising.
>
> much fun
> bernd
>
> On 06.10.2006 at 21:34 bagelcat wrote:
> > hmm. I think this is a problem with some DNS server on second/third level which makes a link to that domainsponsor.com when they are asked for a not registered URL. Is it possible?

- --
Website: http://www.entartete-kunst.com/
The monitor is plugged into the serial port
Song miss of the day: Paradise Lost - Isolate
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Ich habe nichts zu verbergen!

iD8DBQFFJrz5WTjnF57KrgIRAl+jAJ4u6iBQDLgToostA4XgUcCFYpu01wCfTLFe
st2haUI1FQt/xTpQSnqKBww=
=XAot
-----END PGP SIGNATURE-----
Re: Analyzing TOR-exitnodes for anomalies
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > How can I see which exit node is being used?
>
> Check this with Vidalia ...

Thanks for the info.

> > I think that badly behaving exit nodes should be excluded automagically. How, I don't know =).
>
> For the moment nothing proves that any exit nodes are responsible for this. We have to do something based on facts, not fears... I suggest, if the facts prove that some exit nodes are responsible, that we keep them temporarily, instead of immediately blocking them, and use them as guinea pigs to study their behaviour and prevent that kind of abuse in the future.

I admit it, perhaps I was too hasty blaming anomalies on exit nodes without thinking it over. I was just pissed off (ok, that's not an excuse)... Sorry for any inconvenience =)

M

ps: ugghh, my eBay account was frozen 'cause I used it via tor... I'm using transparent tor and added some of eBay's servers to the exclude list but there's a ton of them..
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3-cvs (MingW32)
Comment: GnuPT 2.7.6
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJsD/6fSN8IKlpYoRAjp0AJ9+yg59gUqIBBgL9PHLRJe4nO8PDwCgm+QO
T0xDBZVpF0QyDVJ9ytBcc50=
=fX5t
-----END PGP SIGNATURE-----
Re: Analyzing TOR-exitnodes for anomalies
bagelcat wrote:
> OK, I have played now for more than half an hour with nonsense domain names. Every time the connection goes through an exit node located in Texas, one time in the state of New York and one time in Denver, I have got the advertising page.

I remember something about a major DNS server that was abusing its power and redirecting requests for nonexistent domains to advertising pages. Also, ISPs sometimes redirect bad requests:
http://blogs.earthlink.net/2006/08/handling_dead_domains_1.php
..and get lots of flak for it. (Not nearly enough, I say!)

I also came across a note that ISPs may be randomly redirecting requests for existing sites to domainsponsor.com in a bid to up their profits:
http://www.infosyssec.com/forum/viewtopic.php?p=11395&sid=436f73bb85d55318bf53f7ff80fc64e9

- Tim McCormack
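bernd's "nonsense domain names" test and Tim's note about resolvers that answer nonexistent names with an advertising page can be turned into a repeatable check. The script below is an added example for this thread, not code from any poster: it asks a resolver for several random, almost certainly unregistered names and flags the resolver as hijacking NXDOMAIN when every one of them comes back with the same address set (the "sinkhole"); a second check reuses that sinkhole to spot existing sites being redirected to it, the second case Tim mentions. The `Resolver` callable stands in for a real lookup (for instance one performed through a particular exit); the three resolvers at the bottom and the TEST-NET addresses are constructed fakes so the example runs offline.

```python
"""Offline check for NXDOMAIN hijacking: a resolver that answers every
nonexistent name with the same parking address.

Added example for the or-talk thread; the Resolver type is a stand-in for a
real DNS lookup and the fake resolvers below use TEST-NET addresses.
"""
import random
import string
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# A resolver maps a hostname to its A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]
AddrSet = Tuple[str, ...]


def random_name(rng: random.Random, tld: str, length: int = 12) -> str:
    """Build a name that is practically certain not to be registered."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(length))
    return f"{label}.{tld}"


def probe_resolver(resolve: Resolver, tld: str = "com",
                   probes: int = 5, seed: int = 1) -> Dict[str, object]:
    """Ask for several random names. An honest resolver returns NXDOMAIN for
    all of them; a hijacking one returns one fixed address set (the sinkhole)."""
    rng = random.Random(seed)  # fixed seed so the probe set is reproducible
    names = [random_name(rng, tld) for _ in range(probes)]
    answers: Dict[str, Optional[AddrSet]] = {}
    for name in names:
        records = resolve(name)
        answers[name] = tuple(sorted(records)) if records else None
    resolved = {n: a for n, a in answers.items() if a is not None}
    addr_sets = set(resolved.values())
    hijacked = len(resolved) == len(names) and len(addr_sets) == 1
    return {
        "hijacked": hijacked,
        "sinkhole": next(iter(addr_sets)) if hijacked else None,
        "nxdomain": len(names) - len(resolved),
        "names": names,
    }


def redirected_known_domains(resolve: Resolver, known: Sequence[str],
                             sinkhole: Optional[AddrSet]) -> List[str]:
    """Existing sites answered with the parking address: return the known
    names whose answer equals the sinkhole set found by probe_resolver."""
    if sinkhole is None:
        return []
    hits = []
    for name in known:
        records = resolve(name)
        if records and tuple(sorted(records)) == sinkhole:
            hits.append(name)
    return hits


# --- constructed fakes (TEST-NET-3 / TEST-NET-2 addresses, not real zones) ---
FAKE_ZONE = {"www.example.com": ["203.0.113.10"], "www.example.org": ["203.0.113.20"]}
PARKING = ["198.51.100.5"]
KNOWN_DOMAINS = ["www.example.com", "www.example.org"]


def honest_resolver(name: str) -> Optional[List[str]]:
    return FAKE_ZONE.get(name)  # None means NXDOMAIN


def hijacking_resolver(name: str) -> Optional[List[str]]:
    return FAKE_ZONE.get(name) or PARKING  # never admits a name does not exist


def greedy_resolver(name: str) -> Optional[List[str]]:
    if name == "www.example.org":  # also redirects a real site to the parking page
        return PARKING
    return hijacking_resolver(name)


if __name__ == "__main__":
    for label, r in [("honest", honest_resolver), ("hijacking", hijacking_resolver),
                     ("greedy", greedy_resolver)]:
        result = probe_resolver(r)
        stolen = redirected_known_domains(r, KNOWN_DOMAINS, result["sinkhole"])
        print(f"{label:10s} hijacked={result['hijacked']} "
              f"sinkhole={result['sinkhole']} redirected_known={stolen}")
```

Run per exit (or per upstream resolver) and compare: an exit whose resolver never returns NXDOMAIN is not necessarily malicious itself, which is exactly the distinction this thread is trying to draw, but its results for that site cannot be trusted.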
Re: Analyzing TOR-exitnodes for anomalies
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I am not adding anything useful, but I wish to add my feeling about this situation that people are so rapidly responding to a threat so early. :) tor will never die if people like you all are on it. (which reminds me I've blathered about writing a dns proxy patch for tor so dns leaks are a thing of the past, and I bloody better do something serious about it DANGIT!)

dns poisoning is of course a bigger problem than tor, there has been discussion about the 'splitting of the root' some months ago as it turns out that dns servers will give out different addresses depending on the nation of locality. This is a very serious problem and extends beyond the domain of the tor network. I have no idea where to point people with regard to this subject but I hope someone who has a bee in their bonnet about it will very shortly.

Claude LaFrenière wrote:
> Hi *Alexander W. Janssen* :
>
> > Hi all,
> > considering that I heard from several people that they notice strange side effects since a couple of days - altered webpage, advertisement where no ads should be - I started a little investigation if there are any obviously bogus exitnodes in the wild:
> > http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/
> > I welcome you to start your own investigation; if there are really bogus exitnodes we should be aware of those and we should know their node's nickname to put them on a shitlist. This might lead to an escalation in the future when marketeers realize the possibilities of altering traffic.
> > Comments, ideas, pointers to other projects?
> > Alex.
>
> Hmmm... Bogus exit nodes or bogus DNS servers ? Is it possible that the strange side effects come, not from the exit nodes themselves, but from the DNS server used by these exit nodes ? A kind of DNS poisoning? (From a local DNS server or remote DNS server...)
> Ref.: http://en.wikipedia.org/wiki/DNS_poisoning
>
> Our suspicions about bogus exit nodes must be based on facts so I suggest to collect information about this issue here. What we can do is to report any strange side effect including:
> - the link to the web site
> - the resulting link with the redirection like the ones we're talking about
> - the exit node used to access this web site
> :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFJLAmGkOzwaes7JsRA508AJ0bN6BhDB86etVVlYPwk5/ae7a7GQCfRqZl
KUW45IG2fHmy59wYA5bbA04=
=usn6
-----END PGP SIGNATURE-----
Re: Analyzing TOR-exitnodes for anomalies
On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
> Hmmm... Bogus exit nodes or bogus DNS servers ?

One or the other way, brute forcing my way through all exit-nodes should reveal it. Hopefully...

> Is it possible that the strange side effects come, not from the exit nodes themselves, but from the DNS server used by these exit nodes ?

Could be either way. Things which popped up in my mind:
1) DNS poisoning
2) Exit-node is behind a transparent proxy which is compromised or modified in some way
3) Outbound traffic from the exit-node gets DNATed away by some firewall

Things you could do:
1) Replacing complete websites with link-farms (that's what happened to me)
2) Using a modified web-proxy which inserts advertisements into the HTML-code (possible, it's exactly the reverse of what Privoxy does)
3) Filter content
4) Replacing valid downloads by trojaned versions
5) Replace all pictures of a website with a picture of the goatse-man...
6) Modifying text in a subtle way using simple lex-programs (e.g. replace all must by could or police by SS)
7) insert favourite attack here

> Our suspicions about bogus exit nodes must be based on facts so I suggest to collect information about this issue here.

My first run during the night was not very successful, most of the exitnodes refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that time of the day, I started another scan just minutes ago. Usually the TOR-network is not that congested in the morning.

> What we can do is to report any strange side effect including:
> - the link to the web site
> - the resulting link with the redirection like the ones we're talking about
> - the exit node used to access this web site

Aye.

> Claude LaFrenière

Alex.

--
I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped.
-- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901.
Re: Analyzing TOR-exitnodes for anomalies
Currently I'm improving my torstat page to mark nodes with bad http-behavior, using automatic http-throughput comparison of every http-servicing exit-node against a reference exit-node. Then it's up to the users to add an ExcludeNodes statement in torrc using this information.

Greets

Alexander W. Janssen wrote:
> Comments, ideas, pointers to other projects?
Re: Analyzing TOR-exitnodes for anomalies
Hi *Alexander W. Janssen* :

> On Wed, Oct 04, 2006 at 08:45:03PM -0400, Claude LaFrenière wrote:
> > Hmmm... Bogus exit nodes or bogus DNS servers ?
>
> One or the other way, brute forcing my way through all exit-nodes should reveal it. Hopefully...

This is a lot of work. Maybe a very long investigation. You need data from the other Tor users about this issue.

> > Is it possible that the strange side effects come, not from the exit nodes themselves, but from the DNS server used by these exit nodes ?
>
> Could be either way. Things which popped up in my mind:
> 1) DNS poisoning
> 2) Exit-node is behind a transparent proxy which is compromised or modified in some way

Yes!

> 3) Outbound traffic from the exit-node gets DNATed away by some firewall

ok and the fourth: some infected exit nodes with trojans, viruses, worms... This limits the investigation to Windows exit nodes !!! ;-) (No such things with BSD/Linux I presume...)

> Things you could do:
> 1) Replacing complete websites with link-farms (that's what happened to me)
> 2) Using a modified web-proxy which inserts advertisements into the HTML-code (possible, it's exactly the reverse of what Privoxy does)
> 3) Filter content
> 4) Replacing valid downloads by trojaned versions
> 5) Replace all pictures of a website with a picture of the goatse-man...
> 6) Modifying text in a subtle way using simple lex-programs (e.g. replace all must by could or police by SS)
> 7) insert favourite attack here

Or the German Tor exit nodes seized by the Polizei... Did they return these computers with some add-on ??? (Hmmm... too much paranoid I guess... ;-) )

> > Our suspicions about bogus exit nodes must be based on facts so I suggest to collect information about this issue here.
>
> My first run during the night was not very successful, most of the exitnodes refused to talk to me. I'm in timezone GMT+2 and that's pretty normal for that time of the day, I started another scan just minutes ago. Usually the TOR-network is not that congested in the morning.

OK. Let us know if you find something interesting.

> > What we can do is to report any strange side effect including:
> > - the link to the web site
> > - the resulting link with the redirection like the ones we're talking about
> > - the exit node used to access this web site
>
> Aye.

Best regards,
--
Claude LaFrenière
Re: Analyzing TOR-exitnodes for anomalies
On Thu, Oct 05, 2006 at 09:31:47PM +0800, Deephay wrote:
> Also, the logo linux-magazine.com what you need, when you need it is an image or just text?

Exactly the same page is at http://www.wdr.tv/. The content of that page is (gathered with tcpdump):

<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
<frame src="http://searchportal.information.com/?a_id=20223&domainname=wdr.tv">
</frameset>

I don't know what the variable a_id is about - maybe a customer-id? However, domainname can be set to any arbitrary value. This seems to be the company behind it: http://oversee.net/

> Maybe it is a DNS poisoning job, maybe some guy runs a local DNS server as well as a tor node to make some profit by directing us to this bogus linux-magazine?

Interesting. Maybe, that would be an explanation considering how the searchportal-thing is working. However, I'm 75% through my second run with no results so far. Will keep you updated.

> Deephay

Alex.

--
I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped.
-- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901.
Re: Analyzing TOR-exitnodes for anomalies
Hi *Alexander W. Janssen* :

Got it !

I was going to this web site: http://www.iamaphex.net (This is the web site for Torcap, a program to socksify applications in Windows O.S.) with the exit node: whistlersmother

Info:
http://node2.xenobite.eu/torstat.php
1195 whistlersmother 204.13.236.244 US [X] 9001 0 Running Yes / Guard Yes / Authority No / Fast Yes / Exit Yes / Stable Yes / Valid Yes / V2Dir No

http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?textonly=1
US *whistlersmother 204.13.236.244 Exit policies: 22 53 80 110-143 443 5190 6667

I got this:
http://www.iamaphex.net/frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com%3fa_id%3d1637%26domainname%3diamaphex.net%26adultfilter%3doff%26popunder%3doff&r=SUSPECTED+UNDESIRABLE+BOT

I found no information on that landing.domainsponsor.com ...

With the exit node l3cht3rn3t3 I got this:
Picture (remains available for 504 hours) http://cjoint.com/?kfrqWbKjxa
The link at the bottom of the page is an email address: [EMAIL PROTECTED] with this automatic email object: Inquiring about the domain 'iamaphex.net', with status: CustomVIP

With the exit node waabbeel I got this:
Picture (remains available for 504 hours) http://cjoint.com/?kfrydRFG6Q
and the link on the page is for a web site hosting: https://www.1blu.de/start.php

With the exit node s3j3gm I got the same site... and so on...

Maybe the problem comes from the web sites' host server and their sponsors... Looks like a security filter ... :-\

So the problem seems to be related to web hosting, not the exit nodes... :)

--
Claude LaFrenière
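The torstat idea above (compare every HTTP-servicing exit against a reference and let users build an ExcludeNodes line) and the frameset/frame.aspx parking pages Alex and Claude captured can be combined into one check. This is an added example written for this thread, not the torstat code or anything a poster sent: it fingerprints the body each exit returned for the same URL, takes a reference body (or, failing that, the majority) as the baseline, recognises the parking frameset pattern (a `<frame>` pointing at one of the hosts reported in the thread, or at any host with a `domainname=` parameter), and emits the torrc line. The response bodies are constructed; the `a_id=20223` value is the one from Alex's capture, the rest of that URL is made up.

```python
"""Compare what different exit nodes return for one URL and single out the
ones serving something else (parking redirect or altered content).

Added example for the or-talk thread; sample bodies below are constructed.
"""
import hashlib
import re
from collections import Counter
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Parking hosts reported in the thread (searchportal frameset, frame.aspx target).
PARKING_HOSTS = {"searchportal.information.com", "landing.domainsponsor.com"}
FRAME_SRC = re.compile(r'<frame\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def parking_redirect(body: str) -> Optional[str]:
    """Return the frame target if the body is a parking frameset: a <frame>
    pointing at a known parking host, or at any host given domainname=."""
    m = FRAME_SRC.search(body)
    if not m:
        return None
    url = m.group(1)
    parts = urlsplit(url)
    if (parts.hostname or "") in PARKING_HOSTS or "domainname" in parse_qs(parts.query):
        return url
    return None


def normalise(body: str) -> str:
    """Drop comments and whitespace between tags so two honest exits that
    merely differ in formatting produce the same fingerprint."""
    body = re.sub(r"<!--.*?-->", "", body, flags=re.S)
    body = re.sub(r"\s+", " ", body)
    body = re.sub(r">\s+<", "><", body)
    return body.strip().lower()


def fingerprint(body: str) -> str:
    return hashlib.sha256(normalise(body).encode("utf-8")).hexdigest()


def classify_exits(bodies: Dict[str, str], reference: Optional[str] = None) -> Dict[str, str]:
    """bodies maps exit nickname -> response body for one URL. The baseline is
    the reference body (e.g. fetched without Tor) if given, else the majority."""
    fps = {nick: fingerprint(b) for nick, b in bodies.items()}
    if reference is not None:
        baseline = fingerprint(reference)
    else:
        baseline = Counter(fps.values()).most_common(1)[0][0]
    report: Dict[str, str] = {}
    for nick, body in bodies.items():
        if fps[nick] == baseline:
            report[nick] = "ok"
            continue
        target = parking_redirect(body)
        report[nick] = f"parking-redirect {target}" if target else "content-differs"
    return report


def exclude_nodes_line(report: Dict[str, str]) -> str:
    """torrc line excluding every exit whose body did not match the baseline."""
    bad = sorted(nick for nick, verdict in report.items() if verdict != "ok")
    return "ExcludeNodes " + ",".join(bad) if bad else ""


# --- constructed sample bodies (not captures from the thread) ---
GENUINE = ("<html><head><title>Example</title></head><body>"
           "<h1>Welcome</h1><p>Genuine page.</p></body></html>")
GENUINE_REFORMATTED = ("<html>\n  <head><title>Example</title></head>\n  <body>\n"
                       "    <h1>Welcome</h1>\n    <p>Genuine page.</p>\n  </body>\n</html>\n")
PARKED = ('<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">'
          '<frame src="http://searchportal.information.com/?a_id=20223&domainname=example.com">'
          '</frameset>')
INJECTED = GENUINE.replace("</body>", '<script src="http://ads.example.net/x.js"></script></body>')
SAMPLE = {"exitA": GENUINE, "exitB": GENUINE_REFORMATTED, "exitC": PARKED,
          "exitD": INJECTED, "exitE": GENUINE}

if __name__ == "__main__":
    verdicts = classify_exits(SAMPLE)
    for nick, verdict in sorted(verdicts.items()):
        print(f"{nick}: {verdict}")
    print(exclude_nodes_line(verdicts))
```

A majority baseline only works while most exits are honest for that site; pass a `reference` fetched outside Tor when you can, and remember that a "parking-redirect" verdict points at the resolver or hosting path behind that exit as much as at the exit itself, which is the open question in this thread.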
Analyzing TOR-exitnodes for anomalies
Hi all,

considering that I heard from several people that they notice strange side effects since a couple of days - altered webpage, advertisement where no ads should be - I started a little investigation if there are any obviously bogus exitnodes in the wild:
http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/

I welcome you to start your own investigation; if there are really bogus exitnodes we should be aware of those and we should know their node's nickname to put them on a shitlist. This might lead to an escalation in the future when marketeers realize the possibilities of altering traffic.

Comments, ideas, pointers to other projects?

Alex.

--
I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped.
-- Simon Cameron, U.S. Senator, on the Smithsonian Institute, 1901.
Re: Analyzing TOR-exitnodes for anomalies
Hi *Alexander W. Janssen* :

> Hi all,
> considering that I heard from several people that they notice strange side effects since a couple of days - altered webpage, advertisement where no ads should be - I started a little investigation if there are any obviously bogus exitnodes in the wild:
> http://itnomad.wordpress.com/2006/10/04/analyzing-tor-exitnodes-for-anomalies/
> I welcome you to start your own investigation; if there are really bogus exitnodes we should be aware of those and we should know their node's nickname to put them on a shitlist. This might lead to an escalation in the future when marketeers realize the possibilities of altering traffic.
> Comments, ideas, pointers to other projects?
> Alex.

Hmmm... Bogus exit nodes or bogus DNS servers ? Is it possible that the strange side effects come, not from the exit nodes themselves, but from the DNS server used by these exit nodes ? A kind of DNS poisoning? (From a local DNS server or remote DNS server...)
Ref.: http://en.wikipedia.org/wiki/DNS_poisoning

Our suspicions about bogus exit nodes must be based on facts so I suggest to collect information about this issue here. What we can do is to report any strange side effect including:
- the link to the web site
- the resulting link with the redirection like the ones we're talking about
- the exit node used to access this web site

:)

--
Claude LaFrenière