[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [tor-talk] SIGAINT email service targeted by 70 bad exit nodes
-----BEGIN PGP SIGNED MESSAGE-----
>> On Thu, Apr 23, 2015 at 07:30:57PM +0000, nusenu wrote:
>>>> Almost all of them were younger than one month and they seem
>>>> to have joined the network in small batches. I uploaded
>>>> Onionoo's JSON-formatted relay descriptors, so everybody can
>>>> have a look:
I compared your list (71 FPs) with my list (55 FPs) from
>>> 2015-04-05 , we have an overlap of (only) 30 relays. An
>>> overlap of around ~50 would be better.
>> Yes, I remember your list. Thanks a lot for sharing it, it's
>> really helpful!
>> The relays that are in your, but not in my list indeed look
>> quite similar to the rest. They don't have a BadExit flag
>> because nobody has caught them doing something nasty yet.
> So you do not think that they are controlled by the same
> (malicious) entity? (even though some declare their MyFamily
This makes for an interesting counter-example: if the MyFamily
declaration was used as reason for setting BadExit on related exits, a
malicious adversary could set their MyFamily to the same as a good
exit cluster, and then intentionally behave badly, in order to get the
good cluster flagged as BadExit.
My point is, the MyFamily declaration is completely unauthenticated,
and cannot be relied upon for anything more than providing contact
information. There is a newer iteration being discussed that would
prevent relays from joining families without permission, but then a
malicious exit provider would have even less motivation to set it up.
> Or is the requirement to flag them as badexit to catch them red
> The case that one took over legit relays is unlikely since many are
> rather 'fresh' ones.
> Or: Are they still on the network so we can see what they are
> after? ;) (rather hard given the amount of potential targets)
> Did you (or anyone else?) try to reach out to them via their
> *) Why would a malicious entity start to declare a MyFamily at all?
> I guess due to my email from
ml and it does not actually hurt their malicious activities because
> the little groups are in the same /16 anyway. (They do not put all
> their relays in a family)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
tor-talk mailing list - email@example.com
To unsubscribe or change other settings go to