[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] SIGAINT email service targeted by 70 bad exit nodes



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> On Thu, Apr 23, 2015 at 07:30:57PM +0000, nusenu wrote:
>>> Almost all of them were younger than one month and they seem
>>> to have joined the network in small batches.  I uploaded
>>> Onionoo's JSON-formatted relay descriptors, so everybody can
>>> have a look: 
>>> <http://www.nymity.ch/badexit/bad_descriptors_2015-04-23.zip>
>> 
>> I compared your list (71 FPs) with my list (55 FPs) from
>> 2015-04-05 [1], we have an overlap of (only) 30 relays. An
>> overlap of around ~50 would be better.
> 
> Yes, I remember your list.  Thanks a lot for sharing it, it's
> really helpful!
> 
> The relays that are in your, but not in my list indeed look quite 
> similar to the rest.  They don't have a BadExit flag because nobody
> has caught them doing something nasty yet.

So you do not think that they are controlled by the same (malicious)
entity? (even though some declare their MyFamily accordingly*)

Or is the requirement to flag them as badexit to catch them red handed?

The case that one took over legit relays is unlikely since many are
rather 'fresh' ones.

Or: Are they still on the network so we can see what they are after? ;)
(rather hard given the amount of potential targets)

Did you (or anyone else?) try to reach out to them via their ISP(s)?


*) Why would a malicious entity start to declare a MyFamily at all?
I guess due to my email from
https://lists.torproject.org/pipermail/tor-talk/2015-April/037384.ht
ml and it does not actually hurt their malicious activities because
the little groups are in the same /16 anyway. (They do not put all
their relays in a family)
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJVPMmsAAoJEFv7XvVCELh0DmgP/2Nl4PnaNoLbI16aEDkajNtk
4Kba6xNSPWYEgJsAFSonn8mRfPG4HR4yHJPiU2ZusHgm7SM5K3/iAb8PSaaef4M1
9D2zlcENFVJxpjQaW/JR6rINDDpj9keHLWh2flGV2jwA/+HxgpI6/go8GJ43xeb9
KSR+Ll0FqfBiTFqpMqiOiaDzQqALHdBexJ/a7KU7t+3L9hrvD5VlR8eBNPYpkI/K
se34lGnHzdhJwHh0zMo5+OByimmb6ITWfkdGY5LogQA/EgbRbh2woS2CeWGI21Lk
xaW1voGpiwHVHgbCNaeYk8Q4f+guKNzOd7mDcMdonrUdVKjvKA+VmiDznlucT0FR
QfVCCkadwbabehgersXWBb0IrLRysBV/mbIElOhaU3tnGXyTrZMcrzWEZaEDEBan
NSeVm6F9foRnzSsvLNy+ljT0A1571e0E7ej91ZGStcuPIjFFMZmOz/Ekce2ZOfC5
hYorrZXStJQkon5oT6nBQIi/BKnadeaaeaWQwdc6edVEw8NLmH8MJPtrF0jRoSVv
aKEXmOvZ9F70aqkXYS5236LCeYBF1h6h9mWS9Z4pkW8AMoyHaEy2lIAomx4KLTJt
19NG5Hzt1/wh2aevXUsZWLvtQAqnVzPFQPZGd92hAmQQHWjZTUAwzHEw8/cwdU59
Uu2ONbYmqdbEeClv4bp0
=0zDD
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk