why join the navy.
In the past few weeks, I have been working on a subject project. In this project, we attempt to monitor and analysis Tor exit relays by detecting the malicious exit relays and looking into the DNS resolution. Based on an existing Tor scanner, we customize and develop our own modules to implement probing all exit relays of the whole Tor network. To be honest, I didn’t expect much that we would find some valuable results in the first place considering the time limit, however, we did eventually get some interesting conclusions!
To start with, Tor is a popular low-latency anonymous communication network for enhancing privacy. It implements this by using a nested so-called “onion” encryption to encrypts traffic data and hide the source IP/ destination IP as well as randomly building the three-hop circuits.
As shown in the figure above. by design, exit relays almost control the whole Tor network traffic on top of TCP connections, in which situation exit relays are easily targeted to snoop and tamper with sensitive network traffic.
On top of that, DNS requests and responses are also heavily reliant on exit relays for resolution and validation, which raises potential concerns regarding centralization and misconfiguration.
So, we define a malicious exit relay is to:
In this case, we want to expose malicious exit relays engaging in man-in-the-middle attacks including SSL/TLS-based attacks, DNS poisoning and traffic sniffing.
We are also interested in the effect of DNS on exit relay:
we try to provide some insights on the effect of DNS on Tor’s anonymity and security by identifying the DNS resolvers and investigating DNSSEC deployment of Tor exit relays.
Well, the most important part is exitmap
Generally, the design of exitmap:
Here we tabled malicious exit relays we found. The columns are, from left to right:
Fingerprint | IP addresses | Location | Attack | Discovery |
---|---|---|---|---|
879E4D04 | 42.3.80.81 | Hong Kong | HTTPS MitM | 2019-10-28 |
D6D6B661 | 185.220.102.8 | Germany | DNS Poisoning | 2019-11-02 |
30966599 | 82.151.193.197 | Russia | Censorship | 2019-10-30 |
Here we exposed a possible HTTPS MitM for the domain grc.com. We detected a HTTPS MitM 7 times coming from the same exit node which returned three different fingerprints of X.509 certificate in total. However, due to human error, our code only recorded the unexpected fingerprint, not the full malicious X.509 certificate.
We also found a possible DNS Poisoning from a German exit relay, as shown in the table.
The final malicious exit relay we detected censors certain websites. When visiting the website http://nytimes.com, instead of upgrading to https://nytimes.com, the exit relay redirected the user to a Russian website over cleartext HTTP. However, it turns out the destination website, in this case, nytimes.com, is blocked in Russia so it just returns HTTP URL with a web page to inform users that this website is blocked due to government policies.
Given the importance of DNS queries heavily relying on exit relays, we aim to investigate how the DNS resolvers of Tor exit relays are currently implemented in terms of companies and countries.
We can see that:
Also, Most DNS Resolvers located in either Western Europe or North America
This might because many websites outsource their DNS setup to providers such as Cloudflare whose points of presence are centred around Western Europe and North America.
The basic design of this project mainly follows the previous work by Philipp Winter and Stefan Lindskog et.al. (2014)[1] as well as Benjamin Greschbach et.al. (2017)[2], thus one of our motivations is to give a comparative analysis with the results of previous work and lead to an up-to-date conclusion on Tor network. Here re some fun facet we found compared wth original paper:
[1] P. Winter, R. Köwer, M. Mulazzani, M. Huber, S. Schrittwieser, S. Lindskog, and E. Weippl, “Spoiled onions: Exposing malicious Tor exit relays,” in PETS. Springer, 2014. URL : https://nymity.ch/tor-dns/pdf/Winter2014b.pdf
[2] Greschbach, B., Pulls, T., Roberts, L., Winter, P., & Feamster, N. (2019). The Effect of DNS on Tor’s Anonymity. Retrieved 3 November 2019, from https://arxiv.org/abs/1609.08187
[3] Guarding your Tor Exit’s DNS. (2019). Retrieved 3 November 2019, from https://blog.daknob.net/guarding-your-tor-exits-dns/
[4] NullHypothesis/exitmap.(2019). Retrieved https://github.com/NullHypothesis/exitmap