159-exit-scanning.txt 5.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144
  1. Filename: 159-exit-scanning.txt
  2. Title: Exit Scanning
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Mike Perry
  6. Created: 13-Feb-2009
  7. Status: Open
  8. Overview:
  9. This proposal describes the implementation and integration of an
  10. automated exit node scanner for scanning the Tor network for malicious,
  11. misconfigured, firewalled or filtered nodes.
  12. Motivation:
  13. Tor exit nodes can be run by anyone with an Internet connection. Often,
  14. these users aren't fully aware of limitations of their networking
  15. setup. Content filters, antivirus software, advertisements injected by
  16. their service providers, malicious upstream providers, and the resource
  17. limitations of their computer or networking equipment have all been
  18. observed on the current Tor network.
  19. It is also possible that some nodes exist purely for malicious
  20. purposes. In the past, there have been intermittent instances of
  21. nodes spoofing SSH keys, as well as nodes being used for purposes of
  22. plaintext surveillance.
  23. While it is not realistic to expect to catch extremely targeted or
  24. completely passive malicious adversaries, the goal is to prevent
  25. malicious adversaries from deploying dragnet attacks against large
  26. segments of the Tor userbase.
  27. Scanning methodology:
  28. The first scans to be implemented are HTTP, HTML, Javascript, and
  29. SSL scans.
  30. The HTTP scan scrapes Google for common filetype urls such as exe, msi,
  31. doc, dmg, etc. It then fetches these urls through Non-Tor and Tor, and
  32. compares the SHA1 hashes of the resulting content.
  33. The SSL scan downloads certificates for all IPs a domain will locally
  34. resolve to and compares these certificates to those seen over Tor. The
  35. scanner notes if a domain had rotated certificates locally in the
  36. results for each scan.
  37. The HTML scan checks HTML, Javascript, and plugin content for
  38. modifications. Because of the dynamic nature of most of the web, the
  39. scanner has a number of mechanisms built in to filter out false
  40. positives that are used when a change is noticed between Tor and
  41. Non-Tor.
  42. All tests also share a URL-based false positive filter that
  43. automatically removes results retroactively if the number of failures
  44. exceeds a certain percentage of nodes tested with the URL.
  45. Deployment Stages:
  46. To avoid instances where bugs cause us to mark exit nodes as BadExit
  47. improperly, it is proposed that we begin use of the scanner in stages.
  48. 1. Manual Review:
  49. In the first stage, basic scans will be run by a small number of
  50. people while we stabilize the scanner. The scanner has the ability
  51. to resume crashed scans, and to rescan nodes that fail various
  52. tests.
  53. 2. Human Review:
  54. In the second stage, results will be automatically mailed to
  55. an email list of interested parties for review. We will also begin
  56. classifying failure types into three to four different severity
  57. levels, based on both the reliability of the test and the nature of
  58. the failure.
  59. 3. Automatic BadExit Marking:
  60. In the final stage, the scanner will begin marking exits depending
  61. on the failure severity level in one of three different ways: by
  62. node idhex, by node IP, or by node IP mask. A potential fourth, less
  63. severe category of results may still be delivered via email only for
  64. review.
  65. BadExit markings will be delivered in batches upon completion
  66. of whole-network scans, so that the final false positive
  67. filter has an opportunity to filter out URLs that exhibit
  68. dynamic content beyond what we can filter.
  69. Specification of Exit Marking:
  70. Technically, BadExit could be marked via SETCONF AuthDirBadExit over
  71. the control port, but this would allow full access to the directory
  72. authority configuration and operation.
  73. The approved-routers file could also be used, but currently it only
  74. supports fingerprints, and it also contains other data unrelated to
  75. exit scanning that would be difficult to coordinate.
  76. Instead, we propose that a new badexit-routers file that has three
  77. keywords:
  78. BadExitNet 1*[exitpattern from 2.3 in dir-spec.txt]
  79. BadExitFP 1*[hexdigest from 2.3 in dir-spec.txt]
  80. BadExitNet lines would follow the codepaths used by AuthDirBadExit to
  81. set authdir_badexit_policy, and BadExitFP would follow the codepaths
  82. from approved-router's !badexit lines.
  83. The scanner would have exclusive ability to write, append, rewrite,
  84. and modify this file. Prior to building a new consensus vote, a
  85. participating Tor authority would read in a fresh copy.
  86. Security Implications:
  87. Aside from evading the scanner's detection, there are two additional
  88. high-level security considerations:
  89. 1. Ensure nodes cannot be marked BadExit by an adversary at will
  90. It is possible individual website owners will be able to target certain
  91. Tor nodes, but once they begin to attempt to fail more than the URL
  92. filter percentage of the exits, their sites will be automatically
  93. discarded.
  94. Failing specific nodes is possible, but scanned results are fully
  95. reproducible, and BadExits should be rare enough that humans are never
  96. fully removed from the loop.
  97. State (cookies, cache, etc) does not otherwise persist in the scanner
  98. between exit nodes to enable one exit node to bias the results of a
  99. later one.
  100. 2. Ensure that scanner compromise does not yield authority compromise
  101. Having a separate file that is under the exclusive control of the
  102. scanner allows us to heavily isolate the scanner from the Tor
  103. authority, potentially even running them on separate machines.