159-exit-scanning.txt 5.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142
  1. Filename: 159-exit-scanning.txt
  2. Title: Exit Scanning
  3. Author: Mike Perry
  4. Created: 13-Feb-2009
  5. Status: Open
  6. Overview:
  7. This proposal describes the implementation and integration of an
  8. automated exit node scanner for scanning the Tor network for malicious,
  9. misconfigured, firewalled or filtered nodes.
  10. Motivation:
  11. Tor exit nodes can be run by anyone with an Internet connection. Often,
  12. these users aren't fully aware of limitations of their networking
  13. setup. Content filters, antivirus software, advertisements injected by
  14. their service providers, malicious upstream providers, and the resource
  15. limitations of their computer or networking equipment have all been
  16. observed on the current Tor network.
  17. It is also possible that some nodes exist purely for malicious
  18. purposes. In the past, there have been intermittent instances of
  19. nodes spoofing SSH keys, as well as nodes being used for purposes of
  20. plaintext surveillance.
  21. While it is not realistic to expect to catch extremely targeted or
  22. completely passive malicious adversaries, the goal is to prevent
  23. malicious adversaries from deploying dragnet attacks against large
  24. segments of the Tor userbase.
  25. Scanning methodology:
  26. The first scans to be implemented are HTTP, HTML, Javascript, and
  27. SSL scans.
  28. The HTTP scan scrapes Google for common filetype urls such as exe, msi,
  29. doc, dmg, etc. It then fetches these urls through Non-Tor and Tor, and
  30. compares the SHA1 hashes of the resulting content.
  31. The SSL scan downloads certificates for all IPs a domain will locally
  32. resolve to and compares these certificates to those seen over Tor. The
  33. scanner notes if a domain had rotated certificates locally in the
  34. results for each scan.
  35. The HTML scan checks HTML, Javascript, and plugin content for
  36. modifications. Because of the dynamic nature of most of the web, the
  37. scanner has a number of mechanisms built in to filter out false
  38. positives that are used when a change is noticed between Tor and
  39. Non-Tor.
  40. All tests also share a URL-based false positive filter that
  41. automatically removes results retroactively if the number of failures
  42. exceeds a certain percentage of nodes tested with the URL.
  43. Deployment Stages:
  44. To avoid instances where bugs cause us to mark exit nodes as BadExit
  45. improperly, it is proposed that we begin use of the scanner in stages.
  46. 1. Manual Review:
  47. In the first stage, basic scans will be run by a small number of
  48. people while we stabilize the scanner. The scanner has the ability
  49. to resume crashed scans, and to rescan nodes that fail various
  50. tests.
  51. 2. Human Review:
  52. In the second stage, results will be automatically mailed to
  53. an email list of interested parties for review. We will also begin
  54. classifying failure types into three to four different severity
  55. levels, based on both the reliability of the test and the nature of
  56. the failure.
  57. 3. Automatic BadExit Marking:
  58. In the final stage, the scanner will begin marking exits depending
  59. on the failure severity level in one of three different ways: by
  60. node idhex, by node IP, or by node IP mask. A potential fourth, less
  61. severe category of results may still be delivered via email only for
  62. review.
  63. BadExit markings will be delivered in batches upon completion
  64. of whole-network scans, so that the final false positive
  65. filter has an opportunity to filter out URLs that exhibit
  66. dynamic content beyond what we can filter.
  67. Specification of Exit Marking:
  68. Technically, BadExit could be marked via SETCONF AuthDirBadExit over
  69. the control port, but this would allow full access to the directory
  70. authority configuration and operation.
  71. The approved-routers file could also be used, but currently it only
  72. supports fingerprints, and it also contains other data unrelated to
  73. exit scanning that would be difficult to coordinate.
  74. Instead, we propose that a new badexit-routers file that has three
  75. keywords:
  76. BadExitNet 1*[exitpattern from 2.3 in dir-spec.txt]
  77. BadExitFP 1*[hexdigest from 2.3 in dir-spec.txt]
  78. BadExitNet lines would follow the codepaths used by AuthDirBadExit to
  79. set authdir_badexit_policy, and BadExitFP would follow the codepaths
  80. from approved-router's !badexit lines.
  81. The scanner would have exclusive ability to write, append, rewrite,
  82. and modify this file. Prior to building a new consensus vote, a
  83. participating Tor authority would read in a fresh copy.
  84. Security Implications:
  85. Aside from evading the scanner's detection, there are two additional
  86. high-level security considerations:
  87. 1. Ensure nodes cannot be marked BadExit by an adversary at will
  88. It is possible individual website owners will be able to target certain
  89. Tor nodes, but once they begin to attempt to fail more than the URL
  90. filter percentage of the exits, their sites will be automatically
  91. discarded.
  92. Failing specific nodes is possible, but scanned results are fully
  93. reproducible, and BadExits should be rare enough that humans are never
  94. fully removed from the loop.
  95. State (cookies, cache, etc) does not otherwise persist in the scanner
  96. between exit nodes to enable one exit node to bias the results of a
  97. later one.
  98. 2. Ensure that scanner compromise does not yield authority compromise
  99. Having a separate file that is under the exclusive control of the
  100. scanner allows us to heavily isolate the scanner from the Tor
  101. authority, potentially even running them on separate machines.