State of Bad Relay Team - network-health

22 Jul 2019


      Hello everyone,
I'm writing this email to help bootstrap more and more the network health team
by outlining the status of the "bad relay team" as in where and what tools we
use.
After discussions at the Stockholm meeting, this is in the spirit of trying to
gather information in one place (this list) and push the effort to consolidate
everything we (Tor Project) have in that space to, ultimately, our Gitlab
instance. We have a team already there although quite empty at the moment.
https://dip.torproject.org/torproject/network-health
Several tools are being used by the bad relay team. The following I would
consider them in the "critical path" of the bad relay team operations:
1. Malicious HSDir Scanner
This one is in a private git repository on Github. For obvious reasons, we
   don't make it public in order to avoid attackers gaming it. It is run
   regularlry by the team.
I've asked the author if we can move it to dip.tpo under the network health
   team umbrella. Pending...
This tool has dependencies on "eschalot" with custom patches to it and
   custom patches to "tor" as well. These need to be maintained over time and
   thus should also be on dip.tpo.
This also need a tor relay to be run which requires the custom tor patches
   mentionned above and the HSDir flag (which you only get after 96 hours of
   uptime so can't be rebooted often...).
It is an extremely important tool right now for bad HSDir detections so we
   should definitely keep this one well maintained and running as long as v2
   .onion addresses exists.
2. Exitmap
The core of this tool is public here:
https://github.com/NullHypothesis/exitmap
The modules are in a private repository as well. I've also asked the author
   if we can move this tool to dip.tpo. It is also run quite regularlry by the
   team.
3. DocTor
DocTor is a great public that is run by atagar. Any warnings goes on the
   consensus-health@ mailing list.
https://gitweb.torproject.org/doctor.git/
In the case of the bad relay team, custom secret modules exists and run
   daily. This should definitely move to dip.tpo. I have ownership of those so
   easy move.
Overall, this is a good project to move to the Network Health team in my
   opinion, with atagar's permission of course.
4. Sybilwatch
https://github.com/DonnchaC/sybilwatch
This is an extremely useful tool to correlate relays with the same
   characteristics in order to find all the related relays of a detected
   attack.
Own by Donncha and public so probably no need to have it on dip.tpo.
5. Custom Stem Scripts
I made several custom Stem scripts in order to walk the
   consensus/descriptors and extract information which makes it much easier to
   find relay's information to reject/badexit.
https://git.ini-tech.com/stem-scripts.git/tree
Not the cleanest but very useful. I think having them on dip.tpo would be
   useful but not required.
6. Tes
Tool written by meejah. Allows us to detect MITM attacks by relays. It is
   in a private git repository so if meejah wants to move it to dip.tpo, I
   think it would be great! Else, documenting that it exists could be enough.
Other tools exists for a variety of purposes like "trnns" made by phw
(https://github.com/NullHypothesis/trnns) but afaict, not in the critical path
of the bad relay team.
About git repositories:
- dirauth-conf.git
Private. Only a handful of people have commit access to this including all
  directory authorities (9 of them).
This contains many things including the reject/badexit rules that the bad
  relay team submit there and the directory authorities then each take a
  personal decision on applying the rule or not.
This is up to debate I believe if it should fall under "Network Health"
  umbrella or not... Difficult to say but I'm leaning towards "yes"
  considering that it also contains configuration files that dirauth should in
  theory use/apply like consensus parameters which is very "health" to me :).
Now in terms of communication, several mailing list exists:
- bad-relays@lists.torproject.org
Private and with very few people. Coordination happens there for any relay
  rejection/badexit.
It is the advertised list to report malicious relays but also to report that
  your relay is rejected if you are an operator that let say re-used an
  blacklisted IP address.
It is actually hardcoded in tor code and part of the reject reason string
  that a directory authority will send back:
*msg = "Fingerprint is marked rejected -- if you think this is a "
         "mistake please set a valid email address in ContactInfo and "
         "send an email to bad-relays@lists.torproject.org mentioning "
         "your fingerprint(s)?";
*msg = "Suspicious relay address range -- if you think this is a "
           "mistake please set a valid email address in ContactInfo and "
           "send an email to bad-relays@lists.torproject.org mentioning "
           "your address(es) and fingerprint(s)?";
- tor-network-alerts@lists.torproject.org
Private list. Only scanners/bots email that list with alerts. So 1), 2) and
  3) all are configured to email that list with their alerts.
Related discussions happens on bad-relays@
- tor-consensus-health@lists.torproject.org
Public. DocTor report detected issues to that list. No discussions.
- ornetradar@lists.riseup.net
External from TPO. Public. https://lists.riseup.net/www/info/ornetradar
Events are also published here:
  https://nusenu.github.io/OrNetRadar/
Run by "nusenu" volunteer. It has many many detections that we use in order
  to make decision on bad relays.
Those are the active mailing lists that the bad relay team uses/observes.
I believe the above covers it all on the bad relay team side... Thing is that
other volunteers might be running scanners or custom tools so the above really
covers what *I* am aware of.
Cheers!
David
-- 
21BSebbtTMg1u+swxsy4Y2IVWlthi9t/XgN+FybFMe8=