Hello everyone,
Some months ago I encountered a situation where a user running an exit node with a publicly exposed privoxy (intentionally or not, I'm not sure) was constantly receiving a number of requests directed to advertisement networks. Fundamentally, someone is/was running an infrastructure using exposed Privoxies to perform some sort of advertisement fraud.
It's been roughly documented also here: https://b.kentbackman.com/2013/04/15/rotpoion-botnet-powered-by-thousands-of...
Out of interest, I gave a quick look at existing relays and exits and it turns out that there's ~20 nodes exposing Privoxy on public IPs.
Host: 46.65.12.134 (46-65-12-134.zone16.bethere.co.uk) Ports: 8118/open/tcp//privoxy///
Host: 66.146.193.31 (sable.dredel.com) Ports: 8118/open/tcp//privoxy///
Host: 66.180.193.219 (tor-proxy.die.net) Ports: 8118/open/tcp//privoxy///
Host: 69.164.211.18 (nsi.mirt.net) Ports: 8118/open/tcp//privoxy///
Host: 71.246.241.109 (koansys.com) Ports: 8118/open/tcp//privoxy///
Host: 75.137.122.118 (75-137-122-118.dhcp.gnvl.sc.charter.com) Ports: 8118/open/tcp//privoxy///
Host: 78.47.41.125 (maurer-web.wisseberger-jonges.de) Ports: 8118/open/tcp//privoxy///
Host: 81.56.102.224 (perso.schenck.fr) Ports: 8118/open/tcp//privoxy///
Host: 82.45.34.136 (cpc11-hawk13-2-0-cust135.aztw.cable.virginm.net) Ports: 8118/open/tcp//privoxy///
Host: 93.207.83.51 (p5DCF5333.dip0.t-ipconnect.de) Ports: 8118/open/tcp//privoxy///
Host: 95.140.34.187 (medea.tobias.vn) Ports: 8118/open/tcp//privoxy///
Host: 95.140.34.188 (mikrobi.tobias.vn) Ports: 8118/open/tcp//privoxy///
Host: 123.254.105.104 () Ports: 8118/open/tcp//privoxy///
Host: 151.28.124.42 (ppp-42-124.28-151.libero.it) Ports: 8118/open/tcp//privoxy///
Host: 162.243.5.88 () Ports: 8118/open/tcp//privoxy///
Host: 165.154.108.120 () Ports: 8118/open/tcp//privoxy///
Host: 176.31.127.140 (ks396886.kimsufi.com) Ports: 8118/open/tcp//privoxy///
Host: 199.184.154.12 () Ports: 8118/open/tcp//privoxy///
First thing first, I'm interested to know whether there's an actual reason for doing this or if it's something discouraged.
Best, /nex
On 13-11-10 08:04 AM, Claudio wrote:
> Some months ago I encountered a situation where a user running an exit node with a publicly exposed privoxy (intentionally or not, I'm not sure) was constantly receiving a number of requests directed to advertisement networks. Fundamentally, someone is/was running an infrastructure using exposed Privoxies to perform some sort of advertisement fraud.
Privoxy has never been part of the Tor relay configuration, AFAIK. Privoxy was discontinued as part of the Tor client configuration a couple of years ago. Therefore such a phenomenon *should not* have anything to do with Tor relays.
However there may be a few rogues who run Tor exits that cache or snoop traffic or who simultaneously run other proxy services (for example misconfigured home exit nodes). The Legal FAQ gives some advice on these issues: https://www.torproject.org/eff/tor-legal-faq.html.en
On Sun, 10 Nov 2013, Claudio wrote:
> Host: 66.180.193.219 (tor-proxy.die.net) Ports: 8118/open/tcp//privoxy///
Want to make HTTP requests through these ports and see who will actually proxy content for you?
If you try making a request through this port on tor-proxy.die.net, it won't proxy but rather will take as long as possible to send you a bogus 10 meg reply, acting as what is known as a "tarpit".
In September, I sent a note privately to the contacts of the other 19 Tor nodes that had an open 8118 port, and 5 or so fixed their configs. A few more replied saying that they had all ports open intentionally but weren't really passing traffic.
-- Aaron
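One way to run the check Aaron describes, written here as an added example rather than anything posted in the thread: hand each host on 8118 a single forward-proxy-style request and classify what comes back. The probe URL, the verdict labels and the local fake responders (which exist only so the script can be exercised offline) are my own choices; nothing below is Privoxy's or Tor's code.

```python
"""Probe host:8118 with one proxy-style GET and classify the listener.

Added example for the tor-relays thread; the verdict labels are mine.
"""
import socket
import threading
import time

PROBE_TARGET = b"http://example.com/"   # assumption: any URL a forward proxy would fetch for us


def probe_proxy(host, port=8118, timeout=3.0, max_body=65536):
    """Return one of:
      closed   - TCP connect failed or timed out
      silent   - accepted the connection but never answered (open port, no service)
      not-http - answered, but not with an HTTP status line
      blocked  - an HTTP status other than 200 (e.g. a proxy that refuses the URL)
      tarpit   - a 200 whose body stalls or only trickles past the deadline
      proxy    - a 200 whose body arrived: this box proxies for anyone
    """
    request = (b"GET " + PROBE_TARGET + b" HTTP/1.0\r\n"
               b"Host: example.com\r\nConnection: close\r\n\r\n")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                       # covers socket.timeout and ECONNREFUSED
        return "closed"
    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            sock.sendall(request)
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            return "silent"
        except OSError:
            return "closed"
        if not data.startswith(b"HTTP/"):
            return "not-http"
        parts = data.split(b" ", 2)
        if len(parts) < 2 or parts[1] != b"200":
            return "blocked"
        body = data.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in data else b""
        # A tarpit happily sends a 200; what gives it away is a body that never finishes,
        # so bound the body read by 2*timeout in wall-clock time, not just per recv().
        deadline = time.monotonic() + 2 * timeout
        try:
            while len(body) < max_body:
                chunk = sock.recv(4096)
                if not chunk:
                    return "proxy"
                body += chunk
                if time.monotonic() > deadline:
                    return "tarpit"
        except socket.timeout:
            return "tarpit"
        return "proxy"


def scan(hosts, port=8118, timeout=3.0):
    """Probe every host (e.g. the relay list above); returns {host: verdict}."""
    return {h: probe_proxy(h, port, timeout) for h in hosts}


# --- local stand-ins so the probe can be demonstrated offline (constructed, not real hosts) ---

def serve_once(handler):
    """Listen on 127.0.0.1:<ephemeral>, answer one connection via handler(conn); returns the port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def run():
        conn, _ = lsock.accept()
        with conn, lsock:
            conn.settimeout(5.0)
            try:
                conn.recv(4096)            # consume the probe's request line and headers
                handler(conn)
            except OSError:
                pass                       # the probe hung up; nothing more to do

    threading.Thread(target=run, daemon=True).start()
    return port


def answer_as_open_proxy(conn):
    """What a publicly reachable Privoxy looks like from outside: it returns a page for the URL."""
    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n"
                 b"this came back through the proxy\n")


def answer_as_tarpit(conn):
    """A 200 promising 10 MiB, delivered one byte every half second and never completed."""
    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 10485760\r\nConnection: close\r\n\r\n")
    for _ in range(60):
        time.sleep(0.5)
        conn.sendall(b" ")


def free_port():
    """An ephemeral port with nothing listening, to show the 'closed' verdict."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    for host, verdict in scan(sys.argv[1:]).items():
        print(host, verdict)
```

Run it as `python probe.py host1 host2 ...`. A verdict of `proxy` is the one worth mailing the operator about; `silent` and `tarpit` match the "port open but not passing traffic" replies Aaron mentions, and a `blocked` answer usually means the proxy is up but its action file refuses the probe URL, which is still worth a second look with a different target.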
On 11/10/2013 08:15 PM, Aaron Hopkins wrote:
> On Sun, 10 Nov 2013, Claudio wrote:
> > Host: 66.180.193.219 (tor-proxy.die.net) Ports: 8118/open/tcp//privoxy///
> Want to make HTTP requests through these ports and see who will actually proxy content for you?
> If you try making a request through this port on tor-proxy.die.net, it won't proxy but rather will take as long as possible to send you a bogus 10 meg reply, acting as what is known as a "tarpit".
> In September, I sent a note privately to the contacts of the other 19 Tor nodes that had an open 8118 port, and 5 or so fixed their configs. A few more replied saying that they had all ports open intentionally but weren't really passing traffic.
You're right, just a few actually do proxy. With a few seconds timeout only 162.243.5.88 and 78.47.41.125 do to me at the moment.
Just out of curiosity, what would be the reason for leaving such port open but inactive?
Thanks, /nex
On Sun, 10 Nov 2013, Claudio wrote:
> You're right, just a few actually do proxy. With a few seconds timeout only 162.243.5.88 and 78.47.41.125 do to me at the moment.
Good to know. I don't see a contact for 162.243.5.88 and I sent mail to the contact address listed for 78.47.41.125 in September but didn't get a response.
> Just out of curiosity, what would be the reason for leaving such port open but inactive?
For me, it is to try to waste TCP sockets and OS threads of whichever botnet is trying to hit 8118 on all Tor nodes over and over, in an effort to slow them down. Though I'm currently holding open 43000 connections from them, I don't think it has had much of an effect, unfortunately.
See http://en.wikipedia.org/wiki/Tarpit_(networking) for more background. It talks about IP-level and SMTP-level tarpits; my HTTP tarpit is similar in theory but operates at the HTTP protocol level.
-- Aaron
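An HTTP tarpit of the kind Aaron describes, as I would build it. This is an added example, not his code, and the thread says nothing about how his listener is implemented; the bind address, the one-byte drip interval, the 10 MiB claimed length and the counters in `snapshot()` are my own choices. One selector loop holds every connection, so the per-victim cost is a socket plus a few bytes of state rather than a thread, which matters when the goal is to sit on tens of thousands of a bot's connections at once.

```python
"""Single-threaded HTTP tarpit for 8118/tcp (added example, not the thread author's code).

Every connection gets an immediate "200 OK" whose Content-Length promises a
10 MiB body; the body is then dripped one byte per drip_interval seconds.
Nothing is ever proxied.  A client that waits for the body to complete holds
its socket for months; one that gives up is dropped on its empty read.
"""
import selectors
import socket
import threading
import time


class HttpTarpit:
    def __init__(self, bind="127.0.0.1", port=0, claimed_length=10 * 1024 * 1024,
                 drip_interval=1.0):
        self.claimed_length = claimed_length
        self.drip_interval = drip_interval
        self.sel = selectors.DefaultSelector()
        self.lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.lsock.bind((bind, port))
        self.lsock.listen(1024)
        self.lsock.setblocking(False)
        self.port = self.lsock.getsockname()[1]
        self.sel.register(self.lsock, selectors.EVENT_READ)
        self.victims = {}            # conn -> [body bytes sent, monotonic time of next drip]
        self.total_accepted = 0
        self.total_body_bytes = 0

    def _header(self):
        return (b"HTTP/1.0 200 OK\r\n"
                b"Content-Type: text/html\r\n"
                b"Content-Length: %d\r\n"
                b"Connection: close\r\n\r\n" % self.claimed_length)

    def _accept(self):
        try:
            conn, _ = self.lsock.accept()
        except OSError:
            return
        conn.setblocking(False)
        # Ask for a small send buffer so the kernel cannot absorb a big slice of the
        # "body" on our behalf: the client should see the drip as slowly as we send it.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 1024)
        try:
            conn.sendall(self._header())          # ~100 bytes; fits the fresh socket buffer
        except OSError:
            conn.close()
            return
        self.sel.register(conn, selectors.EVENT_READ)
        self.victims[conn] = [0, time.monotonic() + self.drip_interval]
        self.total_accepted += 1

    def _drop(self, conn):
        self.sel.unregister(conn)
        del self.victims[conn]
        conn.close()

    def _on_readable(self, conn):
        # Whatever the client sends (its request, retries) is read and discarded; an
        # empty read or an error means it hung up, the only early way out of the pit.
        try:
            if conn.recv(4096) == b"":
                self._drop(conn)
        except OSError:
            self._drop(conn)

    def _drip(self, conn, state, now):
        try:
            conn.send(b" ")                       # one byte of "body"; whitespace is harmless HTML
        except BlockingIOError:
            pass                                  # client is not reading; retry next interval
        except OSError:
            self._drop(conn)
            return
        else:
            state[0] += 1
            self.total_body_bytes += 1
            if state[0] >= self.claimed_length:   # the promised body finally completed
                self._drop(conn)
                return
        state[1] = now + self.drip_interval

    def serve(self, duration=None):
        """Run the loop forever, or for `duration` seconds."""
        end = None if duration is None else time.monotonic() + duration
        while end is None or time.monotonic() < end:
            for key, _ in self.sel.select(timeout=0.1):
                if key.fileobj is self.lsock:
                    self._accept()
                else:
                    self._on_readable(key.fileobj)
            now = time.monotonic()
            for conn, state in list(self.victims.items()):
                if conn in self.victims and state[1] <= now:
                    self._drip(conn, state, now)

    def serve_in_background(self):
        t = threading.Thread(target=self.serve, daemon=True)
        t.start()
        return t

    def snapshot(self):
        return {"open": len(self.victims), "accepted": self.total_accepted,
                "body_bytes": self.total_body_bytes}


if __name__ == "__main__":
    pit = HttpTarpit(bind="0.0.0.0", port=8118)   # assumption: you want it on the Privoxy port
    print("tarpit listening on port", pit.port)
    pit.serve()
```

At one byte per second the promised 10 MiB takes about four months to arrive, so a client that insists on reading the whole reply keeps a socket and, if it is threaded, a thread busy for that long. The trade-off Aaron notes still applies: the victim also costs you a socket and a file descriptor, so raise the process's open-file limit before pointing this at a botnet that reconnects in bulk.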
I was running a non-exit relay using beta RC version vidalia-relay-bundle-0.2.4.17-rc-0.2.21.exe on win XP
On the "Message Log" console I was seeing hourly entries for TAP and nTor connections.
After over a week, I was getting very low traffic, so I rolled back to the stable version vidalia-relay-bundle-0.2.3.25-0.2.21-2.exe to compare, trying to see if it would be more useful.
After changing, I no longer see any hourly entries as I did with the beta/RC version. I tried unsuccessfully to find a change log that would indicate this might have been one thing changed.
Can anyone confirm this was a feature of the beta/RC version since the last stable version? or might I have missed some setting somewhere to enable hourly connection stat logging?
BugZ
On Sun, Nov 10, 2013 at 09:58:20PM -0500, gq wrote:
> On the "Message Log" console I was seeing hourly entries for TAP and nTor connections.
Yep.
> After over a week, I was getting very low traffic, so I rolled back to the stable version vidalia-relay-bundle-0.2.3.25-0.2.21-2.exe to compare, trying to see if it would be more useful.
> After changing, I no longer see any hourly entries as I did with the beta/RC version. I tried unsuccessfully to find a change log that would indicate this might have been one thing changed.
> Can anyone confirm this was a feature of the beta/RC version since the last stable version? or might I have missed some setting somewhere to enable hourly connection stat logging?
It is new in 0.2.4.17-rc:
- Track how many "TAP" and "NTor" circuit handshake requests we get, and how many we complete, and log it every hour to help relay operators follow trends in network load. Addresses ticket 9658.
https://trac.torproject.org/projects/tor/ticket/9658
--Roger
Roger that :)
thank you.
On 11/10/2013 10:01 PM, Roger Dingledine wrote: