As of January 2014, the Tor anonymity network consists of 5,000 relays, of which almost 1,000 are exit relays. As the diagram to the right illustrates, exit relays bridge the gap between the Tor network and the “open” Internet. As a result, exit relays are able to see anonymised network traffic as it is sent by Tor clients.
While most exit relays are innocuous and run by well-meaning volunteers, there are exceptions: in the past, some exit relays were documented to have sniffed and tampered with relayed traffic. The exposed attacks were mostly HTTPS man-in-the-middle (MitM) and SSL stripping.
In this research project, we are monitoring all exit relays for several months in order to expose, document, and thwart malicious or misconfigured relays. In particular, we monitor exit relays with a fast and modular scanner we developed specifically for that purpose. Since September 2013, we have discovered several malicious or misconfigured exit relays, which are listed below. These exit relays engaged in various attacks such as SSH and HTTPS MitM, HTML injection, and SSL stripping. We also found exit relays which were unintentionally interfering with network traffic because they were subject to DNS censorship.
The following table contains all malicious or misconfigured exit relays we have discovered since September 2013. The columns show a relay's truncated unique fingerprint, its country and IP address(es), the attack or misconfiguration, when it was first active, and when we discovered it. For a more detailed analysis of all attacks, please refer to our research paper.
2014-01-21: We should explain what our findings actually mean for Tor users. While the list below might appear scary, it is important to understand that these are merely 25 out of more than 1,000 relays over four months! In fact, the exact number of benign relays during that time remains an open question, as we didn't determine the churn rate. Either way, it is a very small fraction, which means that Tor users are not likely to encounter many such relays “in the wild”. Furthermore, Tor's path selection algorithm prefers faster relays over slower ones. Many of the relays listed below contributed little bandwidth, which makes them even less likely to be chosen as an exit relay. And even if you, as a user, happen to select a malicious exit relay, it doesn't mean that everything is lost. TorBrowser ships with extensions such as HTTPS-Everywhere which are able to foil some HTTPS-based attacks. Finally, all of the attacks we found are of course not limited to the Tor network. You might very well be more exposed to these attacks on any public WiFi.
| Fingerprint | IP address | Country | Attack | Bandwidth | First active | Discovery |
|---|---|---|---|---|---|---|
| | 18.104.22.168 | | HTTPS MitM | 7.16 MB/s | 2013-06-24 | 2013-07-13 |
| | 22.214.171.124/29 | | HTTPS MitM | 7.16 MB/s | 2013-06-11 | 2013-07-13 |
| | 126.96.36.199 | | HTTPS MitM | 290 KB/s | 2013-07-23 | 2013-09-19 |
| | 188.8.131.52 | | HTTPS MitM | 5.55 MB/s | 2013-08-01 | 2013-09-19 |
| | 184.108.40.206 | | SSH & HTTPS MitM | 1.54 MB/s | 2013-08-09 | 2013-09-23 |
| | 220.127.116.11 | | HTTPS MitM | 334 KB/s | 2013-09-26 | 2013-10-01 |
| | 18.104.22.168 | | HTTPS MitM | 929 KB/s | 2013-09-27 | 2013-10-14 |
| | 22.214.171.124 | | HTTPS MitM | 2.96 MB/s | 2013-09-26 | 2013-10-15 |
| | 126.96.36.199 | | HTTPS MitM | 3.45 MB/s | 2013-09-26 | 2013-10-16 |
| | 188.8.131.52 | | HTTPS MitM | 850 KB/s | 2013-08-12 | 2013-10-16 |
| | 184.108.40.206 | | HTTPS MitM | 287 KB/s | 2013-10-23 | 2013-10-23 |
| | 220.127.116.11 | | SSL stripping | 106 KB/s | 2013-06-05 | 2013-10-31 |
| | 18.104.22.168 | | HTTPS MitM | 1.54 MB/s | 2013-11-08 | 2013-11-09 |
| | 22.214.171.124 | | HTTPS MitM | 721 KB/s | 2013-11-08 | 2013-11-09 |
| | 126.96.36.199 | | SSH & HTTPS MitM | 2.3 MB/s | 2013-10-31 | 2013-11-21 |
| | 188.8.131.52 | | HTTPS MitM | 187 KB/s | 2013-11-26 | 2013-11-26 |
| | 184.108.40.206 | | HTTPS MitM | 838 KB/s | 2013-11-26 | 2013-11-27 |
| | 220.127.116.11/12 | | HTML injection | 182 KB/s | 2013-11-23 | 2013-11-27 |
| | 18.104.22.168 | | SSH MitM | 4.34 MB/s | 2013-11-15 | 2013-11-27 |
| | 22.214.171.124 | | SSH & HTTPS MitM | 60 KB/s | 2013-12-02 | 2013-12-02 |
| | 126.96.36.199 | | SSH & HTTPS MitM | 896 KB/s | 2013-12-06 | 2013-12-08 |
| | 188.8.131.52 | | SSL stripping | 54 KB/s | 2013-12-17 | 2013-12-18 |
| | 184.108.40.206 | | DNS censorship | 538 KB/s | 2013-12-22 | 2014-01-01 |
| | 178.211.39 | | DNS censorship | 204 KB/s | 2013-12-28 | 2014-01-06 |
| | 220.127.116.11 | | OpenDNS blocking | 52 KB/s | 2013-12-21 | 2014-01-06 |
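Every attack class in the table above can be recognised from the same basic comparison: fetch a destination once directly and once through the exit under test, and treat any difference in what the exit hands back as a finding. The classifier below is an added example written for this page, not exitmap's own code; it pins the direct fetch as a baseline (certificate SHA-256 over the DER bytes, SSH host key fingerprint, authoritative A records, whether plain HTTP redirects to https://) and labels a probe's observations with the attack names used in the table. The names Baseline, Observation, classify_exit and scan, the sample exit fingerprints, the documentation-range addresses and the block-page address set are all assumptions made for the example, and the probe results are constructed in memory so the code runs offline.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed placeholder: a real scanner pins the filtering resolver's actual
# block-page address here; 192.0.2.1 is from the documentation range.
KNOWN_BLOCKPAGE_ADDRS: Set[str] = {"192.0.2.1"}


@dataclass
class Baseline:
    """What a direct (non-Tor) fetch of the destination looks like."""
    cert_sha256: str            # SHA-256 over the DER-encoded leaf certificate
    ssh_hostkey: str            # host key fingerprint the genuine SSH server presents
    dns_answers: Set[str]       # A records in the authoritative answer
    redirects_to_https: bool    # plain-HTTP fetch is answered with a redirect to https://
    body_sha256: Optional[str] = None  # hash of a static plain-HTTP body (when it does not redirect)


@dataclass
class Observation:
    """What one probe saw for the same destination through a single exit relay."""
    exit_fingerprint: str
    tls_cert_der: Optional[bytes] = None
    ssh_hostkey: Optional[str] = None
    dns_answers: List[str] = field(default_factory=list)
    http_status: Optional[int] = None
    http_headers: Dict[str, str] = field(default_factory=dict)
    http_body: bytes = b""


def cert_fingerprint(der: bytes) -> str:
    """Fingerprint the certificate itself; this trusts no CA, so a forged-but-'valid' cert still differs."""
    return hashlib.sha256(der).hexdigest()


def classify_exit(obs: Observation, base: Baseline) -> List[str]:
    """Return the attack labels (as used in the table) that this observation supports."""
    findings: List[str] = []

    # HTTPS MitM: the leaf certificate seen through the exit is not the origin's.
    if obs.tls_cert_der is not None and cert_fingerprint(obs.tls_cert_der) != base.cert_sha256:
        findings.append("HTTPS MitM")

    # SSH MitM: same comparison on the host key fingerprint.
    if obs.ssh_hostkey is not None and obs.ssh_hostkey != base.ssh_hostkey:
        findings.append("SSH MitM")

    if obs.http_status is not None:
        location = obs.http_headers.get("Location", "")
        if base.redirects_to_https:
            # SSL stripping: the origin's redirect to https:// was swallowed or rewritten.
            if obs.http_status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
                findings.append("SSL stripping")
        elif base.body_sha256 is not None and hashlib.sha256(obs.http_body).hexdigest() != base.body_sha256:
            # HTML injection: a page that is static when fetched directly came back altered.
            findings.append("HTML injection")

    # DNS: answers the authoritative response does not contain point at a filtering
    # resolver (block page) or at other tampering on the exit's resolver path.
    unexpected = set(obs.dns_answers) - base.dns_answers
    if unexpected:
        findings.append("OpenDNS blocking" if unexpected & KNOWN_BLOCKPAGE_ADDRS else "DNS censorship")

    return findings


# Constructed sample data standing in for real probe results.
GENUINE_CERT = b"constructed DER bytes of the origin's real certificate"
BASELINE = Baseline(
    cert_sha256=cert_fingerprint(GENUINE_CERT),
    ssh_hostkey="SHA256:constructed-genuine-host-key",
    dns_answers={"198.51.100.10"},
    redirects_to_https=True,
)


def sample_observations() -> List[Observation]:
    """Five constructed exits: one benign, four showing attack classes from the table."""
    return [
        Observation("EXIT-A", tls_cert_der=GENUINE_CERT, ssh_hostkey=BASELINE.ssh_hostkey,
                    dns_answers=["198.51.100.10"], http_status=301,
                    http_headers={"Location": "https://example.test/"}),
        Observation("EXIT-B", tls_cert_der=b"constructed forged certificate",
                    ssh_hostkey="SHA256:constructed-attacker-host-key",
                    dns_answers=["198.51.100.10"]),
        Observation("EXIT-C", dns_answers=["198.51.100.10"], http_status=200,
                    http_body=b'<a href="http://example.test/login">log in</a>'),
        Observation("EXIT-D", dns_answers=["203.0.113.7"]),
        Observation("EXIT-E", dns_answers=["192.0.2.1"]),
    ]


def scan(observations: List[Observation], base: Baseline) -> Dict[str, List[str]]:
    """Map each exit fingerprint to its findings; a benign exit maps to an empty list."""
    return {obs.exit_fingerprint: classify_exit(obs, base) for obs in observations}


if __name__ == "__main__":
    for fpr, findings in scan(sample_observations(), BASELINE).items():
        print(fpr, "->", ", ".join(findings) or "no anomaly")
```

In practice the Observation for each exit is filled from fetches routed through that exit, and the Baseline from the same fetches made directly and, ideally, from several vantage points, since a site that legitimately serves different certificates or addresses per region would otherwise look like a MitM. The body-hash check only makes sense for pages that are static when fetched directly; dynamic pages need content normalisation before comparison.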
Our exit relay scanner exitmap is freely available under the GPLv3 license. It is written in pure Python and makes use of the library
The scanner comes with some modules included, but if you decide to write your own module, please contact us so we can include it in the main repository.
Note that if your module makes use of standalone tools such as OpenSSH, you will need to use our patch for
You can get a copy of
git clone https://github.com/NullHypothesis/exitmap.git
Our Torbutton patches are also available on GitHub. Please note that the patches are highly experimental and should only be understood as proof of concept. As a result, the code is incomplete and not safe for practical use.
git clone -b multicircuit_verification https://github.com/NullHypothesis/torbutton.git