Spoiled Onions:Exposing Malicious T

Spoiled Onions:
Exposing Malicious Tor Exit Relays
Philipp Winter
Karlstad University
Stefan Lindskog
Karlstad University
arXiv:1401.4917v1 [cs.CR] 20 Jan 2014
Abstract
Several hundred Tor exit relays together push more than
1 GiB/s of network traffic. However, it is easy for exit
relays to snoop and tamper with anonymised network
traffic and as all relays are run by independent volun-
teers, not all of them are innocuous. In this paper, we
seek to expose malicious exit relays and document their
actions. First, we monitored the Tor network after devel-
oping a fast and modular exit relay scanner. We imple-
mented several scanning modules for detecting common
attacks and used them to probe all exit relays over a pe-
riod of four months. We discovered numerous malicious
exit relays engaging in different attacks. To reduce the
attack surface users are exposed to, we further discuss
the design and implementation of a browser extension
patch which fetches and compares suspicious X.509 cer-
tificates over independent Tor circuits. Our work makes
it possible to continuously monitor Tor exit relays. We
are able to detect and thwart many man-in-the-middle at-
tacks which makes the network safer for its users. All
our code is available under a free license.
1 Introduction
As of January 2014, nearly 1,000 exit relays [24] dis-
tributed all around the globe serve as part of the Tor
anonymity network [7]. As illustrated in Figure 1, the
purpose of these relays is to establish a bridge between
the Tor network and the “open” Internet. A user’s Tor
circuits, which are encrypted tunnels, terminate at exit
relays and from there, the user’s traffic proceeds to travel
over the open Internet to its final destination. Since exit
relays can see traffic as it is sent by a Tor user, their
role is particularly sensitive compared to entry guards
and middle relays; especially because traffic frequently
lacks end-to-end encryption.
By design, exit relays act as a “man-in-the-middle”
(MitM) in between a user and her destination. This
1
renders it possible for exit relay operators to run vari-
ous MitM attacks such as traffic sniffing, DNS poison-
ing, and SSL-based attacks such as HTTPS MitM and
sslstrip [19]. An additional benefit for attackers is that
exit relays can be set up quickly and anonymously, mak-
ing it very difficult to trace attacks back to their origin.
While it is possible for relay operators to specify con-
tact information such as an email address1 , this is op-
tional. As of January 2014, only 56% out of all 4,962
relays publish contact information. Even fewer relays
have valid contact information.
To thwart a number of popular attacks, Tor-
Browser [23]—the Tor Project’s modified version
of Firefox—ships with extensions such as HTTPS-
Everywhere [8] and NoScript [14]. While HTTPS-
Everywhere provides rules to rewrite HTTP traffic to
HTTPS traffic, NoScript attempts to prevent many script-
based attacks. However, there is little users can do if
web sites implement poor security such as the lack of
site-wide TLS, session cookies being sent in the clear, or
using weak cipher suites in their web server configura-
tion. Often, such bad practices enable attackers to spy on
users’ traffic or, even worse, hijack accounts. Besides,
TorBrowser cannot protect against attacks targeting pro-
tocols such as SSH.
All these attacks are not just of theoretical nature. In
2007, a security researcher published 100 POP3 govern-
ment credentials he captured by sniffing traffic on a set
of exit relays under his control [22]; supposedly to show
the need for end-to-end encryption when using Tor. In
Section 2, we will discuss additional attacks which were
found in the wild.
1.1
What Happens to Bad Exits?
The Tor Project has a way to prevent clients from se-
lecting bad exit relays as the last hop in their three-hop
information can be useful to get in touch with relay oper-
ators, e.g., if they misconfigured their relay.
1 Contact

circuits. After a suspected relay is communicated to the
project, the reported attack is first reproduced. If the at-
tack can be verified, a subset of two (out of all nine) di-
rectory authority operators manually blacklist the relay
using Tor’s AuthDirBadExit configuration option. Every
hour, the directory authorities vote on the network con-
sensus which is a signed list of all relays, the network
is comprised of. Among other information, the consen-
sus includes the BadExit flag. As long as the majority
of the authorities responsible for the BadExit flag, i.e.,
two out of two, agree on the flag being set for a partic-
ular relay, the next network consensus will label the re-
spective relay as BadExit. After the consensus was then
signed by a sufficient number of directory authorities, it
propagates through the network and is eventually used
by all Tor clients after a maximum of three hours. From
then on, clients will no longer select relays labelled as
BadExit as the last hop in their circuits. Note that this
does not mean that BadExit relays become effectively
useless. They keep getting selected by clients as their
entry guards and middle relays. All the malicious relays
we discovered were assigned the BadExit flag.
Note that the BadExit flag is not only given to relays
which are proven to be malicious. It is also assigned to
relays which are misconfigured or are otherwise unable
to fulfil their duty of providing unfiltered Internet access.
A frequent cause of misconfiguration is the use of third-
party DNS resolvers which block certain web site cate-
gories.
Apart from the BadExit flag, directory authorities can
blacklist relays by disabling its Valid flag which prevents
clients from selecting the relay for any hop in its circuit.
This option can be useful to disable relays running a bro-
ken version of Tor or are suspected to engage in end-to-
end correlation attacks.
Entry guard
Encrypted by Tor
Not encrypted by Tor
Tor client
Tor
network
Middle relay
Exit relay
Destination
Figure 1: The structure of a three-hop Tor circuit. Exit
relays constitute the bridge between encrypted circuits
and the open Internet. As a result, exit relay opera-
tors can see—and tamper with—the anonymised traffic
of users.
and implementation of exitmap. Section 4 then presents
the attacks we discovered in the wild. Next, Section 5
proposes the design and implementation of a browser ex-
tension patch which can protect against HTTPS MitM
attacks. Finally, Section 6 concludes this paper.
2
Related Work
1.2 Contributions
The three main contributions of this paper are as follows.
• We discuss the design and implementation of ex-
itmap; a flexible and fast exit relay scanner which is
able to detect several popular MitM attacks.
• Using exitmap, we monitored the Tor network over
a period of four months. We analyse the attacks we
discovered in the wild during that time period.
• We propose the design and prototype of a browser
extension patch which fetches and compares X.509
certificates over diverging Tor circuits. That allows
our patch to detect MitM attacks against HTTPS.
The remainder of this paper is structured as follows.
Section 2 begins by giving an overview of related work.
It is followed by Section 3 which discusses the design
2
While MitM attacks have generally received consider-
able attention in the literature [12, 30], their occurrence
in the Tor network remains largely unexplored. This
is unfortunate as the Tor network enables the study of
real-world MitM attacks which are rare and poorly doc-
umented outside the Tor network.
In 2006, Perry began developing the framework
“Snakes on a Tor” (SoaT) [25]. SoaT is a Tor network
scanner whose purpose—similar to our work—is to de-
tect misbehaving exit relays. Decoy content is first
fetched over Tor, then over a direct Internet connection,
and finally compared. Over time, SoaT was extended
with support for HTTP, HTTPS, SSH and several other
protocols. However, SoaT is no longer maintained and
makes use of deprecated libraries. Compared to SoaT,
our design is more flexible and significantly faster.
Similar to SoaT, Marlinspike implemented tortun-
nel [20]. The tool exposes a local SOCKS interface
which accepts connections from arbitrary applications.
Incoming data is then sent over exit relays using one-hop
circuits. By default, exitmap does not use one-hop cir-
cuits as that could be detected by attackers which could
then act innocuously.
A first attempt to detect malicious exit relays was
made in 2008 by McCoy et al. [21]. The authors estab-
lished decoy connections to servers under their control.
They further controlled the authoritative DNS server re-
sponsible for the decoy hosts’ domain names. As long as
an attacker on an exit relay sniffed network traffic with

reverse DNS lookups being enabled, the authors were
able to map reverse lookups to exit relays by monitor-
ing the authoritative DNS server’s traffic. Using that side
channel, McCoy et al. were able to find one exit re-
lay sniffing POP3 traffic at port 110. However, attack-
ers could avoid that side channel by disabling reverse
lookups. The popular tool tcpdump implements the com-
mand line switch -n for that exact purpose.
In 2011, Chakravarty et al. [3] attempted to detect exit
relays sniffing Tor users’ traffic by systematically trans-
mitting decoy credentials over all active exit relays. Over
a period of ten months, the authors uncovered ten relays
engaging in traffic snooping. Chakravarty et al. could
verify that the operators were sniffing exit traffic because
they were later found to have logged in using the snooped
credentials. While the work of Chakravarty et al. rep-
resents an important first step towards monitoring the
Tor network, their technique only focused on SMTP and
IMAP. At the time of writing, only 20 out of all ∼1,000
exit relays allow exiting to port 25. HTTP appears to be
significantly more popular [