Snooping on Tor from Your Load Balancer
- by nlqip
One of the missteps I found was that, by default, the Tor node would accept and relay BitTorrent traffic. My American ISP detected the BitTorrent traffic exiting my node and started sending me emails, and, I suspect, interfering with my network traffic (though I didn’t prove that beyond a suspicion).
Fortunately, the Tor Project publishes guidance on configuring an exit node so that it refuses torrent and other troublesome traffic; the usual approach is a reduced exit policy that accepts only a short list of well-known service ports and rejects everything else.[5]
I also didn't want Tor hogging all my bandwidth, so I configured it with what I thought were sane limits on the relay's inbound and outbound rate (100 Mbps in and out).
Initial Tor traffic was sparse and spotty. Perhaps the Tor network doesn’t automatically assume that brand new nodes have good bandwidth, so it slowly ramps up traffic it sends through the node until that node has proven itself. Eventually, after a week or so, I started seeing a steady clip of Tor traffic passing through my exit node—a couple of gigabytes per day.
What Exactly Do I Mean by Snooping?
As connections leave the Tor exit node, they are destined for actual Internet services, usually on the well-known ports for HTTP, HTTPS, mail, FTP, IRC and so on. From the destination's point of view the exit node is doing the equivalent of source NAT (SNAT): every connection arrives from the exit's own IP address, and the true client addresses behind it are hidden.
I configured another outbound virtual server on my load balancer to handle HTTP specifically. Traffic destined for port 80 started flowing through it; it turned out to be about half of the traffic exiting the Tor node.
So, the system was all set up to fully snoop on HTTP connections exiting my Tor node. Things I could have done to that traffic include:
- Record every packet
- Capture usernames and passwords
- Steal session cookies
- Poison web pages
- Inject JavaScript tracking code
- Return malware
- Clickjack websites
- Replace all advertising
I had, in effect, created a forward proxy that could have done a huge number of terrible things to the users.
But as curious as I was, my personal code would not allow me to do any of those things. I always play lawful, good characters in RPGs, which, to me, is the prime indicator of one's personal moral compass. I've surveyed three dozen InfoSec professionals[6] about what it would take to move to the dark side, and most, including me, would not turn for any amount of personal gain.
What I did do, though, was insert a little script into the proxy to count the number of unprotected login pages passing through it. I did not record, or even look for, user credentials.
On a typical day, I saw about 2,000 unprotected login pages passing through my Tor exit node.
I found that number extremely high, and worrisome. If a person is concerned enough about privacy to use the Tor network, you’d think they’d also be using HTTPS to protect their network traffic, especially around login pages.
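As an added example, not the author's script (the post does not show it): a classifier of the kind one could attach to the port-80 virtual server tap to count plaintext login pages without retaining credentials. It keys only on the presence of a password input in served HTML and on form field names in POST bodies; field values are parsed in memory and discarded, and nothing but the count leaves the function. The sample messages are constructed. The last two samples also show a limit of this kind of count: a JSON login API and a page without a form are not counted.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Field names that commonly carry a password in a login form (assumption).
PASSWORD_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret)$", re.I)
# An HTML password input in a served page.
PASSWORD_INPUT = re.compile(rb'<input\b[^>]*\btype\s*=\s*["\']?password\b', re.I)


def split_http(raw: bytes):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def classify(raw: bytes) -> str:
    """Return 'login_form', 'credential_post' or 'other' for one plaintext message.

    Bodies and field values are inspected in memory only; they are never
    stored or logged. Only the label is returned.
    """
    start, headers, body = split_http(raw)
    ctype = headers.get("content-type", "").lower()
    if start.startswith("HTTP/"):
        # A response: does the served page ask for a password?
        if "text/html" in ctype and PASSWORD_INPUT.search(body):
            return "login_form"
        return "other"
    # A request: is it a form submission that names a password field?
    method = start.split(" ", 1)[0]
    if method == "POST" and "application/x-www-form-urlencoded" in ctype:
        names = (name for name, _ in parse_qsl(body.decode("latin-1"),
                                               keep_blank_values=True))
        if any(PASSWORD_FIELD.match(name) for name in names):
            return "credential_post"
    return "other"


def tally(messages) -> Counter:
    """Count message classes across a stream of port-80 messages."""
    return Counter(classify(m) for m in messages)


# Constructed sample traffic for the demo (not captured data).
SAMPLES = [
    b"GET /news HTTP/1.1\r\nHost: example.org\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<form method=post action=/login><input name=user>"
    b"<input type=\"password\" name=pass></form>",
    b"POST /login HTTP/1.1\r\nHost: example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=alice&password=hunter2",
    b"POST /api HTTP/1.1\r\nHost: example.org\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"password": "not-a-form"}',
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>No form here</h1>",
]

if __name__ == "__main__":
    print(dict(tally(SAMPLES)))
```

Run against the samples it reports one login form served, one credential submission and three other messages. On a real tap the same function would be fed each request and response the virtual server sees; nothing about the user is kept, which is the property that keeps a counting experiment on the right side of the line the post draws.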
The End of the Experiment
My Tor exit node adventure came to an end one day a few weeks later. With the node humming along in the basement, I was upstairs on my MacBook trying to log into my banking website, but the bank wasn’t accepting my connections. I assumed it was some kind of maintenance issue at the bank, so I waited a couple of days and tried again. Still no luck. And then other sites started denying my connections. One of them was Starbucks, which prevented me from reloading my Starbucks card.
I realized that, duh, my home had been globally marked as a Tor exit node, and sites were (correctly) blocking my traffic. I usually recommend to customers I talk to that they do the same. While, yes, newspapers should accept Tor traffic because they are dealing in a trade where the free flow of news is perhaps a human right, there is probably no good reason for a bank or insurance company to accept Tor traffic. And many reasons not to. An enterprise can block a whole threat surface of nasty hacking traffic just by blocking the thousand or so Tor exit nodes on the Internet.
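An added example (my code, not something from the post) of the blocking policy recommended above, applied to a constructed excerpt in the format of the Tor Project's published bulk exit list (https://check.torproject.org/torbulkexitlist), with a hypothetical per-site policy table and the ipset/iptables commands a Linux edge host could load. One caveat the post does not spell out: exit relays churn, so the list has to be re-fetched on a schedule or the block decays; a stale list both misses new exits and keeps blocking addresses that are no longer relays.

```python
import ipaddress

# Constructed excerpt, one address per line as in the bulk exit list.
# Addresses are from documentation ranges, not real relays.
SAMPLE_EXIT_LIST = """\
# tor exit list (constructed sample)
192.0.2.10
192.0.2.11
198.51.100.7
203.0.113.250
"""

# Hypothetical site classes for the policy in the text: services with no
# reason to accept Tor deny it; a publication accepts it.
BLOCK_TOR = {"bank.example", "insurer.example"}
ALLOW_TOR = {"news.example"}


def parse_exit_list(text: str) -> frozenset:
    """Parse the bulk list into a set of addresses, skipping blanks and comments."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        exits.add(ipaddress.ip_address(line))
    return frozenset(exits)


EXITS = parse_exit_list(SAMPLE_EXIT_LIST)


def is_tor_exit(client_ip: str, exits: frozenset = EXITS) -> bool:
    """True if the client address is a known exit at the time the list was fetched."""
    return ipaddress.ip_address(client_ip) in exits


def decide(client_ip: str, host: str, exits: frozenset = EXITS) -> str:
    """Return 'deny' for Tor traffic to a site in BLOCK_TOR, else 'allow'."""
    if host in BLOCK_TOR and is_tor_exit(client_ip, exits):
        return "deny"
    return "allow"


def ipset_rules(exits: frozenset = EXITS, setname: str = "tor_exits") -> list:
    """Render the set as ipset/iptables commands for a Linux edge host.

    -exist makes the commands idempotent so a cron job can re-run them
    after every refresh of the list.
    """
    ordered = sorted(exits, key=lambda a: (a.version, int(a)))
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in ordered]
    cmds.append(f"iptables -I INPUT -p tcp --dport 443 "
                f"-m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    print(decide("192.0.2.10", "bank.example"), decide("192.0.2.10", "news.example"))
    print("\n".join(ipset_rules()))
```

The per-host table is where the post's nuance lives: the same exit list yields "deny" for the bank and "allow" for the newspaper, so one feed can serve both policies.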
At first it seemed I could get around the blocking problem by VPNing into work and accessing my online banking page from there. But that would have created a bridge between my Tor exit node and the corporate network, which seemed like a really bad idea. Like the kind of idea that gets you fired. But I couldn’t live without online banking, or many of the other services that were blocking me.
So, reluctantly, I disabled the inbound Tor virtual server and let all the connections bleed off. Then I shut down the pawn shop computer and renewed my ISP lease to get a new IP address.
Was It Worth It?
Ultimately, there was a decent amount of satisfaction to be gained from running the Tor exit node. The project I’d been assigned that ultimately required the user traffic got postponed, which deprioritized the need for the live traffic. But, I saved all the configurations so I can fire it up again at any time and start passing positive traffic on behalf of all the freedom fighters and oppressed journalists in the world.