Tor Project runs several scanners for this behavior. Arguably, unless your ISP, ISP's ISP, coffee shop, etc., are all 100% on top of their game, this could happen in any one of those environments too.
So they shut down a node, the node operator notices and restarts it.
The problem is that people actually make money from malware. It's not bored college kids showing off skills. It's pros.
So think like a pro. You use a zero-day to hack into Verizon to feed malware, get noticed, and your hack gets reversed after an hour.
You open a Tor exit node on a VPS, use it to feed malware, profit. They close it, you re-open it on another host. They play whack-a-mole, and you rake it in.
The thing is that it takes a significant amount of time and bandwidth to get flagged as an exit and included on circuits. So your set of hosts is going to be pretty limited to start; most hosts are pretty hostile to Tor exits as it is, and are going to shut down an exit hosted in their IP space because they don't want to deal with the abuse complaints. In contrast, the exit scanner can be among the first users of a new exit node. You could try to detect the scanner, but the nature of Tor is that this isn't feasible.
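The check an exit scanner performs, as an added example that is not part of the thread and not the Tor Project's own scanner code: fetch the same URLs directly and through each exit, then flag any exit whose bytes differ from the direct fetch. The exit fingerprints, URLs and response bodies below are constructed in memory so the script runs offline; a real scanner would pin a circuit through each exit and fetch over it. The example also covers the case the comments imply, an exit that leaves text alone and only patches executables, which is why a scanner has to probe the content types an attacker would actually target.

```python
"""Exit-scanner style tamper check (added example, constructed data)."""
import hashlib

# Constructed reference payloads, as if fetched directly, not through Tor.
REFERENCE = {
    "http://example.invalid/README.txt": b"Release notes for installer 1.2\n",
    "http://example.invalid/installer.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"clean-installer",
}

# Constructed per-exit responses (made-up fingerprint -> url -> body).
# Exit B returns the text untouched but patches the executable; A and C are honest.
EXIT_RESPONSES = {
    "A" * 40: dict(REFERENCE),
    "B" * 40: {
        "http://example.invalid/README.txt": REFERENCE["http://example.invalid/README.txt"],
        "http://example.invalid/installer.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"trojaned-stub",
    },
    "C" * 40: dict(REFERENCE),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_exit(reference, exit_bodies):
    """URLs whose body through this exit differs from the direct fetch.

    A missing response counts as a difference; an empty list means the exit
    served every probe byte-for-byte identical to the reference.
    """
    return [
        url
        for url, body in reference.items()
        if sha256_hex(exit_bodies.get(url, b"")) != sha256_hex(body)
    ]


def scan(reference, exit_responses):
    """Map each exit fingerprint to the list of URLs it tampered with."""
    return {fp: diff_exit(reference, bodies) for fp, bodies in exit_responses.items()}


def flagged_exits(report):
    """Fingerprints that tampered with at least one probe, sorted."""
    return sorted(fp for fp, bad in report.items() if bad)


if __name__ == "__main__":
    result = scan(REFERENCE, EXIT_RESPONSES)
    for fp, bad in result.items():
        print(fp[:8], "TAMPERED: " + ", ".join(bad) if bad else "ok")
```

Only exit B is flagged, and only on the executable: comparing a single text probe would have passed it. That is the reason a scanner needs a mix of content types, and why, as the comment above says, the attacker cannot fix this by trying to recognise the scanner, since its probes look like any other client's downloads.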
In any case, you can solve the problem of distributing software over Tor by setting up a hidden service. The Tor devs have been making noise for a while about creating an "onion service" that isn't hidden, but has the same guarantees as a hidden service (an improved version of exit enclaving).
Last time I checked, the Tor Project's handling of malicious exit nodes was one guy who didn't really care all that much about reports of active MITM attacks that were actually robbing people of money (well, Bitcoins anyway). Just flat out refused to pull the nodes doing it.
Did you check prior to the multiple years of work on the exit scanner? Just lurking on tor-relays and tor-talk shows a lot of responsiveness on the part of the dirauths.
nixos|9 years ago
tedks|9 years ago
makomk|9 years ago
tedks|9 years ago