What the heck is a TOR Exit Node?


When writing about an analysis of the report on the Russian Hacking the other day, the following was mentioned …

…What we’re seeing in this IP data is a wide range of countries and hosting providers. 15% of the IP addresses are Tor exit nodes. These exit nodes are used by anyone who wants to be anonymous online, including malicious actors.

That highlighted bit perhaps catches the eye.

What the heck is a TOR Exit Node?

OK, so let’s take this step by step.

The name TOR is in fact an acronym that stands for “The Onion Router”.

Every interconnected computer out there has a unique number called an IP address. When you connect to another computer, another IP destination, your IP address identifies you to that other computer. This is what happens when you surf the web; it is how it all works under the covers. If, however, you wish to be anonymous and hide who you are and where you are, then the Tor network offers a way of doing exactly that. The Tor Wikipedia page describes it like this …

Onion routing is implemented by encryption in the application layer of a communication protocol stack, nested like the layers of an onion. Tor encrypts the data, including the destination IP address, multiple times and sends it through a virtual circuit comprising successive, randomly selected Tor relays. Each relay decrypts a layer of encryption to reveal only the next relay in the circuit in order to pass the remaining encrypted data on to it. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing, or even knowing, the source IP address. Because the routing of the communication is partly concealed at every hop in the Tor circuit, this method eliminates any single point at which the communicating peers can be determined through network surveillance that relies upon knowing its source and destination.

That’s a lot of words to digest, so let’s try a series of pictures.

To answer the question: what both Jane and Bob see is a connection coming from a Tor exit node. They have no idea that the original connection came from Alice and no way of finding out (well, generally not; I’ll get to that). What is happening here is a series of onion-like layers of encryption as data flows through the Tor network. Each node can only decrypt enough to send the data on to the next node, and cannot see where it originally came from. If you wanted to identify the source, you would need to crack the encryption for a path of randomly selected nodes, and that path is dynamic and constantly changing.
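The layering described above, as an added sketch that is not part of the original post. The relay names, keys and destination are made up, and the SHA-256 keystream is a toy stand-in for Tor's real cryptography; the point is only what each hop can and cannot see.

```python
import hashlib
import json

# Hypothetical three-relay circuit with made-up keys (real Tor negotiates
# fresh keys with every relay when the circuit is built).
KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
PATH = ["guard", "middle", "exit"]

def keystream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def build_onion(path, keys, destination, payload):
    """Client side: wrap the exit's layer first and the entry relay's layer last."""
    hops = path[1:] + [destination]          # what each relay is told to forward to
    blob = payload
    for relay, nxt in reversed(list(zip(path, hops))):
        layer = json.dumps({"next": nxt, "inner": blob.hex()}).encode()
        blob = keystream_xor(keys[relay], layer)
    return blob

def peel(relay, keys, blob):
    """Relay side: remove one layer, learning only the next hop."""
    layer = json.loads(keystream_xor(keys[relay], blob))
    return layer["next"], bytes.fromhex(layer["inner"])

def route(path, keys, onion, client):
    """Forward the onion along the path, recording what every relay observes."""
    seen, prev, blob = {}, client, onion
    for relay in path:
        nxt, blob = peel(relay, keys, blob)
        seen[relay] = {"from": prev, "to": nxt}
        prev = relay
    return seen, blob                        # blob is now the original payload
```

Only the first relay ever sees the client's address and only the last one sees the destination, so the destination's logs show the exit relay as the source.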

Not impossible, but it is damn hard to trace.
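What the destination does see is the exit node's address, and the Tor Project publishes the list of current exit addresses, so a figure like the 15% quoted at the top is something any site owner can compute from their own logs. An added example, not from the original post: the exit list and log lines below are constructed, and the record layout of the list is an assumption about the published format.

```python
import ipaddress

# Constructed sample in the record layout of the Tor Project's exit list
# (assumed layout; fingerprints and addresses are placeholders).
EXIT_LIST = """\
ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2017-01-02 03:20:53
LastStatus 2017-01-02 04:03:23
ExitAddress 192.0.2.10 2017-01-02 04:07:45
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2017-01-02 01:11:02
LastStatus 2017-01-02 04:03:23
ExitAddress 198.51.100.7 2017-01-02 04:09:12
"""
# Constructed access-log lines; the client address is the first field.
LOG = [
    '192.0.2.10 - - [02/Jan/2017:05:01:10 +0000] "GET /login HTTP/1.1" 200 1532',
    '203.0.113.5 - - [02/Jan/2017:05:01:12 +0000] "GET / HTTP/1.1" 200 8841',
    '::ffff:198.51.100.7 - - [02/Jan/2017:05:02:40 +0000] "GET /login HTTP/1.1" 200 1532',
    '203.0.113.9 - - [02/Jan/2017:05:03:01 +0000] "GET /feed HTTP/1.1" 200 4410',
    'garbled line without an address',
]

def normalise(text):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4."""
    ip = ipaddress.ip_address(text)
    return (ip.ipv4_mapped or ip) if ip.version == 6 else ip

def parse_exit_list(text):
    """Return {exit address: relay fingerprint} from ExitNode/ExitAddress records."""
    exits, node = {}, None
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 2 and parts[0] == "ExitNode":
            node = parts[1]
        elif len(parts) >= 2 and parts[0] == "ExitAddress" and node:
            exits[normalise(parts[1])] = node
    return exits

def tor_share(log_lines, exits):
    """Distinct client IPs that are listed exits, and their share of all distinct IPs."""
    clients = set()
    for line in log_lines:
        try:
            clients.add(normalise(line.split(" ", 1)[0]))
        except ValueError:      # first field is not an IP address: skip the line
            continue
    hits = sorted(str(ip) for ip in clients if ip in exits)
    return hits, (len(hits) / len(clients) if clients else 0.0)
```

A match only says the traffic left Tor through that relay; it says nothing about who sent it.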

So what is Tor used for?

Rather obviously the motivation is to remain hidden and to also access the dark web and hidden services. Yes, some just want to remain anonymous, but to be frank, rather a lot of it is stuff you really do not want to ever get involved in. As of Jan 2015, the available “hidden services” break down as follows …

However, while the above breaks down the hidden services out there, don’t let that skew your thinking. About 40% of all the actual Tor traffic consists of ordinary people using BitTorrent to download movies and TV shows. They just don’t want anybody complaining to their ISP that they are doing this.

If that is your thing then this is really not the best solution because you can be identified.

Is it truly anonymous, does it actually work?

No, it is crackable. For example …

The results presented in the bad apple attack research paper are based on an attack in the wild launched against the Tor network by the authors of the study. The attack targeted six exit nodes, lasted for 23 days, and revealed a total of 10,000 IP addresses of active Tor users. This study is particularly significant because it is the first documented attack designed to target P2P file-sharing applications on Tor.[101] BitTorrent may generate as much as 40% of all traffic on Tor.[102] Furthermore, the bad apple attack is effective against insecure use of any application over Tor, not just BitTorrent.[101]

It does of course crank up the degree of security, but do not be fooled into thinking it makes you 100% anonymous.

Tor Urban Legends

OK, a bit of fun. Like most things in life we tell stories to each other and so there are also Tor Urban Legends.

There are rumours of crowdfunded assassinations and hitmen for hire.

Is any of that actually real?

Bottom Line

Yes, you can just download a Tor browser and start accessing the dark web, but you do need to be aware of a few specific things.

  1. It is not truly anonymous; those who need to crack the network and work out who you are can do so (for example, Europol have cracked it, but will not say how because they want to continue doing so).
  2. On the Internet scams abound, but jump into the dark web and it is scams on steroids.

Like the rather dodgy side of town where you really do not want to be at night, it is all best avoided if you want to stay safe.

Step one for somebody whose PC is infested with malware is … “OK, let’s start by getting rid of this Tor Browser you have here”.
