ExitSniffer: Towards Comprehensive Security Analysis of Anomalous Binding Relationship of Exit Routers

Tor exit relays are operated by volunteers and the trustworthiness of Tor exit relays need to be revisited in a long-term manner. In this paper, we monitored the Tor network by developing a fast and distributed exit relay scanner (ExitSniffer) to probe all exit relays over a period of 16 months continuously, seeking to expose the anomalous binding relationship phenomena of exit routers simply by comparing the returnIP and consensusIP. We totally find 1983 malicious exit relays which average contribute 10.12% bandwidth of total Tor exit relays bandwidth monthly, resulting tremendous threaten for Tor user's anonymity according to the current path-relay selecting algorithm. There exits two types of anomalous binding relationship consists 35 exit relay families, with different size ranging from 2 to 230, which are neither announced in the consensus document or detected by the Tor network.