Marco Ramilli’s Blog: Spotting Malicious Node Relays

TOR is well-known software that protects communications by dispatching packets through a chain of relays spread across the world and run by a network of volunteers. Because of the high degree of anonymity it provides, TOR has been used over the past years to cover malicious actions by both physical and cyber attackers. TOR, especially through its browser bundle (the TOR Browser), is also known as the main (meaning the most widely used) way to reach the Dark Web, where "malicious" people buy and sell illegal goods on dark markets.

Each relay in the network decides, based on its own configuration, whether to act as an exit node (in the following picture, the last machine contacting "Bob") or only as a middle relay (in the following picture, a TOR node highlighted by a green cross). A relay that chooses to be an exit node exposes its own IP address to the public world, because the destination sees the exit's address as the source of the traffic; its exit policy decides which destination addresses and ports it is willing to forward to. It is usually a good idea to alert the local police and the ISP in use in advance, in order to avoid penalties.
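As an added example (not code from the original post), the following script shows the torrc settings that make the exit-or-middle decision, with a middle-only relay beside an exit relay that only forwards web traffic, and evaluates them the way tor does. The two torrc snippets are constructed samples; the parser only models `ExitRelay`, `ORPort` and `ExitPolicy` rules of the form `accept|reject *:port`, and it assumes the documented semantics of `ExitRelay` (0 never exits, 1 exits using the configured policy, `auto` exits only if an `ExitPolicy` is present).

```python
"""Decide from a torrc whether a relay would run as an exit and what its policy allows.

Added example, not part of the original post. Assumes the tor manual's ExitRelay
semantics: 0 = never exit, 1 = exit with the configured ExitPolicy, auto = exit
only if an ExitPolicy is configured. Only `*:port` / `*:*` rules are modelled.
"""

# Constructed sample: a relay that only carries middle-hop traffic.
MIDDLE_RELAY_TORRC = """\
ORPort 9001
Nickname ExampleMiddle
ContactInfo admin@example.org
ExitRelay 0
"""

# Constructed sample: an exit relay restricted to HTTP/HTTPS destinations.
EXIT_RELAY_TORRC = """\
ORPort 9001
Nickname ExampleExit
ContactInfo admin@example.org
ExitRelay 1
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""


def parse_torrc(text):
    """Return (key, value) pairs; torrc lines are 'Key value', '#' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].lower(), value))
    return entries


def get_option(entries, key, default=None):
    """First value of a torrc option (case-insensitive key), or default."""
    for k, v in entries:
        if k == key.lower():
            return v
    return default


def exit_policy_rules(entries):
    """Flatten all ExitPolicy lines (each may hold a comma-separated list) in order."""
    rules = []
    for k, v in entries:
        if k == "exitpolicy":
            rules.extend(r.strip() for r in v.split(",") if r.strip())
    return rules


def is_exit(torrc_text):
    """True if this torrc makes the relay advertise itself as an exit node."""
    entries = parse_torrc(torrc_text)
    if get_option(entries, "ORPort") is None:
        return False  # no ORPort: not a relay at all, so it cannot be an exit
    mode = get_option(entries, "ExitRelay", "auto").lower()
    if mode == "0":
        return False
    if mode == "1":
        return True
    return bool(exit_policy_rules(entries))  # auto: exit iff a policy is configured


def _port_matches(port_spec, port):
    """Match a port or an inclusive 'low-high' range; '*' matches everything."""
    if port_spec == "*":
        return True
    low, _, high = port_spec.partition("-")
    return int(low) <= port <= int(high or low)


def policy_allows(torrc_text, port):
    """First-match evaluation of the exit policy for a destination port.

    Returns True/False on a matching rule, False for a non-exit relay, and None
    when no rule matches (tor would then fall back to its default policy,
    which is not modelled here).
    """
    if not is_exit(torrc_text):
        return False
    for rule in exit_policy_rules(parse_torrc(torrc_text)):
        action, _, pattern = rule.partition(" ")
        host, _, port_spec = pattern.strip().rpartition(":")
        if host != "*":
            continue  # address-specific rules are outside this example's scope
        if _port_matches(port_spec, port):
            return action.lower() == "accept"
    return None


if __name__ == "__main__":
    for name, cfg in (("middle", MIDDLE_RELAY_TORRC), ("exit", EXIT_RELAY_TORRC)):
        print(name, "is_exit:", is_exit(cfg), "port 443:", policy_allows(cfg, 443))
```

The point of the `auto` branch is the practical caveat: an operator who never sets `ExitRelay` but adds an `ExitPolicy` line ends up running an exit, and therefore exposing their IP address to every destination, without ever having written `ExitRelay 1`.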
