When is a tor exit not an exit

Are all exits real?

I wrote previously about monitoring a fragment of the Tor network traffic without actually being a real exit (and therefore limiting the potential for legal trouble). Since the way to do this is rather simple, I decided to check if anyone else is using the same process.


I forced a path through each exit listed in the directory, checking 4 different show-me-my-ip services. If the returned address didn’t match the advertised one, I checked the same exit the next day. The forced path contained only 2 nodes: one guard I was already connected to and the chosen exit node. I followed up with more checks on the exits that changed over time.

The result is similar to what the Tor Project provides, I believe, but I also wanted to check if any exits mess with the IP discovery.

This can be done by setting a long idle time (MaxCircuitDirtiness) and setting __DisablePredictedCircuits so that new circuits are not created automatically. Then, after closing all existing circuits, one was created via a (guard, exit) pair and the test was run with curl through the SOCKS socket.


Out of 858 exits checked in the first run, 43 returned IPs which didn’t match the advertised IP. 40 of those were still alive the next day and still didn’t match.
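The comparison and next-day recheck described above can be sketched as follows. This is an added example, not the script used for this post: the function names, the placeholder fingerprints (EXIT_A and so on) and the documentation-range addresses are all constructed, and the response bodies stand in for what the show-me-my-ip services would return over each forced circuit.

```python
import ipaddress
from collections import Counter

def parse_ip(body):
    """Normalize one show-me-my-ip response body; None if it is not an address."""
    try:
        return ipaddress.ip_address(body.strip())
    except ValueError:
        return None

def classify_exit(advertised, responses):
    """Compare the directory-advertised address with what the services reported.

    responses: raw bodies fetched over one forced (guard, exit) circuit.
    Returns (verdict, observed address as a string or None).
    """
    adv = ipaddress.ip_address(advertised)
    seen = Counter(ip for ip in map(parse_ip, responses) if ip is not None)
    if not seen:
        return "no-answer", None
    top = seen.most_common(1)[0][0]
    if len(seen) > 1:
        return "inconsistent", str(top)  # services disagree with each other
    return ("match" if top == adv else "mismatch"), str(top)

def persistent_mismatches(day1, day2):
    """Exits that returned a non-advertised address on both days."""
    return sorted(fp for fp, (verdict, _) in day1.items()
                  if verdict == "mismatch"
                  and day2.get(fp, ("no-answer", None))[0] == "mismatch")

# Constructed sample data: placeholder fingerprints, documentation-range IPs.
ADVERTISED = {"EXIT_A": "192.0.2.10", "EXIT_B": "192.0.2.20", "EXIT_C": "192.0.2.30"}
DAY1 = {"EXIT_A": ["192.0.2.10\n"] * 4,
        "EXIT_B": ["198.51.100.7", "198.51.100.7\n", " 198.51.100.7", "<html>error</html>"],
        "EXIT_C": ["203.0.113.5"] * 4}
DAY2 = {"EXIT_A": ["192.0.2.10"] * 4,
        "EXIT_B": ["198.51.100.7"] * 4,
        "EXIT_C": ["192.0.2.30"] * 3 + ["203.0.113.5"]}

def run(day):
    return {fp: classify_exit(ADVERTISED[fp], bodies) for fp, bodies in day.items()}

if __name__ == "__main__":
    d1, d2 = run(DAY1), run(DAY2)
    for fp in sorted(ADVERTISED):
        print(fp, d1[fp], d2[fp])
    print("persistent:", persistent_mismatches(d1, d2))
```

An "inconsistent" verdict separates exits where the services disagree with each other from exits that consistently show a different address, which is the case the next-day recheck is meant to confirm.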

There are 3 main (roughly equal in size) categories that I can spot.
