Sign in

>25% of the Tor network’s exit capacity has been attacking Tor users

Figure 1: Malicious Tor exit fraction (measured in % of the entire available Tor network exit capacity) over time by this particular malicious entity between July 2020 and April 2021. Peak value: The attacker did manage approx. 27.5% of the Tor networks exit capacity on 2021–02–02. Graph by nusenu (raw data source: Tor Project/onionoo)

In August 2020 I reported about “How Malicious Tor Relays are Exploiting Users in 2020 (Part I)”. Back then I made the hypothesis that the entity behind these malicious tor relays is not going to stop its activities anytime soon. Unfortunately this turned out to be true. In this follow-up post, I will give you an update, share what additional information we learned about the attacker since August 2020 and to what extend they were and still are active on the tor network.

After publishing the previous blog…

>23% of the Tor network’s exit capacity has been attacking Tor users

Figure 1: Confirmed malicious Tor exit capacity (measured in % of the entire available Tor exit capacity) over time (by this particular malicious entity). Graph by nusenu (raw data source:

In December 2019 I wrote about The Growing Problem of Malicious Relays on the Tor Network with the motivation to rise awareness and to improve the situation over time. Unfortunately instead of improving, things have become even worse, specifically when it comes to malicious Tor exit relay activity.

Tor exit relays are the last hop in the chain of 3 relays and the only type of relay that gets to see the connection to the actual destination chosen by the Tor Browser user. The used protocol (i.e. http vs. …

Since there have been some speculations and questions around why all of a sudden I disappeared from twitter I’d figure I give you with my side of the story.

TLDR: I don’t know why my account got suspended and my appeal was turned down.

Initially I created my twitter account in February 2016 but since it required a phone number verification I was not able to actually use it until a year later when someone made a small donation for my first medium blog post that allowed me to pay for an online SMS service to pass the twitter phone…


I’ve a long standing interest in the state of the Tor network. In 2015 I started OrNetRadar to help detect new relay groups and possible Sybil attacks that could pose a risk to Tor users. In 2017 I was asked to join a closed Tor Project mailing list to help confirming reports of malicious Tor relays — a list where I previously submitted suspicious relays to. Soon after joining that list I suggested some improvements but things didn’t change since then. …

“Who controls Tor’s DNS traffic?” revisited

Over a year ago, in April 2018, we looked into Tor’s DNS landscape and confirmed previous observations from 2016 that a significant fraction of tor exit relays make use of public DNS resolvers like Google’s

Now 15 months later, its time to revisit this issue again to find out in what way the DNS landscape on the tor network changed. Did the DNS centralization on the tor network around Google and Cloudflare resolvers increase or decrease?

Data Collection Methodology

The methodology remained largely the same, we built a circuit to every tor exit relay to resolve a hostname while watching the source…

Mapping the RPKI unreachable IP address space.

In the previous post (see that for some more context) we analyzed RPKI INVALID IP address prefixes that are unreachable (no alternative route available) and used number of prefixes-origin pairs as primary metric, but argued that prefix-origin-pair-counts are not the best metric (many small prefixes can distort the picture) and left the task of analyzing unreachable networks by IP address space for the future:

Future Steps

add analysis based on IP space size (not just prefix-origin pair counts)

So this time, instead of using number of prefixes, we take the actual prefix size…

Up until not too long ago basically no network operator actually protected herself by implementing route origin validation (ROV) to make BGP hijacking attacks harder.

Implementing ROV means that BGP prefix-origin pairs are validated against route origin authorizations (ROAs) before they are considered. An autonomous system (AS) performing ROV is less vulnerable to BGP hijacking than an AS not doing so.

Example of a ROA: The following ROA authorizes the AS13335 to announce the prefix (other ASes are not authorized to announce and their prefix would be flagged as INVALID if they were to announce it):

Figure 1: An example of a ROA


ROV is…

Privacy adversaries may use BGP hijacking attacks to gain access to a bigger portion of Tor traffic than they would be able to see otherwise. BGP hijacking can be used to reroute internet traffic (for traffic interception and correlation attacks) or to perform denial of service against specific relays to increase the chance that Tor users select attacker-controlled relays.

The RAPTOR and Counter-RAPTOR papers by Sun et al. studied the effect of BGP attacks on Tor, in their paper they note:

more than 90% of BGP prefixes hosting Tor relays have
prefix length shorter than /24, making them vulnerable to
more-specific prefix…

An Analysis of the Tor DNS Landscape.

Unlike other relays, tor exit relays also take care of name resolution for tor clients. Their DNS configuration actually determines where the tor network’s DNS traffic is send to.

Ever since the tor-dns paper I wanted to take a look at the current state of DNS resolver distributions on the tor network. In their work from 2016 they noted that Google controls a significant share of tor’s DNS traffic.

Here is a plot of their data from 2015-2016 showing Google as the DNS resolver controlling the biggest chunk of the tor network’s DNS traffic:


Now the question is, how is…

A limited number of relay groups can see you enter and exit the Tor network (deanonymization).

TL;DR: If you want to get the list of relevant Tor relays go to the bold URL near the end of this page.

When a Tor client routes traffic through the Tor network he tries to select 3 “random” (mostly) relays (guard, middle and an exit relay). The number of relays is crucial. Using 3 hops should help reduce the risk that a single entity (excluding global passive adversaries) can “see” Alice’s real IP address and the fact that she is talking to Bob…


Tor, Routing Security and DNS Privacy related Topics.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store