How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

>23% of the Tor network’s exit capacity has been attacking Tor users

Figure 1: Confirmed malicious Tor exit capacity (measured in % of the entire available Tor exit capacity) over time (by this particular malicious entity). Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 2: Confirmed malicious Tor exit fraction over time by ContactInfo (all of them are run by the same entity). Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 3: Confirmed malicious Tor exit relay count over time by ContactInfo. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 4: What ISPs did the attacker use? Mostly OVH and FranTech Solutions. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

What is this attacker actually exploiting and how does it affect Tor users?

Is the attack over?

Figure 5: Overall advertised exit bandwidth in the Tor network over time shows unusual growth after removal of malicious relays. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 6: Exit fraction and advertised exit bandwidth by known operators/organizations. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 7: Exit fraction from unknown operators since the last removal of malicious exits (2020-06-21) by Autonomous System (showing ASNs >0.5% exit probability only). Two networks are significantly growing: OVH (again) and Liteserver Holding. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 8: Exit fraction by unknown operators since the last removal of malicious exits (2020-06-21) grouped by exit relay contact information (stacked). Showing ContactInfos with >0.5% exit probability only. Exits with no ContactInfo are not included. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
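The figures above are all built the same way: take the relays from an Onionoo "details" document, keep the running exits, sum their exit probability per ContactInfo (Figures 2, 3 and 8) or per Autonomous System (Figures 4 and 7), and drop groups below a 0.5% cut-off. The following is an added example of that aggregation, not nusenu's own tooling. It relies only on Onionoo relay fields that exist in the public API (`exit_probability`, `contact`, `as`, `as_name`, `flags`, `running`); the relay records, contact strings and weights embedded in it are constructed for illustration and are not real measurements, and the AS numbers are only there to give the sample a plausible shape.

```python
"""Group Tor exit probability by ContactInfo and by Autonomous System.

Added example (not the article's or the Tor Project's own code). Input is
the shape of an Onionoo 'details' document (https://onionoo.torproject.org/details);
the SAMPLE_DETAILS below is CONSTRUCTED and contains no real relays.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of an Onionoo details document.
# In a real consensus exit_probability sums to 1.0 over all exits; here
# the six exits are treated as the whole exit set for the arithmetic.
SAMPLE_DETAILS = json.dumps({
    "version": "8.0",
    "relays": [
        {"nickname": "exitA", "running": True, "flags": ["Exit", "Fast", "Running", "Valid"],
         "as": "AS16276", "as_name": "OVH SAS", "contact": "ops@operator-one.invalid",
         "exit_probability": 0.012},
        {"nickname": "exitB", "running": True, "flags": ["Exit", "Fast", "Running", "Valid"],
         "as": "AS16276", "as_name": "OVH SAS", "contact": "ops@operator-one.invalid",
         "exit_probability": 0.008},
        {"nickname": "exitC", "running": True, "flags": ["Exit", "Running", "Valid"],
         "as": "AS53667", "as_name": "FranTech Solutions", "contact": "ops@operator-one.invalid",
         "exit_probability": 0.005},
        {"nickname": "exitD", "running": True, "flags": ["Exit", "Running", "Valid"],
         "as": "AS60404", "as_name": "Liteserver Holding", "contact": "",
         "exit_probability": 0.007},
        {"nickname": "exitE", "running": True, "flags": ["Exit", "Running", "Valid"],
         "as": "AS24940", "as_name": "Hetzner Online", "contact": "ops@operator-two.invalid",
         "exit_probability": 0.003},
        {"nickname": "exitF", "running": True, "flags": ["Exit", "Running", "Valid"],
         "as": "AS16276", "as_name": "OVH SAS", "contact": "ops@operator-three.invalid",
         "exit_probability": 0.004},
        # A guard with no exit weight; must be filtered out.
        {"nickname": "guardG", "running": True, "flags": ["Guard", "Fast", "Running", "Valid"],
         "as": "AS24940", "as_name": "Hetzner Online", "contact": "ops@operator-two.invalid",
         "exit_probability": 0.0},
    ],
})


def load_relays(details_json):
    """Return the running relays carrying the Exit flag from a details document."""
    doc = json.loads(details_json)
    return [r for r in doc["relays"] if r.get("running") and "Exit" in r.get("flags", [])]


def exit_fraction_by(relays, key, min_fraction=0.005, skip_missing=True):
    """Sum exit_probability per value of `key` ('contact' or 'as').

    Groups below min_fraction (default 0.5%, the cut-off used in the figures)
    are dropped. Relays lacking the field are skipped when skip_missing is
    True (Figure 8 excludes exits with no ContactInfo); otherwise they are
    pooled under 'unknown'. Result is ordered by descending share.
    """
    totals = defaultdict(float)
    for r in relays:
        value = r.get(key)
        if not value:
            if skip_missing:
                continue
            value = "unknown"
        totals[value] += r.get("exit_probability", 0.0)
    ordered = sorted(totals.items(), key=lambda kv: -kv[1])
    return {k: v for k, v in ordered if v >= min_fraction}


def as_names(relays):
    """Map AS number -> AS name, so AS keys can be labelled in a report."""
    return {r["as"]: r.get("as_name", "") for r in relays if r.get("as")}


def exit_fraction_of(relays, contacts):
    """Combined exit share of relays whose ContactInfo is in `contacts`.

    This is the quantity in Figure 2 when `contacts` is the set of ContactInfo
    strings attributed to one operator.
    """
    return sum(r.get("exit_probability", 0.0) for r in relays if r.get("contact") in contacts)


if __name__ == "__main__":
    relays = load_relays(SAMPLE_DETAILS)
    names = as_names(relays)
    print("exit fraction by ContactInfo (>=0.5%):")
    for contact, share in exit_fraction_by(relays, "contact").items():
        print(f"  {share:6.2%}  {contact}")
    print("exit fraction by AS (>=0.5%):")
    for asn, share in exit_fraction_by(relays, "as").items():
        print(f"  {share:6.2%}  {asn} {names.get(asn, '')}")
    print("exit fraction of operator-one:",
          f"{exit_fraction_of(relays, {'ops@operator-one.invalid'}):.2%}")
```

To reproduce the figures against live data, replace `SAMPLE_DETAILS` with the body of `https://onionoo.torproject.org/details?flag=Exit` fetched once per consensus period; the grouping logic is unchanged. Note that ContactInfo is free text set by the operator, so grouping by it only shows what operators choose to declare, which is why the article also groups by AS and tracks exits with no ContactInfo separately.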

Countermeasures

“we lack the tools for tracking and visualizing which relays we trust” — Roger Dingledine

Summary

Acknowledgements

Appendix
