How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

>23% of the Tor network’s exit capacity has been attacking Tor users

Figure 1: Confirmed malicious Tor exit capacity (measured in % of the entire available Tor exit capacity) over time (by this particular malicious entity). Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

The Scale of the Malicious Operator

Temporary removal

Persistent

Faking multiple independent relay groups

Figure 2: Confirmed malicious Tor exit fraction over time by ContactInfo (all of them are run by the same entity). Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 3: Confirmed malicious Tor exit relay count over time by ContactInfo. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

Used Infrastructure

Figure 4: What ISPs did the attacker use? Mostly OVH and FranTech Solutions. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

What is this attacker actually exploiting and how does it affect Tor users?

Is the attack over?

Figure 5: Overall advertised exit bandwidth in the Tor network over time shows unusual growth after removal of malicious relays. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 6: Exit fraction and advertised exit bandwidth by known operators/organizations. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 7: Exit fraction from unknown operators since the last removal of malicious exits (2020-06-21) by Autonomous System (showing ASNs with >0.5% exit probability only). Two networks are growing significantly: OVH (again) and Liteserver Holding. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 8: Exit fraction by unknown operators since the last removal of malicious exits (2020-06-21), grouped by exit relay contact information (stacked). Showing ContactInfos with >0.5% exit probability only. Exits with no ContactInfo are not included. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

Countermeasures

Bad-Relay Handling Situation

Better visualizations for “known” vs. “unknown” network fractions

“we lack the tools for tracking and visualizing which relays we trust” — Roger Dingledine

Short term harm reduction

Long term: Limiting attackers by allocating a minimal network fraction to known operators

Summary

Acknowledgements

Supporting this Research (section added on 2020-08-12)

Appendix

OrNetRadar references to known malicious Tor exit relays by this actor:

Tor, Routing Security and DNS Privacy related Topics. https://nusenu.github.io