How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

>23% of the Tor network’s exit capacity has been attacking Tor users

Figure 1: Confirmed malicious Tor exit capacity (measured in % of the entire available Tor exit capacity) over time (by this particular malicious entity). Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

The Scale of the malicious Operator

Temporary removal

Persistent

Faking multiple independent relay groups

Figure 2: Confirmed malicious Tor exit fraction over time by ContactInfo (all of them are run by the same entity). Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 3: Confirmed malicious Tor exit relay count over time by ContactInfo. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

Used Infrastructure

Figure 4: What ISPs did the attacker use? Mostly OVH and FranTech Solutions. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

What is this attacker actually exploiting and how does it affect Tor users?

Is the attack over?

Figure 5: Overall advertised exit bandwidth in the Tor network over time shows unusual growth after removal of malicious relays. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 6: Exit fraction and advertised exit bandwidth by known operators/organizations. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 7: Exit fraction from unknown operators since the last removal of malicious exits (2020–06–21) by Autonomous System (showing ASNs >0.5% exit probability only). Two networks are significantly growing: OVH (again) and Liteserver Holding. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)
Figure 8: Exit fraction by unknown operators since the last removal of malicious exits (2020–06–21) grouped by exit relay contact information (stacked). Showing ContactInfos with >0.5% exit probability only. Exits with no ContactInfo are not included. Graph by nusenu (raw data source: https://metrics.torproject.org/onionoo.html)

Countermeasures

Bad-Relay Handling Situation

Better visualizations for “known” vs. “unknown” network fractions

“we lack the tools for tracking and visualizing which relays we trust” — Roger Dingledine

Short term harm reduction

Long term: Limiting attackers by allocating a minimal network fraction to known operators

Summary

  • Since the disclosure of large scale attacks on the Tor network (malicious operator did run >10% of Tor’s guard capacity) in December 2019, no improvements with regards to malicious Tor relays have been implemented.
  • The malicious Tor relay operator discussed in this blog post controlled over 23% of the entire Tor network exit capacity (as of 2020–05–22)
  • The malicious operator demonstrated to recover their capacity after initial removal attempts by Tor directory authorities.
  • There are multiple indicators that suggest that the attacker still runs >10% of the Tor network exit capacity (as of 2020–08–08)
  • The reoccurring events of large scale malicious Tor relay operations make it clear that current checks and approaches for bad-relays detection are insufficient to prevent such events from reoccurring and that the threat landscape for Tor users has changed.
  • Multiple specific countermeasures have been proposed to tackle the ongoing issue of malicious relay capacity.
  • It is up to the Tor Project and the Tor directory authorities to act to prevent further harm to Tor users.

Acknowledgements

Supporting this Research (section added on 2020–08–12)

Appendix

OrNetRadar references to known malicious Tor exit relays by this actor:

--

--

Tor, Routing Security and DNS Privacy related Topics. https://nusenu.github.io

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store