On Fri, May 20, 2016 at 08:56:06AM -0400, Ian Goldberg wrote:
> Does anyone know where we can get more information about the stats behind this slide:
> https://twitter.com/AlecMuffett/status/730773970383982592
> The slide says:
>     1:11,500 non-Tor IPs contained malicious requests
>     1:380 Tor exit nodes contained malicious requests
> The way it's worded, it sounds like they're saying "1/11500 of the non-Tor IP addresses we saw sent malicious requests, and 1/380 of the Tor exit node IP addresses we saw sent malicious requests", but I'm finding that hard to believe, since 1/380 of the Tor exit node IP addresses is ~3 IP addresses. It's unlikely that all malicious Tor traffic was confined to 3 exit nodes. (But interesting if true.)
> Were they perhaps being a little loose and really meant "1/11500 TCP connections coming from non-Tor IP addresses, and 1/380 TCP connections coming from Tor exit nodes, contained malicious requests"?
There's an actual written report (Sadia Afroz found the link to the report). The Tor part starts on page 59.
https://www.stateoftheinternet.com/downloads/pdfs/2015-cloud-security-report...
Here are the relevant tables. The heading "Global Rank" in Figure 4-2 is probably supposed to be "Source". The percentages in Figure 4-4 are off by a factor of 100; i.e. 1/380=0.0026=0.26%.
The first two figures, 4-2 and 4-3, are explicitly in terms of requests. Figure 4-4 is a ratio between two "traffic" values but the caption refers to requests.
Global Rank     Legitimate HTTP Requests    Frequency
Non-Tor IPs     534,999,725,930             99.96%
Tor exit nodes      228,436,820              0.04%
Figure 4-2: Of the legitimate HTTP requests, excluding static media files, less than 1% were from Tor exit nodes

Source          Legitimate HTTP Requests    Frequency
Non-Tor IPs     46,530,841                  98.74%
Tor exit nodes     596,042                   1.26%
Figure 4-3: Of the malicious HTTP requests, 1.26% were from Tor exit nodes

Source          Ratio Between Malicious & Legitimate Traffic    Frequency
Non-Tor IPs     0.00008697% malicious traffic                   ~1:11,500
Tor exit nodes  0.00260922% malicious traffic                   ~1:380
Figure 4-4: Though the traffic levels are much smaller, Tor exit nodes were much more likely to contain malicious requests
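The following is an added worked check, not part of the message above or of the Akamai report: it recomputes Figure 4-4 from the request counts in Figures 4-2 and 4-3 as they are transcribed above, so a reader can confirm both the ~1:11,500 / ~1:380 ratios and the factor-of-100 error in the report's percentage column. The report's "Frequency" column in 4-4 is treated as malicious divided by legitimate requests for the same source, which is the only reading that reproduces its numbers (an assumption stated in the code).

```python
# Request counts transcribed from Figures 4-2 and 4-3 of the Akamai report.
LEGITIMATE = {"Non-Tor IPs": 534_999_725_930, "Tor exit nodes": 228_436_820}
MALICIOUS = {"Non-Tor IPs": 46_530_841, "Tor exit nodes": 596_042}

# The "%" values printed in Figure 4-4, taken literally as percentages.
REPORTED_PERCENT = {"Non-Tor IPs": 0.00008697, "Tor exit nodes": 0.00260922}


def share(table, source):
    """Fraction of all requests in a table that came from one source
    (the 'Frequency' column of Figures 4-2 and 4-3)."""
    return table[source] / sum(table.values())


def malicious_ratio(source):
    """Malicious requests divided by legitimate requests for one source.
    Assumption: this is what Figure 4-4 calls 'Ratio Between Malicious &
    Legitimate Traffic'; it is the only reading that reproduces its numbers."""
    return MALICIOUS[source] / LEGITIMATE[source]


def as_one_in_n(ratio):
    """Express a ratio r as the N in '1:N'."""
    return 1 / ratio


def percent_error_factor(source):
    """How many times larger the correctly computed percentage is than the
    percentage printed in Figure 4-4.  A factor of ~100 means the report
    printed the raw fraction and appended a '%' sign."""
    recomputed_percent = malicious_ratio(source) * 100
    return recomputed_percent / REPORTED_PERCENT[source]


if __name__ == "__main__":
    for src in LEGITIMATE:
        r = malicious_ratio(src)
        print(f"{src:15s} legit share {share(LEGITIMATE, src):.2%}  "
              f"malicious share {share(MALICIOUS, src):.2%}  "
              f"malicious/legit {r:.8f} = {r:.5%} ~ 1:{as_one_in_n(r):,.0f}  "
              f"report's % off by x{percent_error_factor(src):.0f}")
```

Running it prints 1:11,498 and 1:383 for the two sources, matching the report's rounded ~1:11,500 and ~1:380, and an error factor of 100 for both rows of Figure 4-4.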