Sybil Attack on 2025-11-20 - please setup your AROIs :)
Hi,

as some of you might have noticed, yesterday 2025-11-20 someone added ~900 new tor relays to the tor network. They used nickname schemes from other operators:

* NTH
* prsv
* Quetzalcoatl
* for-privacy.net
* relayon
* DFRI
* bauruine
...

For this reason I wanted to encourage every operator, especially the large ones, to set up their AROI. Here is a howto:
https://nusenu.github.io/OrNetStats/aroi-setup

Why?

You get nice timeseries graphs of your relays. example: https://nusenu.github.io/OrNetStats/artikel10.org.html

And it helps to **automatically** tell false-friends apart, especially since families have become so large that we can no longer use that as a good signal, because families must be split if they become too large for the descriptor limit.

A good example is nothingtohide.nl, all of their relays have a proper AROI configuration and they verify properly:
https://nusenu.github.io/OrNetStats/w/contact/aa738469b86e5ea8838d95eb2b8e65...

Here are 3 examples of large relay operators where AROI verification fails (partially). If you are one of them or if you know them please ping them if you can:

* quetzalcoatl-relays.org
  https://nusenu.github.io/OrNetStats/w/contact/b32573fcfbc780a4b9ef03425f6764...
* emeraldonion
  https://nusenu.github.io/OrNetStats/w/family/34933fa4f34ef248c84847495870025...
* prsv.ch
  https://nusenu.github.io/OrNetStats/w/contact/65a4a24bfc53c4c6c0d312ce29ab78...

kind regards,
nusenu

--
https://nusenu.github.io
They used nickname schemes from other operators
It looks like they're even doing that for small operators. For example, I only run 5 relays, named forest1 through forest5. They cloned one of my relays, forest3, a total of 6 times. Each forest3 relay has a stolen ContactInfo from some other random operator. Needless to say, I only run one of https://metrics.torproject.org/rs.html#search/forest3.

Whoever is doing this may have been testing it out as early as a few weeks ago. I noticed back then that there was another forest3 (the same relay that is being impersonated now) which was down when I noticed it. I assumed it was just a coincidence at the time. It no longer shows in the Metrics page as it has been down for too long.

Will these (and the other new relays) be taken down soon?

As an aside, it's strange that these are all non-exits. That would indicate a somewhat more sophisticated attack than a typical MITM from rogue exits, but a sophisticated threat actor should realize that adding 900+ relays at once with stolen Nickname and ContactInfo fields would raise red flags. Could it be some naïve researcher with a budget and a lax IRB? I don't understand this.

Regards,
forest
It looks like all the newly added relays, or at least all the ones that I was looking at, have shut down. I suppose whoever put them up has now realized that they have been detected. Will all the fingerprints be blacklisted anyway?

Regards,
forest
On Fri, Nov 21, 2025 at 08:15:16PM -0000, forest-relay-contact--- via tor-relays wrote:
It looks like all the newly added relays, or at least all the ones that I was looking at, have shut down. I suppose whoever put them up has now realized that they have been detected. Will all the fingerprints be blacklisted anyway?
Actually, the relays are still running, at least at this moment. (You can check this yourself by telneting to their ORPort.) They appear down on the metrics page because they are no longer in the consensus, because a threshold of the directory authorities are rejecting them (as of about 30 hours ago). --Roger
Helped create tooling and reached out to the largest operators to improve AROI setups.
https://aroivalidator.1aeo.com and https://github.com/1aeo/AROIValidator

In the last 48 hours, ~1k more relays are now validated, total around 3k out of 10k relays (~30%). Chasing down another 500.

Still seeing missing validation from larger operators:

tuxli: 13 out of 95. Error: Fingerprint not found in rsa-fingerprint.txt (13 relays)
0xcc01.de: 74 out of 74. Error: DNS resolution failure - domain does not resolve (74 relays)
relayon: 46 out of 46. Error: SSL/TLS handshake failure (46 relays)
digitalcourage.de: 30 out of 30. Error: 404 Not Found for .well-known/tor-relay/rsa-fingerprint.txt
www.f3netze.de: 1 out of 25. Error: DNS lookup failed for subdomain
artikel5ev.de: 24 out of 24. Error: Fingerprint not found in rsa-fingerprint.txt (24 relays)
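An offline illustration of the checks behind those error lines, added here and not the 1AEO validator's own code: it derives the proof URL from a ContactInfo `url:` field, parses rsa-fingerprint.txt, and maps failures to the categories listed above. The domains, fingerprints and the `fake_fetch` stand-in are constructed, and treating `#` lines in the file as comments is an assumption.

```python
import re

WELL_KNOWN = "/.well-known/tor-relay/rsa-fingerprint.txt"  # path quoted in the message above
FP_RE = re.compile(r"^[0-9A-F]{40}$")  # relay RSA fingerprint: 40 hex chars

class DnsFailure(Exception): pass  # stand-ins for what a real HTTPS client raises
class TlsFailure(Exception): pass

def aroi_url(contactinfo):
    # ContactInfo 'url:' field names the operator domain (scheme optional); assumed format
    for field in contactinfo.split():
        if field.startswith("url:"):
            host = re.sub(r"^https?://", "", field[4:]).strip("/")
            return "https://" + host + WELL_KNOWN if host else None
    return None

def parse_fingerprints(body):
    # one fingerprint per line; '#' comments assumed allowed; case-normalised
    lines = (l.split("#", 1)[0].strip().upper() for l in body.splitlines())
    return {l for l in lines if FP_RE.match(l)}

def check_relay(fingerprint, contactinfo, fetch):
    # categories mirror the validator errors listed in the message above
    url = aroi_url(contactinfo)
    if url is None:
        return "no url field in ContactInfo"
    try:
        status, body = fetch(url)
    except DnsFailure:
        return "DNS resolution failure"
    except TlsFailure:
        return "SSL/TLS handshake failure"
    if status != 200:
        return f"HTTP {status} for {WELL_KNOWN}"
    if fingerprint.upper() not in parse_fingerprints(body):
        return "Fingerprint not found in rsa-fingerprint.txt"
    return "verified"

# constructed offline stand-in for HTTPS fetches; domains and fingerprint are made up
FP_OK = "0123456789ABCDEF0123456789ABCDEF01234567"
PAGES = {"good.example": (200, "# relays\n" + FP_OK + "\n"), "empty.example": (200, "")}
def fake_fetch(url):
    host = url.split("/")[2]
    if host == "nodns.example":
        raise DnsFailure(host)
    if host == "badtls.example":
        raise TlsFailure(host)
    return PAGES.get(host, (404, ""))
```

Swapping `fake_fetch` for a real HTTPS client (with certificate verification left on, since a TLS failure is itself a reported category) turns this into a self-check an operator can run against their own relays before the next OrNetStats refresh.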
On 11/23/25 16:36, Tor at 1AEO via tor-relays wrote:
tuxli: 13 out of 95. Error: Fingerprint not found in rsa-fingerprint.txt (13 relays) digitalcourage.de: 30 out of 30. Error: 404 Not Found for .well-known/tor-relay/rsa-fingerprint.txt
That's because onionoo sometimes returns 13 relays I had shut down nearly two years ago. And digitalcourage uses the .social TLD for AROI and not the .de.