[tor-project] The Akamai slide Alec posted
david at bamsoftware.com
Fri May 20 16:55:05 UTC 2016
On Fri, May 20, 2016 at 08:56:06AM -0400, Ian Goldberg wrote:
> Does anyone know where we can get more information about the stats
> behind this slide:
> The slide says:
> 1:11,500 non-Tor IPs contained malicious requests
> 1:380 Tor exit nodes contained malicious requests
> The way it's worded, it sounds like they're saying "1/11500 of the
> non-Tor IP addresses we saw sent malicious requests, and 1/380 of the
> Tor exit node IP addresses we saw sent malicious requests", but I'm
> finding that hard to believe, since 1/380 of the Tor exit node IP
> addresses is ~3 IP addresses. It's unlikely that all malicious Tor
> traffic was confined to 3 exit nodes. (But interesting if true.)
> Were they perhaps being a little loose and really meant "1/11500 TCP
> connections coming from non-Tor IP addresses, and 1/380 TCP connections
> coming from Tor exit nodes, contained malicious requests"?
There's an actual written report (Sadia Afroz found the link to the
report). The Tor part starts on page 59.
Here are the relevant tables. The heading "Global Rank" in Figure 4-2 is
probably supposed to be "Source". The percentages in Figure 4-4 are off
by a factor of 100; i.e. 1/380=0.0026=0.26%.
The first two figures, 4-2 and 4-3, are explicitly in terms of requests.
Figure 4-4 is a ratio between two "traffic" values but the caption
refers to requests.

Global Rank      Legitimate HTTP Requests   Frequency
Non-Tor IPs      534,999,725,930            99.96%
Tor exit nodes   228,436,820                00.04%

Figure 4-2: Of the legitimate HTTP requests, excluding static media
files, less than 1% were from Tor exit nodes

Source           Legitimate HTTP Requests   Frequency
Non-Tor IPs      46,530,841                 98.74%
Tor exit nodes   596,042                    1.26%

Figure 4-3: Of the malicious HTTP requests, 1.26% were from Tor exit

Source           Ratio Between Malicious & Legitimate Traffic   Frequency
Non-Tor IPs      0.00008697% malicious traffic                  ~1:11,500
Tor exit nodes   0.00260922% malicious traffic                  ~1:380

Figure 4-4: Though the traffic levels are much smaller, Tor exit nodes
were much more likely to contain malicious requests