[tor-project] The Akamai slide Alec posted
David Fifield
david at bamsoftware.com
Fri May 20 16:55:05 UTC 2016
On Fri, May 20, 2016 at 08:56:06AM -0400, Ian Goldberg wrote:
> Does anyone know where we can get more information about the stats
> behind this slide:
>
> https://twitter.com/AlecMuffett/status/730773970383982592
>
> The slide says:
>
> 1:11,500 non-Tor IPs contained malicious requests
> 1:380 Tor exit nodes contained malicious requests
>
> The way it's worded, it sounds like they're saying "1/11500 of the
> non-Tor IP addresses we saw sent malicious requests, and 1/380 of the
> Tor exit node IP addresses we saw sent malicious requests", but I'm
> finding that hard to believe, since 1/380 of the Tor exit node IP
> addresses is ~3 IP addresses. It's unlikely that all malicious Tor
> traffic was confined to 3 exit nodes. (But interesting if true.)
>
> Were they perhaps being a little loose and really meant "1/11500 TCP
> connections coming from non-Tor IP addresses, and 1/380 TCP connections
> coming from Tor exit nodes, contained malicious requests"?

There's an actual written report (Sadia Afroz found the link to the
report). The Tor part starts on page 59.
https://www.stateoftheinternet.com/downloads/pdfs/2015-cloud-security-report-q2.pdf#59

Here are the relevant tables. The heading "Global Rank" in Figure 4-2 is
probably supposed to be "Source". The percentages in Figure 4-4 are off
by a factor of 100; i.e. 1/380=0.0026=0.26%.

The first two figures, 4-2 and 4-3, are explicitly in terms of requests.
Figure 4-4 is a ratio between two "traffic" values but the caption
refers to requests.

Global Rank      Legitimate HTTP Requests   Frequency
Non-Tor IPs      534,999,725,930            99.96%
Tor exit nodes   228,436,820                00.04%

Figure 4-2: Of the legitimate HTTP requests, excluding static media
files, less than 1% were from Tor exit nodes

Source           Legitimate HTTP Requests   Frequency
Non-Tor IPs      46,530,841                 98.74%
Tor exit nodes   596,042                    1.26%

Figure 4-3: Of the malicious HTTP requests, 1.26% were from Tor exit
nodes

Source           Ratio Between Malicious & Legitimate Traffic   Frequency
Non-Tor IPs      0.00008697% malicious traffic                  ~1:11,500
Tor exit nodes   0.00260922% malicious traffic                  ~1:380

Figure 4-4: Though the traffic levels are much smaller, Tor exit nodes
were much more likely to contain malicious requests