[tor-relays] Exit Concentration vs Bulk filters?

nusenu nusenu-lists at riseup.net
Sat Jan 4 11:44:00 UTC 2020

> I never heard a real technical reason to avoid
> high concentration of Tor exit capacity. 

Let me give you a few examples why a distributed network is in some ways
more resilient to attacks and harder to observe than a centralized.


If all traffic leaves the tor network at a single or very few places, surveillance becomes a lot easier and cheaper
when compared to a network that is distributed and has many exit locations.

Resiliency against outages

If all capacity is concentrated around just a few locations, local issues/outages have a bigger impact
on the overall availability and capacity of the network.

Resiliency against software vulnerabilities

A single operator tends to setup their systems in a relatively similar manner.
Most of its relays will use the same OS, OS version, SSL library, tor version, hardware architecture
and have a similar good or bad patch level.
In such an environment it is more likely that a single vulnerability affects large portions when compared
to a diverse ecosystem. A homogeneous ecosystem also reduces the cost for exploit development.

Resiliency against security breaches

If an hypothetical operator controlling 1/2 of the network gets compromised the impact is a lot bigger than
if they were to run 1%. The incentive for an attacker to compromise an operator running 50%
of the network is also a lot higher than attacking an operator of 1%.

Risk of detection
The risk of detection is likely higher for an attacker that compromises multiple organizations compared to a single

Cost of attacks
Compromising all relays operated by a single entity is likely cheaper than compromising all relays
run by multiple independent organizations.

Performing a hijacking attack against a single prefix is probably easier than successfully hijacking multiple independent
prefixes with different upstream providers concurrently and harder to remain undetected.

A DDoS attack against a single AS is likely cheaper than against many targets at the same time.

There are also non-technical (organizational and legal) reasons why having a distributed 
network capacity is beneficial to the tor network.

Legally attacking many organizations is more expensive than a single one.
If a single operator no longer has the financial capacity or motivation the removal of their relays should not
have a existential impact on the network.
If the policy of a hoster changes from 'tor relays allowed' to 'tor relays forbidden'
than we better not run all our capacity at a single hoster.

In short, you don't want to make the tor network depend on 1-2 or 10 but many.
So if a few operators disappear the network remains functional and available
and is generally harder to attack.

kind regards,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20200104/4c57b5c1/attachment.sig>

More information about the tor-relays mailing list