[tor-talk] State of bad relays (March 2017)

George Kadianakis desnacked at riseup.net
Fri Mar 3 18:29:22 UTC 2017


Hello list,

In this email we will present to you the current state of bad relays on the Tor network.

It should be no surprise that the Tor network is under constant attack. As part
of critical Internet infrastructure, people have been attacking our network in
various ways and for multiple reasons. Some people do it for research purposes,
others to satisfy their curiosity whereas others have flat out malicious intent.

Two common Tor network abuses are:

a) Bad exit nodes sniffing and messing around with client traffic.

b) Bad HSDir nodes. The hidden service hash ring is a particularly juicy
   target, since participating relays get to see the addresses of onion
   services when they publish their descriptors.
   
Both of those attacks require the adversary to set up relays on the network, and
this gives us a chance to catch and block them.

Our elite bad relay hunting team has been chasing down those bad actors and
blocking them from the network. Over the years, we've discovered hundreds of
evil relays that have been attacking the network. Here is a graph that shows
the volume of bad relays we've found over time:

   https://extra.torproject.org/misc/asn/authdir-2017-03-gray.png

The bottom part of the graph shows relays caught participating in exit node
attacks (see (a) above). And the top part of the graph shows relays that have
been conducting HSDir-related attacks (see (b) above) or other miscellaneous
attacks.

As you can see, there is quite a number of relays participating in HSDir-related
attacks and finding them has been time-consuming. However, the good news is
that these HSDir attacks will be addressed completely and forever when we roll
out Next Generation Hidden Services:
    https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt

With Next Gen Hidden Services, HSDir relays won't be able to learn the
address of onion services anymore, because their descriptors will be
completely encrypted.

Anyway, this was an email to brief you on our efforts to detect bad
actors on the network and to let you know that we've got your back.

And don't forget to send your warmest thanks to the 1337 members of our bad
relay hunting team if you ever see them around the network :)

Have a good day!

