back to article Tor traffic torrent: It ain't the Syrians, it's the BOTS

The recent spike in traffic on the Tor anonymizing relay network is probably due to botnet activity rather than any recent political developments, research by Tor Project members has concluded. The overall number of clients accessing the Tor network on a daily basis has more than doubled since around mid-August, but so far …


This topic is closed for new posts.
  1. yakitoo

    .... if you have a multi-million node botnet, it's silly to try to hide it behind the 4000-relay Tor network .............

    Unless you are doing traffic handling analysis to assist with tracking of course.

    Can't think who would possibly want to do that though.

    1. frank ly

      Whoever could it be?

      Maybe someone who's trying to establish the IP address and location of 4000 relays of a Tor network? Or, maybe someone who's applying for funding to fight the menace of increasing Tor traffic? Oh, the possibilities.

    2. Matt Bryant Silver badge

      Re: yakitoo

      ".....Can't think who would possibly want to do that though." How about China, Russia, Saudi Arabia, or even the Fwench? Oh, sorry, did that get in the way of your one-country fixation?

  2. Anonymous Coward
    Anonymous Coward

    A "multi-million node botnet"

    Not so nice. But imagine if somebody out there infected millions of computers and set every one up as a Tor relay!

    1. Fibbles

      Re: A "multi-million node botnet"

      "And finally, I still maintain that if you have a multi-million node botnet, it's silly to try to hide it behind the 4000-relay Tor network ..."

      Just what I was thinking. Millions of compromised computers turned into Tor relays.

      There was an article on El reg about it taking the 3 months to identify a heavy Tor user to 95% accuracy with the current 4000 or so nodes. Anyone want to to the maths with, say, 2-3 million nodes?

  3. Anonymous Coward

    Anyone remember the Pirate Bay punting a special version of FireFox with Tor included recently??

    Maybe it is more popular than expected.

    1. Anonymous Coward
      Anonymous Coward

      Hasn't the Tor project offered a bundle of their software with a custom version of Firefox for years?

    2. Henry Wertz 1 Gold badge

      Not Pirate Browser...

      "Anyone remember the Pirate Bay punting a special version of FireFox with Tor included recently??

      Maybe it is more popular than expected."

      Unfortunately not. The register article doesn't mention this, but the blog post they link to has this quote:

      "Others have speculated that it's due to massive adoption of the Pirate Browser (a Tor Browser Bundle fork that discards most of Tor's security and privacy features), but we've talked to the Pirate Browser people and the downloads they've seen can't account for this growth"

  4. Khaptain Silver badge

    Doesn't make sense.

    Those that you the TOR are far more aware about computing than most people, It would be very surprising that those same people are infected by the various BOT malwares....

    Those that are careful about hiding their identity or that keep a low profile are usually clever enough to keep their machines clean.....

    BitTorrent rather than the likely cause

    1. Anonymous Coward
      Anonymous Coward

      Re: Doesn't make sense.

      This is extra traffic; the usual users plus about the same in new connections. It's the new connections that are probably infected.

    2. Old Handle

      Re: Doesn't make sense.

      I don't think you understood quite right. These aren't Tor users infected with a botnet. It's suspect that the botnet itself has installed Tor, most likely so it can access a "hidden service" to receive commands.

      1. Khaptain Silver badge

        Re: Doesn't make sense.

        You are right I didn't see that at all but now that you spell it out, it is very clear, my bad. ( Suddenly my

        eyes open and I realise how blind I have been)......

        The facepalm is for me ...

  5. Anonymous Coward
    Anonymous Coward

    Couldn't they harness this?

    I mean imagine having a million-node Tor network. You could hide the source of your packets in /your own private onion routing system/. Even just having that many end-points would make the system so much more secure that you'd be able to charge crims/spooks for using it.

    Which is probably what'll start happening shortly- criminals using billion-node TOR-like strategies to hide their communications. And the NSA will, once again, be more or less powerless.- monitoring 4,000 nodes is realtively simple, but monitoring 1,000,000 constantly changing (as users cleanse their systems and others get infected) nodes would be a considerable increase in difficulty.

    Remembering that each computer on the node connects to other nodes unknowingly but also carrys legitimate traffic, let's say a node links to 100 other computers a day in both knowing and criminal-TOR-ed traffic. That's a number picked out of the air and would suggest a LOT of traffic or a very low-packet-density routing system. That means the NSA would have to track >100,000,000 nodes rather than the 400,000 nodes that would have to be tracked with the current 4000-node system. You're talking an increase in complexity of 3 orders of magnitude for anyone wanting to build a map of the system for the purposes of monitoring it, and assuming the same traffic you'd have 3 orders of magnitude less traffic per node to work with.

    Unfortunately this just means that taxes will go up in the US to fund a trillion-dollar mega-giga-exaFLOP supercomputer for the spooks...

  6. Steve Knox

    This is a very serious issue

    with ramifications for the stability, security, and privacy of the Tor network.

    So if you find yourself being distracted by the name Roger Dingledine, you should probably not comment here.

    These comments should be reserved for serious discussion, and not juvenile repetition of the name Roger Dingledine.

    Anyone repeating the name Roger Dingledine for comedic effect should be ashamed of himself.

    1. Don Jefe

      Re: This is a very serious issue

      I am so relieved I'm not the only one.

      1. Destroy All Monsters Silver badge
        Big Brother

        Re: This is a very serious issue

        You forgot to mention HITLER and GASSING HIS OWN PEOPLE.

        Just like in MUNICH.

        And don't HITLER forget the CHILDREN being menaced by GASSING by HITLER!

        1. Don Jefe

          Re: This is a very serious issue

          Holy shit! I did Nazi that coming.

  7. Cliff

    Tragedy of the commons

    People acting with selfish interests on a shared resource means it will almost inevitably ultimately be degraded. If you have common grazing rights, why would you graze 10 sheep if you could graze 100 for the same cost? So everyone grazes 100+ sheep, land is degraded as it isn't infinite. Same applies to TOR. The benevolence of the node hosts is abused.

    For more on this...

    1. Old Handle

      Re: Tragedy of the commons

      The potential for this to cause trouble is certainly real, but at the moment, as long as it's still functioning, I'm not sure having the network flooded with junk traffic is such a terrible thing. On the face of it, it would appear that more users, whether bots or human, just makes it that much harder to figure out who's who.

  8. Khaptain Silver badge

    Steve Dingledine Knox will then be forced to move into the Dark Dark Dark Dark Net where the Dingledine name is yet unheard of .......

    If you ever are tempted over to the Dark Dark Dark Dark side and you see that Pseudo you can be pretty damned sure who is using it......

  9. Olius

    Nodes are not relays

    This is something I didn't realise about TOR - there are relays and there are clients. Perhaps if every node joining TOR was a relay, it would be "stronger" (provided the network could do what Gnutella does and have other nodes/relays hold stats on their peers' speed) - then there would not be 4000 relays, there would be millions. And the network could theoretically become faster the larger it got.

    1. phuzz Silver badge

      Re: Nodes are not relays

      But there's no incentive for the botnet creators to act as nodes, so presumably they'd strip out the relay functionality and just leave the client.

  10. Ace Rimmer
    Black Helicopters

    I'm not saying it's a new iteration of PRISM but....

    1st September Reg article regarding tracing nodes by utilising a huge amount of "controlled nodes":

    Given that article is based on the publication of the PDF on Cryptome, which was published in August, around the time that the massive increase in nodes appeared it's altogether possible some entity is trying to flush the identities of the other nodes on the network.

    "The compromise isn't something available to the trivial attacker. The models that Johnson developed assume that an adversary has access either to Internet exchange ports, or controls a number of Autonomous Systems (for example an ISP). However, it's probably reasonable to assume that the instruments of the state could deploy sufficient resources to replicate Johnson's work."

    Assuming that a large quantity of bots (roughly the same number of bots as existing nodes on the network according to the reports) could provide the same level of information, it sounds very much like what's actually happening.

  11. Tom 13

    Maybe Tor should just call the NSA

    They've probably already got it mapped and if they ask nicely maybe they'll tell them who is doing it.

  12. gollux

    State it for what it really is, increased WAGS as to what on earth is happening. Welcome to faith based explanations over increase in traffic on a faith based TORnogrpahy network.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020