The Growing Problem of Malicious Relays on the Tor Network

Yesterday I found this post on /r/privacy; it has very few upvotes and there's no mention of it on either /r/privacytoolsio or /r/tor. From my point of view, this is a real threat when it comes to the de-anonymization of Tor network users.

If you are using the Tor network to log in to any kind of important account, I would recommend against it. Maybe I'm not understanding the full scope of this, but this could enable correlation and phishing attacks, hurting not only the anonymity of its users but also their privacy and security.


Here are some extracts of the article:


This graph shows the Sybil’s guard capacity over time (~3y). The graph ends at the beginning of Oct 2019 (it intentionally lacks X and Y axis).

At their peak they reached >10% of the Tor network’s guard capacity. A guard relay is the first relay in the chain of 3 Tor relays forming a circuit and the only relay seeing the Tor user’s real IP address, but not seeing the destination accessed by the user.
To give you a feeling about their size in relation to other known operators:
The biggest known guard relay operator as of 2019-12-08 is below 2% guard capacity.

After reporting them to the Tor Project they got removed (the ones I knew about initially), but it did not take them long to set up new relays soon after.

Until this day (2019–12–08) they are actively running high bandwidth relays on the Tor network. Due to the sheer size of this particular adversary I had some hope that this discovery would act as a wake-up call and finally spark some improvements, unfortunately it did not so far.

Why didn’t we detect them earlier?

Initially their capacity was somewhat limited, and most of their capacity got added in the course of the past year, but a year is still a very long time for detection.
To avoid detection they spread their relays across multiple hosting providers and added them relatively slowly over a long period of time.
They make use of the biggest Tor hosters (OVH and Hetzner) to blend in with the rest, but they also make use of hosters rarely seen before they joined (i.e. AS20860). In fact their relays made the autonomous system “Iomart Cloud Services” (AS20860) so big, it is now the 6th biggest ASN by guard capacity on the Tor network:


Top 10 ASNs by Guard Capacity: Iomart Cloud Services on position 6. (Data Source: https://metrics.torproject.org/rs.html#aggregate/as)
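As an added example, not code from the linked article or from the Tor Project, here are the two metrics quoted above (guard capacity with no ContactInfo, and the top ASNs by guard capacity) computed over a constructed sample of relay records shaped like Onionoo "details" documents; the field names guard_probability, flags, as, as_name and contact are assumed.

```python
"""Aggregate guard capacity by ContactInfo presence and by autonomous system."""
from collections import defaultdict

# Constructed sample relays (not real Tor relays). guard_probability is assumed
# to mean each relay's share of total guard selection weight, as Onionoo reports.
SAMPLE_RELAYS = [
    {"nickname": "r1", "flags": ["Guard", "Running"], "as": "AS16276", "as_name": "OVH",
     "contact": "ops@example.org", "guard_probability": 0.030},
    {"nickname": "r2", "flags": ["Guard", "Running"], "as": "AS24940", "as_name": "Hetzner",
     "contact": "admin@example.net", "guard_probability": 0.025},
    {"nickname": "r3", "flags": ["Guard", "Running"], "as": "AS20860", "as_name": "Iomart",
     "contact": "", "guard_probability": 0.040},
    {"nickname": "r4", "flags": ["Guard", "Running"], "as": "AS20860", "as_name": "Iomart",
     "guard_probability": 0.035},                      # no contact key at all
    {"nickname": "r5", "flags": ["Guard", "Running"], "as": "AS16276", "as_name": "OVH",
     "contact": "   ", "guard_probability": 0.020},    # whitespace-only contact
    {"nickname": "r6", "flags": ["Exit", "Running"], "as": "AS24940", "as_name": "Hetzner",
     "contact": "exit@example.net", "guard_probability": 0.0},  # exit, not a guard
    {"nickname": "r7", "flags": ["Guard", "Running"], "as": "AS20860", "as_name": "Iomart",
     "contact": None, "guard_probability": 0.015},
]


def guard_relays(relays):
    """Keep only relays that carry the Guard flag and have non-zero guard weight."""
    return [r for r in relays
            if "Guard" in r.get("flags", []) and r.get("guard_probability", 0) > 0]


def guard_share_without_contact(relays):
    """Fraction of guard capacity run by relays with an empty or missing ContactInfo."""
    guards = guard_relays(relays)
    total = sum(r["guard_probability"] for r in guards)
    if total == 0:
        return 0.0
    missing = sum(r["guard_probability"] for r in guards
                  if not (r.get("contact") or "").strip())
    return missing / total


def top_asns_by_guard_capacity(relays, n=10):
    """Rank autonomous systems by summed guard weight: (asn, as_name, weight)."""
    totals, names = defaultdict(float), {}
    for r in guard_relays(relays):
        asn = r.get("as", "unknown")
        totals[asn] += r["guard_probability"]
        names.setdefault(asn, r.get("as_name", ""))
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(asn, names[asn], round(w, 4)) for asn, w in ranked[:n]]


if __name__ == "__main__":
    print(f"guard capacity with no ContactInfo: {guard_share_without_contact(SAMPLE_RELAYS):.1%}")
    for asn, name, w in top_asns_by_guard_capacity(SAMPLE_RELAYS):
        print(f"{asn:<8} {name:<10} {w:.4f}")
```

A sudden rise in either number, or one AS jumping into the top ten as AS20860 did, is the kind of signal the article says went unnoticed for a year.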

Look, I'm not an expert with Tor, but lately I noticed something called "guard" on relays, and if I'm right it was made for this thing, because the first node takes your IP, so Tor just connects to trusted relays to protect your IP, and trust me, if the other relays are even run by the NSA it's not worth it! (The second relay is like a bridge to connect data between the first and last relay, and the last relay opens the sites.) So yeah.

If you look at the first graph it says "This graph shows the Sybil's guard capacity over time". This is the amount of Tor guard relays they have, from the article:

At their peak they reached >10% of the Tor network’s guard capacity. A guard relay is the first relay in the chain of 3 Tor relays forming a circuit and the only relay seeing the Tor user’s real IP address, but not seeing the destination accessed by the user.
To give you a feeling about their size in relation to other known operators:
The biggest known guard relay operator as of 2019-12-08 is below 2% guard capacity.

Also:

In the last year the amount of guard capacity with no ContactInfo increased from < 30% to >45%. Most of this can probably be attributed to the discovered Sybil since they had no ContactInfo.

It is clear to me, or maybe I'm crazy, that the number of Tor guard relays they have is impressive, and yes, after the first relay there are two more, but what stops them from having access to the other two and therefore carrying out a correlation attack? And even if they could not access the website that the user is visiting, they know the real IP address of the user, which to me is a great flaw in something like Tor.

It's not the first time that something similar has happened.

In April 2015, a number of user accounts were compromised in what was speculated at the time to be a government-sponsored de-anonymization attack from 70 different exit nodes. A SIGAINT administrator said that the hidden service was not hacked but malicious exit nodes had modified their clearnet page so that its link to the hidden service pointed to an imposter hidden service, effectively tricking users with a phishing attack that harvested login credentials. SIGAINT has since added SSL to their gateway to protect against such attacks.

I think this should be a good additional reason for people to set up Tor relays while, as the post says, more measures are also needed.


Setting up more relays is always good as it helps with the anonymization and speed of the service, but by itself I don’t think it’s a solution. More measures are obviously needed, but also Tor authorities need to start giving more attention to the subject since they aren’t doing so.