Tor traffic torrent: It ain't the Syrians, it's the BOTS

'No humans are behind these clients'

The recent spike in traffic on the Tor anonymizing relay network is probably due to botnet activity rather than any recent political developments, research by Tor Project members has concluded.

The overall number of clients accessing the Tor network on a daily basis has more than doubled since around mid-August, and until now researchers had been at a loss to explain the increase.

Partly this is due to the design of the Tor network itself. Preserving users' anonymity is the whole point of the project, so the network doesn't keep logs of IP addresses or other identifying information that could help pin down where the extra traffic is coming from.

Members of the "Tor Talk" mailing list have posted numerous theories, ranging from increased activism in Syria, to public reaction to recent revelations about US surveillance operations, to an attempt by an unknown force to DDoS the Tor network itself. But according to Tor Project member Roger Dingledine, who has been investigating the matter for the past week or so, none of these is likely to be correct.

"The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients," Dingledine wrote in a blog post on Thursday.

Instead, Dingledine believes Tor client software was installed on millions of computers surreptitiously, "pretty much overnight," probably hidden inside some other, as-yet-undetermined software package.

"Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them," he wrote.

The most likely explanation is that someone is trying to set up a botnet that uses the Tor network to conceal the source of its packets. The problem, Dingledine observes, is that Tor wasn't really designed with that kind of traffic in mind.

"My first observation is 'holy cow, the network is still working'," he wrote. "I guess all that work we've been doing on scalability was a good idea."

There is still more work to be done, however, and the increase in traffic has put measurable strain on the network. What steps the Tor Project will take to make the network more resilient to botnets and other anomalous traffic spikes is still open to debate. For now, Dingledine encourages all Tor users to upgrade to Tor 0.2.4, which introduces a new circuit-handshake method (ntor) that costs far less CPU per circuit than the older handshake, easing the load on relays.

"In parallel, it would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor)," Dingledine says.

"And finally, I still maintain that if you have a multi-million node botnet, it's silly to try to hide it behind the 4000-relay Tor network ... Another facet of solving this problem long-term is helping them to understand that Tor isn't a great answer for their problem." ®
