Hacker News
Tor usage doubles in under a week, and no one knows why (arstechnica.com)
166 points by geerlingguy on Aug 29, 2013 | 71 comments



I spent some time looking at this. I can't find the source, but things appear to point to the pirate browser from The Pirate Bay. As mentioned on the tor-talk mailing list, The Pirate Bay website is a high-ranking site, and on the 10th of August they linked to the pirate browser from one of the 10 or so links under the search. The archive.org cache shows this clearly. So why didn't the uptick happen until the 19th? I can't explain it. Twitter conversations increased around the 16th. News articles seem constant from the 10th onward.

Initially I assumed a conspiracy to flood the network or conduct research when I read about abnormal spikes for India and Brazil, but actually looking at the graphs, the huge spikes are across most nations.

For reference, I checked the source code for the graphs page and how the data is compiled, and the only data available for user count is country, so at the moment there is no way to do pattern analysis for Tor version or the like to definitively point to the pirate browser.
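As an added example (not code from this thread or from the Tor Project's metrics tooling) of the per-country analysis the comment above says is the only kind the published data supports: the script below builds a constructed CSV in the date,country,users shape of the direct-users export, takes a per-country baseline median, and flags countries whose recent median is at least double it, plus the same ratio for the world total. The country codes, counts, the 10-day/4-day split and the 2x threshold are all constructed assumptions, not figures from the page.

```python
"""Flag per-country jumps in Tor direct-user counts.

Added example, not from the thread or the Tor Project. The CSV is
constructed to mimic the date,country,users shape of the Tor Metrics
direct-users export; the spike rule (recent median >= 2x baseline median)
is an assumed, generic check.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed baseline sizes and the multiplier applied in the last days.
BASELINE = {"us": 90000, "ru": 15000, "bg": 1500, "de": 50000}
JUMP = {"us": 2.1, "ru": 2.0, "bg": 7.5, "de": 1.05}
BASELINE_DAYS = 10
WINDOW_DAYS = 4


def build_sample_csv():
    """Return constructed CSV text: 10 flat days, then 4 days with the jump."""
    lines = ["date,country,users"]
    start = date(2013, 8, 5)
    for i in range(BASELINE_DAYS + WINDOW_DAYS):
        day = start + timedelta(days=i)
        # +-2% wobble so the baseline is not perfectly flat.
        wobble = 1.0 + 0.02 * ((i % 3) - 1)
        for cc, base in BASELINE.items():
            factor = JUMP[cc] if i >= BASELINE_DAYS else 1.0
            lines.append(f"{day.isoformat()},{cc},{int(base * factor * wobble)}")
    return "\n".join(lines) + "\n"


def parse_rows(text):
    """Parse date,country,users CSV into (date, country, users) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append((date.fromisoformat(rec["date"]), rec["country"], int(rec["users"])))
    return rows


def _split(series, window_days):
    """Split an ordered daily series into (baseline, recent)."""
    return series[:-window_days], series[-window_days:]


def detect_spikes(rows, window_days=WINDOW_DAYS, threshold=2.0):
    """Return {country: ratio} for countries whose recent median user count
    is at least `threshold` times their baseline median."""
    per_country = defaultdict(list)
    for _, cc, n in sorted(rows):  # sorted by date, so series are in order
        per_country[cc].append(n)
    flagged = {}
    for cc, series in per_country.items():
        base, recent = _split(series, window_days)
        if not base:
            continue
        ratio = median(recent) / median(base)
        if ratio >= threshold:
            flagged[cc] = round(ratio, 2)
    return flagged


def world_ratio(rows, window_days=WINDOW_DAYS):
    """Ratio of recent to baseline median of the daily world total."""
    totals = defaultdict(int)
    for d, _, n in rows:
        totals[d] += n
    series = [totals[d] for d in sorted(totals)]
    base, recent = _split(series, window_days)
    return median(recent) / median(base)


if __name__ == "__main__":
    rows = parse_rows(build_sample_csv())
    print("flagged:", detect_spikes(rows))
    print("world ratio: %.2f" % world_ratio(rows))
```

Pointing `parse_rows` at a real export instead of `build_sample_csv()` is the only change needed to run it against the published data; medians rather than means are used so a single noisy day in either window does not create or hide a flag.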


I was initially worried about end-to-end traffic, but saw that the exit nodes and bridges haven't increased. If Google search traffic is a fair indicator, it looks like genuine user growth is driving this. Google searches for "tor" haven't seemed to move much globally [1] but Russia saw a huge jump starting on August 16th [2].

Anyone know how to get the same info for Yandex to cross-check?

[1] http://www.google.com/trends/explore?q=tor#q=tor&date=today%...

[2] http://www.google.com/trends/explore?q=tor#q=tor&geo=RU&date...


The RU increase is relatively minor compared to the 50-60k user increase in the US. I find it very difficult to believe that these increases represent new actual people using Tor for web. The botnet theory seems far more likely.


Using only Google search to measure the increase would not be enough though. There are other really popular search engines in Russian.


This might be the reason: "Russia’s FSB mulls ban on ‘Tor’ online anonymity network" http://rt.com/politics/russia-tor-anonymizer-ban-571/


I don't buy it, PirateBrowser cannot possibly attract 600k users: if someone wants to use Tor, the Tor Bundle is good enough. It's a crystal-clear botnet massively infecting computers (Java for local and something else, RPC?, for remote access) running through Tor to hide the mothership.

An NSA attack would be possible, but seriously, they would get 1 out of 100 targeted users. I don't think it's worth the effort and I think they're not so stupid. Then again they are severely more stupid than what we used to think... so everything is possible. My money is on the botnet theory though.


Ethical != stupid.

Don't underestimate someone because you dislike what they do.


Stupid? Effectively intercepting telecommunications from not only within and with the consent of the 'big players' networks, but also assuring they achieve total surveillance through compromising undersea cables is quite the feat. Storing data until they have the machine power to break encryption strikes me as clever and prudent, not stupid.

Stupid is disparaging an entity that has engineered around entire industry and international infrastructure to accomplish their goals.

But yea, botnet sounds like it's right on the money. When does the NSA's Utah data center go online?


>Stupid? Effectively intercepting telecommunications from not only within and with the consent of the 'big players' networks, but also assuring they achieve total surveillance through compromising undersea cables is quite the feat. Storing data until they have the machine power to break encryption strikes me as clever and prudent, not stupid.

The 'stupid' part is that any random contract sysadmin could pull huge amounts of data without setting off any alarms. I mean, this isn't some tiny VPS provider, where you might expect all the admins to have root. This is the fucking NSA. They should have tight control and logging over who accesses what, and if they have a master key, the folks with access to that master key ought to be fully vetted employees, and there ought to be few of those people.

Sure, it's hard to design a system where your sysadmins don't have full access, but not nearly as hard as everything else they've done.

This is what I find so shocking about the leak. We all knew that the government was spying on us. The shocking part is that they don't have any better security than I have when it comes to storing that data.

I mean, this is the leak we know of... how much do you want to bet that someone else has already used this data for personal gain, without the public or even the NSA finding out?

It's one thing to keep all my internet history, and use it for investigations... it's quite another to keep all that data where any random contractor can come in and fish through it without setting off alarms.

No matter what you think about the rightness or wrongness of the spying itself, I think we can all agree that if they must collect data, they must also secure that data, and this leak proves that they have not done so.


> When does the NSA's Utah data center go online?

"Witness the firepower of this fully armed and operational battle station."


Let's be fair, they can still be stupid; achieving what you have said, getting that kind of access, is easy if you are the US govt/NSA/CIA. They have unlimited funds, near zero regulatory oversight and a huge fucking army backing them. So yes they can do this, but they can still be stupid.

Now the clever guy is the guy that can get that access without access to the resources of the NSA.


Here is an article written one month ago aptly titled "The rise of TOR-based botnets"

http://www.welivesecurity.com/2013/07/24/the-rise-of-tor-bas...


Relays haven't increased correspondingly, so it's not a straightforward correlation attack.

Here's a list of hypotheses:

1. The recent Russian censorship crackdown.

2. Botnets using Tor to search for vulnerable systems and to hide the C&C server.

3. US publicity following the recent NSA news events.

4. The Pirate Browser's use of Tor.

5. An OP (client) based vulnerability in the network.

If you have upstream collection on the backbones, then you might be able to fingerprint hidden services with staggered connection floods (watermarking). Also, you may be able to do stream watermarking on the OP->Hidden Service traffic through the Tor cell delay side channel. That seems very possible.

Edit: Another possibility just occurred to me. You could use the OP clients to overload the relays you don't control, driving traffic to the attacker's hostile relays.

Something in my gut says that's not right though... Mostly because this is so very amateurish, with no slow ramp-up of nodes, etc. Then again, the Freedom Hosting takedown wasn't exactly a model of subtlety either.

Botnets have started to use Tor in a major way for C&C. Of all the above, (2) seems most likely.

If someone really wants to find out, stand up a couple exit nodes on EC2 and watch the exit traffic pcap. That might be a bit dodgy in light of ECPA, but after all it's just metadata, right? ;)


> If someone really wants to find out, stand up a couple exit nodes on EC2 and watch the exit traffic pcap.

Ideally it would be someone who has had such set up from before the spike, so that there is a baseline for computing the increase.

Also, an arbitrary set of exit nodes is obviously not guaranteed to capture the spike. In fact there might be no spike at all in exit traffic (quote: "So while there are a bunch of new Tor clients running, it would seem they're not doing much.")


> So while there are a bunch of new Tor clients running, it would seem they're not doing much.

Huh, didn't notice that. Should have seen it from the network bandwidth graph. It's even more odd in some ways than the OP spike.

I've got a fairly good understanding of the mechanics of the Tor network having studied it down to the packet level, modified the source for academic experiments, etc. I can't think of any reason that would compromise anonymity where it would help to have a whole bunch of mostly idle OPs idling on the network.

Maybe a botnet C&C with low bandwidth staggered command orders, or maybe it's infrastructure building for something that hasn't been activated yet. Or of course the more mundane explanation that lots of people downloaded the clients after the recent publicity, and don't really use the browser bundles.


I think the most likely reason for this one is pretty obvious. If we do not hear of any social effect contributing to the explosion, such as China or India adding massive numbers of people, then my money would be on somebody getting a massive botnet on TOR.


What are the odds it's a global passive adversary sending trackable traffic through Tor to map out the network?


All the Tor relay nodes (except for bridges) are publicly listed in the directory, how do you mean map out the network?


I'm speculating heavily, but it might be beneficial to precompute some kind of timing map for a large portion of the network in order to have a baseline for future timing analysis attacks. I only have a very vague idea of how that might be useful, so this is low probability.


Ok, I can't think of an attack that could be accomplished by controlling half the traffic on the network. It doesn't mean there isn't one, but I can't think of it. I think that was a bad guess on my part.


Guard nodes make it so only a certain number of certain types of nodes are visible to any client. By controlling a huge number of clients, you are able to enumerate them much more easily.

https://lists.torproject.org/pipermail/tor-dev/2011-October/...


The number of directly connecting users from Russia does appear to have doubled [1], but this can also be seen in UK user numbers [2]. For such an increase to be seen globally, my hunch is that this is down to either the Pirate Browser [3] or some other software release - not necessarily a response to a particular law being passed, NSA leak, etc.

[1] https://metrics.torproject.org/direct-users.png?start=2013-0...

[2] https://metrics.torproject.org/direct-users.png?start=2013-0...

[3] http://piratebrowser.com/


Russia went up 15,000 in two weeks. But the world went up from 600k to 1.2M in the same two weeks.

https://metrics.torproject.org/users.html?graph=direct-users...


And usage from Bulgaria increased seven to eight times [1]. This is really strange, I don't know anybody who uses tor on purpose. My money is on a bittorrent client connecting automatically.

[1] https://metrics.torproject.org/direct-users.png?start=2013-0...


Interesting, similar jumps happened in every country I tried: Brazil, Vietnam, US, Argentina, South Africa.

I can't imagine the Pirate Browser thing would be immediately so popular across so many different cultures, even in countries without net censorship.


Maybe a botnet has started using Tor for connecting to a central command server? Might help explain a doubling of nodes but minimal traffic increase.


The number of bytes doubled, not users.

I will wager that some somewhat popular high-bandwidth application (bittorrent client?) has integrated tor in some way, and they released the version with that integration about a week ago.



Where are you getting that the bytes doubled and not users?

According to https://metrics.torproject.org/users.html?graph=direct-users... the number of users doubled, to 1.2 million, in just 2 weeks.


If a government entity had enough tor exit nodes and peers in place, might they catch some traffic end-to-end, and therefore be able to track usage of some people?

Any chance that is why usage has jumped?


I can't speak to the cause of the jump, but a single entity controlling a large amount of the network is a known weakness in Tor. Essentially, Tor is designed to be a low-latency system. This means that if someone controls both the entry and exit node you use, they can correlate the timing of your packets and de-anonymize you. Having internal nodes probably helps, as would having ISP access.


Here's an overview of the scenario you are talking about: https://blog.torproject.org/blog/one-cell-enough

Also, this news has nothing to do with a jump in relays.

Perhaps it's due to https://en.wikipedia.org/wiki/PirateBrowser


The number of exit nodes and bridges hasn't changed nearly as drastically [1].

I'd wager it's a mix of publicity post NSA debacle and more botnets coming online.

[1] https://metrics.torproject.org/network.html


I started to use the Tor browser bundle this week. Mainly because of the whole NSA/Snowden thing. Plus Tor was a lot in the news from the Freedom Hosting takedown, so I was reminded several times that I should test it out.

Maybe many others experienced the same? At least I have had enough. Obama is tracing me no more!


I second this. With everything going on in the news recently, I've increased my VPN and Tor usage.


I tried Tor a long time ago, but it was unusable for me due to extremely low speed.


I suggest you try it again. It's not nearly as slow now as it once was.


Just tried it. Nothing has changed. Browsing with TOR is ~30 times slower than normal browsing. It means it takes 2-3 seconds to load google.com, and 30s-1min to load my local news page, 15min.lt. I don't know who downvoted me for stating this fact, but he either doesn't use TOR or the nodes are near his physical location.


Occasionally you get a slow path. If this happens and you're in a hurry, just press the "New Identity" button to get a new random path. It usually works.


Funnily, last time I used it it was so quick I didn't think it was working!


A lot of people are moving their hacking attempts under tor. They want to brute-force your ssh server, rdp, etc. but they don't want to go to prison.
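Added example for defenders (not code from this thread or from the Tor Project) of attributing failed SSH logins to Tor exit addresses, which is the first thing an operator would want to know when seeing brute-force attempts of the kind described above. It parses a constructed snippet in the ExitNode/ExitAddress layout of the TorDNSEL exit-address list (my assumption about that format; the fingerprints are dummies and the addresses come from the RFC 5737 documentation ranges) together with a few constructed sshd auth.log lines, and reports per-source attempt counts tagged with whether the source is a listed exit.

```python
"""Attribute failed SSH logins to Tor exit addresses.

Added example, not from the thread. EXIT_LIST mimics the ExitNode /
ExitAddress layout of the TorDNSEL exit-address list (an assumption about
that format); fingerprints and addresses are constructed, using RFC 5737
documentation ranges. AUTH_LOG lines are constructed too.
"""
import re
from collections import defaultdict

EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2013-08-28 10:22:43
LastStatus 2013-08-28 11:02:19
ExitAddress 198.51.100.7 2013-08-28 11:23:14
ExitNode 0000000000000000000000000000000000000002
Published 2013-08-28 09:40:00
LastStatus 2013-08-28 11:00:00
ExitAddress 192.0.2.44 2013-08-28 11:20:01
ExitAddress 192.0.2.45 2013-08-28 11:20:01
"""

AUTH_LOG = """\
Aug 28 11:30:01 host sshd[2345]: Failed password for root from 198.51.100.7 port 44321 ssh2
Aug 28 11:30:03 host sshd[2345]: Failed password for root from 198.51.100.7 port 44322 ssh2
Aug 28 11:30:05 host sshd[2346]: Failed password for invalid user admin from 198.51.100.7 port 44323 ssh2
Aug 28 11:31:10 host sshd[2350]: Failed password for invalid user test from 203.0.113.9 port 51000 ssh2
Aug 28 11:31:12 host sshd[2350]: Failed password for invalid user test from 203.0.113.9 port 51001 ssh2
Aug 28 11:32:00 host sshd[2360]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
"""

# Matches both "Failed password for root from ..." and the
# "Failed password for invalid user <name> from ..." variant.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_exit_list(text):
    """Collect every ExitAddress IP from an exit-list document."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            exits.add(parts[1])
    return exits


def parse_failed_logins(text):
    """Return (ip, user) for each sshd 'Failed password' line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user")))
    return out


def summarize(log_text, exit_ips):
    """Per-source attempt count, distinct usernames tried, and Tor-exit flag."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "tor_exit": False})
    for ip, user in parse_failed_logins(log_text):
        entry = summary[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        entry["tor_exit"] = ip in exit_ips
    return dict(summary)


def tor_share(summary):
    """Fraction of all failed attempts that came from listed exits."""
    total = sum(e["attempts"] for e in summary.values())
    from_tor = sum(e["attempts"] for e in summary.values() if e["tor_exit"])
    return from_tor / total if total else 0.0


if __name__ == "__main__":
    exits = parse_exit_list(EXIT_LIST)
    report = summarize(AUTH_LOG, exits)
    for ip, e in sorted(report.items()):
        print(f"{ip:15} attempts={e['attempts']} users={sorted(e['users'])} tor_exit={e['tor_exit']}")
    print(f"share of failed attempts from Tor exits: {tor_share(report):.0%}")
```

The exit list only ever contains relays that have been observed exiting, so the new clients this thread is about would never appear in it; a source not on the list is simply "not a known exit", not "not Tor". Splitting the count by exit versus non-exit is what tells an operator whether blocking exits would actually reduce the noise or just move the problem to the AWS-style sources mentioned further down.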


Nothing new there. We've been dealing with bad guys coming through TOR nodes for at least 1.5 years.

What annoys me more is the people using AWS to send us bad traffic.


Is there no reporting for AWS?


It's whack-a-mole, basically. Amazon has not been too keen on dealing with abuse reports that I've seen, and even then, criminals setting up botnets and exits on AWS are almost certainly using stolen identities.


Doesn't Tor let you donate EC2 instances to them? Yes it does: https://cloud.torproject.org/


Sure, for a bridge. Which isn't an entry or exit node.


Botnet scraper. Or maybe a zero-day in Tor that the NSA might have discovered and is trying to exploit. 600K to 1.2 million is effectively double the traffic. But what bothers me is that all of these are clients; if they were relays then that would make sense. But the NSA has gotten more aggressive and out-front after the leaks though.

edit: fixed typos


Could this be government bots setup to intercept traffic?


Regular end users wouldn't be of any use in intercepting traffic. That's what exit nodes are valuable for.


The linked paper describes an attack on Tor that relies on percentage of network ownership to deanonymize communications.

I thought that this might be what is going on, but since the increase seems to be clients and not new nodes I assume that this is not the case, however the paper is kinda cool anyways.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&c...
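An added example, not from the thread or the linked paper, putting numbers on two points made above: that an adversary holding both the entry and the exit of a circuit can correlate traffic, and that what it gains depends on the fraction of the network it controls. The Monte Carlo below compares a client that picks a fresh entry for every circuit with one that keeps a persistent entry guard, using assumed adversary shares `f` (entry/guard position) and `g` (exit position) of the bandwidth-weighted selection probability. The closed-form formulas beside the simulation are standard results for this model, not figures from the page, and the numbers in `main` are constructed.

```python
"""Monte Carlo: how often an adversary owning a share of the network gets
both ends of a client's circuits, with and without persistent entry guards.

Added example, not from the thread or the linked paper. `f` and `g` are
assumed adversary shares of the bandwidth-weighted selection probability
for the entry and exit position; circuits are modelled as independent draws.
"""
import random


def p_ever_no_guards(f, g, circuits):
    """Closed form: each circuit independently has both ends adversarial with
    probability f*g, so P(at least one bad circuit) = 1 - (1 - f*g)^n."""
    return 1.0 - (1.0 - f * g) ** circuits


def p_ever_with_guard(f, g, circuits):
    """Closed form with one persistent guard: the guard itself must be
    adversarial (prob f) and at least one exit must be (prob 1 - (1-g)^n)."""
    return f * (1.0 - (1.0 - g) ** circuits)


def simulate(f, g, circuits, clients=20000, seed=1):
    """Simulate `clients` users each building `circuits` circuits.

    Returns (fraction_ever_hit_no_guards, fraction_ever_hit_with_guard).
    A circuit is 'hit' when its entry and its exit are both adversarial.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    hit_no_guard = 0
    hit_guard = 0
    for _ in range(clients):
        guard_is_bad = rng.random() < f  # chosen once, kept for all circuits
        ever_no_guard = False
        ever_guard = False
        for _ in range(circuits):
            exit_is_bad = rng.random() < g
            entry_is_bad = rng.random() < f  # fresh entry per circuit (no guards)
            if entry_is_bad and exit_is_bad:
                ever_no_guard = True
            if guard_is_bad and exit_is_bad:
                ever_guard = True
        hit_no_guard += ever_no_guard
        hit_guard += ever_guard
    return hit_no_guard / clients, hit_guard / clients


if __name__ == "__main__":
    f, g, n = 0.10, 0.10, 30  # constructed: 10% of entry and exit weight, 30 circuits
    print("closed form: no guards %.3f, with guard %.3f"
          % (p_ever_no_guards(f, g, n), p_ever_with_guard(f, g, n)))
    print("simulated:   no guards %.3f, with guard %.3f" % simulate(f, g, n))
```

The point the simulation makes is why the comments keep asking whether the new nodes are relays: without guards, a client that builds enough circuits is eventually certain to hand an adversary both ends, whereas with a persistent guard the long-run risk is capped at `f`, the adversary's share of guard weight. Extra clients change neither `f` nor `g`; only relay capacity does.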


Whenever there's discussion of timing attacks on Tor, somebody always says "that's impossible unless they were able to monitor a very significant amount of all Tor traffic. Tor is safe."

Somehow, they don't realize that the NSA's upstream program is exactly that. They've been intercepting any Internet traffic they can get their hands on all the way back to 2003. Tor is not safe.


I've got a really poor internet connection (for free) with about 16kb/s up/down, and it seems from my position that many of you are fastidious about "Tor is slow / slows down my internet usage". I cannot say that Tor usage slows anything for me. Maybe my connection speed does not satisfy any of your internet claims?! (Trapped in a loop, sorry, can't fix the problem.)


Not to promote botnets but it does benefit TOR to have more nodes operating... Involuntary recruiting?


These are Tor (not TOR) clients, not relays.


Any (very small) chance we could be seeing something related to this: http://www.cs.uml.edu/~xinwenfu/paper/SPCC10_Fu.pdf


PirateBrowser - http://piratebrowser.com/ - was released on the 10th, and only uses Tor when normal access doesn't work (so that would explain the low use).

BUT the increase wasn't until Aug 19 - https://metrics.torproject.org/users.html?graph=direct-users...


And still, they run it on Windows.

Haven't these people learnt anything?


The fact it only uses tor when 'normal access' isn't available means for the majority of usage it isn't adding any privacy.


They're not using it for privacy; they're using it to avoid DNS holes.


Maybe it's the classic rule that to control a network, you'll need to control at least 50% of it. So now we've got (at least) double the number of nodes.


Did Firefox actually implement the default Tor change? This may be the reason, if plenty of testers are checking out the new nightly builds.


How has no one mentioned Syria yet? Not saying it's related, but the ramp-up is the only event that fits the time frame.


The only event you know of. I find the botnet idea much more probable, given the increased usage across many countries.


It seems possible someone is revving up the engines on their botnet in anticipation of some upcoming event.

But this is hardly the first time someone has noticed malware spreading exponentially over the network. Correlation to current newsworthy events may be completely accidental.

I do not believe in jumping to conclusions here. It could be location reporting bias or malware attempting to not piss off (or implicate) certain parts of IP space. But compare Greece https://metrics.torproject.org/users.html?graph=direct-users... to Israel https://metrics.torproject.org/users.html?graph=direct-users...


Related to the launch of the Pirate Browser perhaps?


It's because no one trusts Google and people are moving to anonymous proxy networks as a partial solution.


What about someone with all the keys they want using all these nodes to sniff and decrypt traffic?


These are user nodes, not relays. They see no traffic other than their own.


The UDC...


Forbes published that interview with the Silk Road operator on August 14. Maybe a lot of people just learned how to buy drugs online.

http://www.forbes.com/sites/andygreenberg/2013/08/14/meet-th...


Someone is building the next Google!!!! And they're scraping everything, even top secret documents!



