

How to handle millions of new Tor clients - conductor
https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients?

======
richardkeller
Assuming this is a botnet, it would be quite interesting to have the botnet
controller simultaneously turn all of those tor clients into tor relays.

------
mmastrac
Playing the devil's advocate here - isn't this a good thing for the Tor
network? Almost anything that adds traffic to the Tor network will help the
"legit" users further blend into the crowd.

~~~
tommmmmm
It sounds like it's close to hurting performance for legit users. Also, since
we don't know what the botnet operator's planning, it's probably safest for
Tor to try to stop it.

~~~
contingencies
Err, that would be _censorship_ which is against the project's goals.

------
lelf
Some more evidence to the botnet theory: [http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-rece...](http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/)

------
tempestn
Seems entirely possible that this bot net represents an intentional attack on
Tor. While it doesn't seem nearly as effective as it could be, that may be
intentional as well, both to leave doubt as to its true nature, and to gather
data with some long-term goal (likely eliminating Tor entirely) rather than
simply causing short-term pain.

~~~
dalek_cannes
> Each circuit requires the relays to do expensive public key operations, and
> many of our relays are now maxed out on CPU load.

Yep. That's one way to attack the network.

~~~
computer
My CPU-limited nodes lost several MB/s in bandwidth, which I now suspect is
caused by this.

Note that the handshake is the CPU-limited part, so a CPU-limited node
benefits (in terms of MB/s) from having few clients which use high bandwidth,
the opposite of these bots.

------
channi
NSA trying to make a mess with TOR with all Americans as their zombies? It is
funny to see what the American government is doing with its citizens. And with
the rest of the world. First they create terrorism, and then they "solve" it.

~~~
Abundnce10
Nice. Even if it's not the NSA, I'm surprised people aren't curious about who
it is that's running these bot nets.

------
bitboy2000
Roger doesn't understand botnets at all. The author clearly doesn't care about
Tor itself, just his C&C server, which are more likely to get shutdown. Tor is
exactly what he wants. Anonymity only matters at the server, not all the
zombies.

~~~
j_s
Your comment was a bit confusing to me. I'm going to interpret 'Roger' as the
writer of the blog entry (not really clear anywhere on the page); and by 'the
author', you mean the botnet owner?

Then the portion of the blog post (at the very end) you are responding to:

> I still maintain that if you have a multi-million node botnet, it's silly to try
> to hide it behind the 4000-relay Tor network. These people should be using their
> botnet as a peer-to-peer anonymity system for itself. So I interpret this
> incident as continued exploration by botnet developers to try to figure out what
> resources, services, and topologies integrate well for protecting botnet
> communications. Another facet of solving this problem long-term is helping them
> to understand that Tor isn't a great answer for their problem.
>
> [- Roger]

where you believe the blog is mistaken on the botnet's use of Tor. You point
out the intention of hiding the owner's control of the botnet vs. your
interpretation of the blog post as claiming the botnet is trying to hide
entirely behind Tor.

My interpretation of the blog post excerpt is that the botnet offers its
creator a chance to run a better Tor than Tor itself... with more nodes and
the option of configuring whatever percentage as entry / relay / exit nodes.

------
the_french
It'd be great if botnets would help the tor network and turn some nodes into
relays (including exit) to help anonymity and capacity, at least they wouldn't
parasite off the network completely.

~~~
hdevalence
No, not really -- that would be a much, much more serious problem for Tor. (As
I understand it,) Tor relies on the assumption that relays are controlled by a
diverse group of people. If one person suddenly adds 3 million Tor relays,
then it doesn't help anonymity at all, since that one person can now monitor a
significant portion of Tor traffic.

If I own every relay on your circuit, I can monitor your traffic; if I own
three million relays, it's almost certain that a significant portion of the
traffic will be running through circuits composed of relays I own.

~~~
thex86
And you do not even need to control all the relays: assuming you control the
first node and the last node in the circuit and as Tor is a low-latency
network, it's trivial to perform timing analysis to find out what someone is
doing on the network.
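
As an added illustration of the point hdevalence and thex86 make (not code from the thread or from the Tor Project), a toy model of bandwidth-weighted path selection: it estimates how often one operator ends up owning both the entry and the exit of a circuit, first for a small operator and then for a multi-million-node botnet that turned its clients into relays. The relay directory is constructed, and the model assumes guard and exit are drawn independently by bandwidth with no guard pinning, which is a simplification of real Tor path selection.

```python
import random
from itertools import accumulate

# Constructed toy directory: each relay is (operator, bandwidth, exit_capable).
# Honest relays belong to distinct operators; every botnet relay has one owner.
def build_relays(honest_n, honest_bw, botnet_n, botnet_bw):
    relays = [("honest-%d" % i, honest_bw, i % 3 == 0) for i in range(honest_n)]
    relays += [("botnet", botnet_bw, True)] * botnet_n
    return relays

def owned_fraction(relays, owner, exit_only=False):
    """Share of total (or exit-capable) bandwidth held by one operator: under
    bandwidth-weighted selection this is P(one hop lands on that operator)."""
    pool = [r for r in relays if r[2]] if exit_only else relays
    total = sum(bw for _, bw, _ in pool)
    return sum(bw for op, bw, _ in pool if op == owner) / total

def endpoint_compromise_estimate(relays, owner):
    # Guard and exit chosen independently (toy model: ignores guard pinning and
    # the no-reuse rule), so P(both owned) is the product of the two shares.
    return owned_fraction(relays, owner) * owned_fraction(relays, owner, True)

def simulate(relays, owner, circuits, seed=1):
    """Monte Carlo check of the estimate, with the no-reuse rule applied."""
    rng = random.Random(seed)
    cum_all = list(accumulate(bw for _, bw, _ in relays))
    exit_idx = [i for i, r in enumerate(relays) if r[2]]
    cum_exit = list(accumulate(relays[i][1] for i in exit_idx))
    hits = 0
    for _ in range(circuits):
        g = rng.choices(range(len(relays)), cum_weights=cum_all)[0]
        e = rng.choices(exit_idx, cum_weights=cum_exit)[0]
        while e == g:  # a relay is never used twice in one circuit
            e = rng.choices(exit_idx, cum_weights=cum_exit)[0]
        hits += relays[g][0] == owner and relays[e][0] == owner
    return hits / circuits

if __name__ == "__main__":
    # 4000 honest relays vs. a 30-relay operator, then vs. a 3-million-relay botnet
    small = build_relays(4000, 10, 30, 10)
    print("30 relays: %.5f (sim %.5f)" % (endpoint_compromise_estimate(small, "botnet"),
                                          simulate(small, "botnet", 20000)))
    huge = build_relays(4000, 10, 3_000_000, 1)
    print("3M relays: %.4f" % endpoint_compromise_estimate(huge, "botnet"))
```

With the numbers in the thread (4000 relays against 3 million single-owner relays) the estimate comes out above 0.98, i.e. nearly every circuit has a botnet-owned entry and exit, which is why more relays from one owner hurt anonymity rather than help it.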

------
D9u
I just downloaded and installed the Tor Browser Bundle from the Tor Project
site, and am disappointed that the version I was provided is 0.2.3.25. (Linux)

------
revelation
Retry failure modes seem to be a recurrent theme in networking, see e.g.
[http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse](http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse)

Instead of hacking relays to prioritize one botnet version over another, they
should properly implement rate-limiting algorithms like exponential backoff in
case of failure.

~~~
the_french
In the case of Tor, the objective is to obtain a valid circuit relatively
quickly so I feel that even exponential backoff would need a low max time to
be practical.

------
RoboTeddy
Could this be a Sybil attack? Can the anonymity of users be compromised by an
attacker that owns some great portion of the nodes?

~~~
tempestn
It may be an attack on the network in the DOS sense, but it should not
compromise anonymity because these bots are simply acting as clients, not
relay (or exit) nodes.

------
Houshalter
Would it be possible to require things requesting access to the tor network to
host their own temporary relay (even if it's really small, handling only one or
two connections)?

This would also allow for plausible deniability. If the Tor network was
compromised and half the nodes were owned by the feds or a botnet or something
like that, it would still be impossible to tell if the traffic coming from
your ip was from you or someone else.

------
consonants
<tinfoilhat>I bet an exploit was found that through operating a certain number
of clients Tor's anonymity or hidden services can be compromised</tinfoilhat>

~~~
belorn
Only if the clients become relays, which they have not done. It's just a bunch
more client requests, and all that those can do is affect the performance
of the network itself. They can't directly impact others' anonymity.

