

Tor usage doubles in under a week, and no one knows why - geerlingguy
http://arstechnica.com/security/2013/08/tor-usage-doubles-in-under-a-week-and-no-one-knows-why/

======
cyphunk
I spent some time looking at this. I can't find the source but things appear to
point to the pirate browser from the pirate bay. As mentioned on the tor-talk
mailing list, the pirate bay website is a high-ranking site and on the 10th of
August they linked to the pirate browser from one of the 10 or so links under
the search box. The archive.org cache shows this clearly. So why didn't the
uptick happen until the 19th? I can't explain it. Twitter conversations
increased around the 16th. News articles seem constant from the 10th onward.

Initially I assumed a conspiracy to flood the network or conduct research when
I read about abnormal spikes for India and Brazil, but actually looking at the
graphs the huge spikes are across most nations.

For reference I checked the source code for the graphs page and how the data
is compiled, and the only data available for user count is country, so at the
moment there is no way to do pattern analysis by Tor version or the like to
definitively point to the pirate browser.

------
jchung
I was initially worried about end-to-end traffic, but saw that the exit nodes
and bridges haven't increased. If Google search traffic is a fair indicator,
it looks like genuine user growth is driving this. Google searches for "tor"
haven't seemed to move much globally [1] but Russia saw a huge jump starting
on August 16th [2].

Anyone know how to get the same info for Yandex to cross-check?

[1]
[http://www.google.com/trends/explore?q=tor#q=tor&date=today%...](http://www.google.com/trends/explore?q=tor#q=tor&date=today%203-m&cmpt=q)

[2]
[http://www.google.com/trends/explore?q=tor#q=tor&geo=RU&date...](http://www.google.com/trends/explore?q=tor#q=tor&geo=RU&date=today%203-m&cmpt=q)

~~~
zokier
The RU increase is relatively minor compared to the 50-60k user increase in
the US. I find it very difficult to believe that these increases represent new
actual people using Tor for web. The botnet-theory seems far more likely.

~~~
TobbenTM
Using only Google search to measure the increase would not be enough though.
There are other really popular search engines in Russian.

------
atmosx
I don't buy it, PirateBrowser cannot possibly attract 600k users: if someone
wants to use Tor, the Tor Bundle is good enough. It's a crystal-clear botnet
massively infecting computers (Java for local and something else, RPC?, for
remote access) running through Tor to hide the mothership.

An NSA attack would be possible, but seriously, they would get 1 out of 100
targeted users. I don't think it's worth the effort and I think they're not so
stupid. Then again they are severely more stupid than what we used to think...
so everything is possible. My money is on the botnet theory though.

~~~
consonants
Stupid? Effectively intercepting telecommunications from not only within and
with the consent of the 'big players' networks, but also assuring they achieve
total surveillance through compromising undersea cables is quite the feat.
Storing data until they have the machine power to break encryption strikes me
as clever and prudent, not stupid.

Stupid is disparaging an entity that has engineered around entire industry and
international infrastructure to accomplish their goals.

But yeah, botnet sounds like it's right on the money. When does the NSA's Utah
data center go online?

~~~
lsc
>Stupid? Effectively intercepting telecommunications from not only within and
with the consent of the 'big players' networks, but also assuring they achieve
total surveillance through compromising undersea cables is quite the feat.
Storing data until they have the machine power to break encryption strikes me
as clever and prudent, not stupid.

The 'stupid' part is that any random contract sysadmin could pull huge amounts
of data without setting off any alarms. I mean, this isn't some tiny VPS
provider, where you might expect all the admins to have root. This is the
fucking NSA. They should have tight control and logging over who accesses
what, and if they have a master key, the folks with access to that master key
ought to be fully vetted employees, and there ought to be few of those people.

Sure, it's hard to design a system where your sysadmins don't have full
access, but not nearly as hard as everything else they've done.

This is what I find so shocking about the leak. We all knew that the
government was spying on us. The shocking part is that they don't have any
better security than I have when it comes to storing that data.

I mean, this is the leak we know of... how much do you want to bet that
someone else has already used this data for personal gain, without the public
or even the NSA finding out?

It's one thing to keep all my internet history, and use it for
investigations... it's quite another to keep all that data where any random
contractor can come in and fish through it without setting off alarms.

No matter what you think about the rightness or wrongness of the spying
itself, I think we can all agree that if they must collect data, they must
also secure that data, and this leak proves that they have not done so.

------
s_q_b
Relays haven't increased correspondingly, so it's not a straightforward
correlation attack.

Here's a list of hypotheses:

1. The recent Russian censorship crackdown.

2. Botnets using Tor to search for vulnerable systems and to hide the C&C
server.

3. US publicity following the recent NSA news events.

4. The Pirate Browser's use of Tor.

5. An OP (client) based vulnerability in the network.

If you have upstream collection on the backbones, then you might be able to
fingerprint hidden services with staggered connection floods (watermarking.)
Also, you may be able to do stream watermarking on the OP->Hidden Service
traffic through the Tor cell delay side channel. That seems very possible.

Edit: Another possibility just occurred to me. You could use the OP clients to
overload the relays you don't control, driving traffic to the attacker's
hostile relays.

Something in my gut says that's not right though... Mostly because this is so
very amateurish, with no slow ramp up of nodes, etc. Then again, the Freedom
Host takedown wasn't exactly a model of subtlety either.

Botnets have started to use Tor in a major way for C&C. Of all the above, (2)
seems most likely.

If someone really wants to find out, stand up a couple exit nodes on EC2 and
watch the exit traffic pcap. That might be a bit dodgy in light of ECPA, but
after all it's just metadata, right? ;)

~~~
praptak
> If someone really wants to find out, stand up a couple exit nodes on EC2 and
> watch the exit traffic pcap.

Ideally it would be someone who has had such set up from before the spike, so
that there is a baseline for computing the increase.

Also, an arbitrary set of exit nodes is obviously not guaranteed to capture
the spike. In fact there might be no spike at all in exit traffic (quote: _"So
while there are a bunch of new Tor clients running, it would seem they're not
doing much."_)

~~~
s_q_b
_So while there are a bunch of new Tor clients running, it would seem they're
not doing much._

Huh, didn't notice that. Should have seen it from the network bandwidth graph.
It's even more odd in some ways than the OP spike.

I've got a fairly good understanding of the mechanics of the Tor network
having studied it down to the packet level, modified the source for academic
experiments, etc. I can't think of any reason that would compromise anonymity
where it would help to have a whole bunch of mostly idle OPs idling on the
network.

Maybe a botnet C&C with low bandwidth staggered command orders, or maybe it's
infrastructure building for something that hasn't been activated yet. Or of
course the more mundane explanation that lots of people downloaded the clients
after the recent publicity, and don't really use the browser bundles.

------
zokier
Here is an article written one month ago aptly titled "The rise of TOR-based
botnets"

[http://www.welivesecurity.com/2013/07/24/the-rise-of-tor-based-botnets/](http://www.welivesecurity.com/2013/07/24/the-rise-of-tor-based-botnets/)

------
TrainedMonkey
I think most likely reason for this one is pretty obvious. If we do not hear
any social effect contributing to the explosion, such as China or India adding
massive numbers of people, then my money would be on somebody getting a
massive botnet on TOR.

------
blake8086
What are the odds it's a global passive adversary sending trackable traffic
through Tor to map out the network?

~~~
quasque
All the Tor relay nodes (except for bridges) are publicly listed in the
directory, how do you mean map out the network?

~~~
blake8086
Ok, I can't think of an attack that could be accomplished by controlling half
the traffic on the network. It doesn't mean there isn't one, but I can't think
of it. I think that was a bad guess on my part.

~~~
krenoten
Guard nodes make it so only a certain number of certain types of nodes are
visible to any client. By controlling a huge number of clients, you are able
to enumerate them much more easily.

[https://lists.torproject.org/pipermail/tor-dev/2011-October/002986.html](https://lists.torproject.org/pipermail/tor-dev/2011-October/002986.html)

------
mattkirman
The number of directly connecting users from Russia does appear to have
doubled [1], but this can also be seen in UK user numbers [2]. For such an
increase to be seen globally my hunch is that this is down to either the
Pirate Browser [3] or some other software release - not necessarily a response
to a particular law being passed, NSA leak etc.

[1] [https://metrics.torproject.org/direct-users.png?start=2013-05-31&events=off&end=2013-08-29&country=ru](https://metrics.torproject.org/direct-users.png?start=2013-05-31&events=off&end=2013-08-29&country=ru)

[2] [https://metrics.torproject.org/direct-users.png?start=2013-05-31&events=off&end=2013-08-29&country=gb](https://metrics.torproject.org/direct-users.png?start=2013-05-31&events=off&end=2013-08-29&country=gb)

[3] [http://piratebrowser.com/](http://piratebrowser.com/)

~~~
zorked
Interesting, similar jumps happened in every country I tried: Brazil, Vietnam,
US, Argentina, South Africa.

I can't imagine the Pirate Browser thing would be immediately so popular
across so many different cultures, even in countries without net censorship.

~~~
mattkirman
Maybe a botnet has started using Tor for connecting to a central command
server? Might help explain a doubling of nodes but minimal traffic increase.

------
justin_vanw
The number of bytes doubled, not users.

I will wager that some somewhat popular high-bandwidth application (bittorrent
client?) has integrated tor in some way, and they released the version with
that integration about a week ago.

~~~
andrewcooke
no, it's users. [https://metrics.torproject.org/users.html?graph=direct-users&start=2013-08-12&end=2013-08-27&country=all&events=off#direct-users](https://metrics.torproject.org/users.html?graph=direct-users&start=2013-08-12&end=2013-08-27&country=all&events=off#direct-users)

------
midnitewarrior
If a government entity had enough tor exit nodes and peers in place, might
they catch some traffic end-to-end, and therefore be able to track usage of
some people?

Any chance that is why usage has jumped?

~~~
gizmo686
I can't speak to the cause of the jump, but a single entity controlling a
large amount of the network is a known weakness in Tor. Essentially, Tor is
designed to be a low-latency system. This means that if someone controls both
the entry and exit node you use, they can correlate the timing of your
packets and de-anonymize you. Having internal nodes probably helps, as would
having ISP access.
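
The correlation gizmo686 describes above, and the stream-watermarking variant s_q_b raised earlier in the thread, come down to one operation: an observer who sees a flow at the entry side and a stream at the exit side lines up their packet timing and checks whether they are the same traffic. The script below is an added illustration, not code from the thread or from the Tor project. The traffic is constructed (bursty, web-like cell timestamps with a fixed latency and jitter applied on the exit side), and the bin width, lag range and match threshold are my own choices.

```python
"""End-to-end timing correlation between entry-side and exit-side flows (added example)."""
from __future__ import annotations
import random
from statistics import mean, pstdev

BIN_WIDTH = 1.0        # seconds per histogram bin (assumption)
WINDOW = 60.0          # seconds of observation (assumption)
MAX_LAG_BINS = 1       # the exit side may trail the entry side by up to one bin
MATCH_THRESHOLD = 0.5  # below this the best candidate is reported as "no match"

def bin_counts(timestamps, bin_width=BIN_WIDTH, window=WINDOW):
    """Turn a list of cell timestamps into a histogram of cells per time bin."""
    n = int(window / bin_width)
    counts = [0] * n
    for t in timestamps:
        i = int(t // bin_width)
        if 0 <= i < n:
            counts[i] += 1
    return counts

def pearson(xs, ys):
    """Population Pearson correlation of two equal-length count vectors."""
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)

def lagged_score(entry_vec, exit_vec, max_lag=MAX_LAG_BINS):
    """Best correlation over small lags: the observer does not know the path latency."""
    n = len(entry_vec)
    return max(pearson(entry_vec[:n - lag], exit_vec[lag:]) for lag in range(max_lag + 1))

def match_flows(entry_flows, exit_flows, threshold=MATCH_THRESHOLD):
    """For each entry-side flow, name the exit-side stream it most likely is (or None)."""
    exit_vecs = {name: bin_counts(times) for name, times in exit_flows.items()}
    result = {}
    for name, times in entry_flows.items():
        ev = bin_counts(times)
        scores = {k: lagged_score(ev, xv) for k, xv in exit_vecs.items()}
        best = max(scores, key=scores.get)
        result[name] = (best, scores[best]) if scores[best] >= threshold else (None, scores[best])
    return result

# --- constructed traffic for the demo; not captured Tor data ---
def make_flow(rng, duration=WINDOW, bursts=40, cells_per_burst=5):
    """A bursty client flow: bursts of cells at random moments, 20 ms apart inside a burst."""
    times = []
    for _ in range(bursts):
        t0 = rng.uniform(0.0, duration - 1.0)
        times.extend(t0 + 0.02 * i for i in range(cells_per_burst))
    return sorted(times)

def observe_at_exit(rng, entry_times, latency=0.15, jitter=0.03):
    """The same cells as seen at the exit: delayed by the path latency plus jitter."""
    return sorted(t + latency + rng.uniform(-jitter, jitter) for t in entry_times)

def build_scenario(seed=7):
    rng = random.Random(seed)
    entry = {f"client{i}": make_flow(rng) for i in range(4)}
    # we observe the exit side of clients 0..2; client3 uses an exit we cannot see
    exit_ = {f"stream_of_client{i}": observe_at_exit(rng, entry[f"client{i}"]) for i in range(3)}
    exit_["stream_unseen_at_entry"] = make_flow(rng)  # a stream whose guard is not ours
    return entry, exit_

if __name__ == "__main__":
    entry, exit_ = build_scenario()
    for client, (stream, score) in match_flows(entry, exit_).items():
        print(f"{client}: {stream or 'no match'} (r={score:.2f})")
```

Two things the run makes concrete. The three clients whose traffic is visible at both ends are matched with a correlation far above the threshold, while client3, whose exit hop the observer does not see, gets no match: the attack needs both ends (or an ISP/backbone vantage point that stands in for one of them). That is also why a flood of extra clients, on its own, gives an adversary nothing here; what matters is the share of guard and exit bandwidth, or of the links around them, that the observer can watch.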

~~~
intslack
Here's an overview of the scenario you are talking about:
[https://blog.torproject.org/blog/one-cell-enough](https://blog.torproject.org/blog/one-cell-enough)

Also, this news has nothing to do with a jump in relays.

Perhaps it's due to
[https://en.wikipedia.org/wiki/PirateBrowser](https://en.wikipedia.org/wiki/PirateBrowser)

------
prawojaz
I started to use the Tor browser bundle this week. Mainly because of the whole
NSA/Snowden thing. Plus Tor was in the news a lot from the Freedom Hosting
takedown, so I was reminded several times that I should test it out.

Maybe many others experienced the same? At least I have had enough. Obama is
tracing me no more!

~~~
rumdz
I second this. With everything going on in the news recently, I've increased
my VPN and Tor usage.

~~~
cLeEOGPw
I tried tor long time ago, but it was unusable for me due to extremely low
speed.

~~~
teddyh
I suggest you try it again. It's not nearly as slow now as it once was.

~~~
cLeEOGPw
Just tried it. Nothing has changed. Browsing with TOR is ~30 times slower than
normal browsing. It means it takes 2-3 seconds to load google.com, and
30s-1min to load my local news page, 15min.lt. I don't know who downvoted me
for stating this fact, but he either doesn't use TOR or the nodes are near his
physical location.

~~~
teddyh
_Occasionally_ you get a slow path. If this happens and you're in a hurry,
just press the "New Identity" button to get a new random path. It usually
works.

------
16s
A lot of people are moving their hacking attempts under tor. They want to
brute-force your ssh server, rdp, etc. but they don't want to go to prison.
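
For anyone who wants to check whether the brute-force attempts 16s mentions are in fact arriving over Tor, the script below is an added example (not from the thread and not a Tor project tool). It parses a list in the layout of the bulk exit list served at https://check.torproject.org/exit-addresses (the `ExitAddress` line format is taken from that list; the fingerprints and addresses here are invented, from documentation IP ranges), matches it against sshd "Failed password" lines, and tallies failures from Tor exits separately from the rest. Both inputs are constructed samples embedded inline.

```python
"""Tally failed SSH logins that arrive from Tor exit addresses (added example)."""
from __future__ import annotations
import re
from collections import Counter

# Constructed excerpt in the layout of the check.torproject.org bulk exit list.
# Fingerprints are placeholders; addresses are from RFC 5737 documentation ranges.
DEMO_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2013-08-27 01:00:00
LastStatus 2013-08-27 02:00:00
ExitAddress 198.51.100.7 2013-08-27 02:05:11
ExitNode 0000000000000000000000000000000000000002
Published 2013-08-27 01:10:00
LastStatus 2013-08-27 02:00:00
ExitAddress 203.0.113.9 2013-08-27 02:07:42
ExitAddress 203.0.113.10 2013-08-27 02:07:50
"""

# Constructed sshd lines in the usual syslog layout (not a real auth.log).
DEMO_AUTH_LOG = """\
Aug 27 03:14:07 bastion sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51422 ssh2
Aug 27 03:14:09 bastion sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 51422 ssh2
Aug 27 03:14:12 bastion sshd[4122]: Failed password for root from 198.51.100.7 port 51430 ssh2
Aug 27 03:15:01 bastion sshd[4130]: Failed password for alice from 192.0.2.50 port 40011 ssh2
Aug 27 03:15:04 bastion sshd[4130]: Failed password for alice from 192.0.2.50 port 40011 ssh2
Aug 27 03:15:30 bastion sshd[4133]: Accepted publickey for alice from 192.0.2.50 port 40012 ssh2
Aug 27 03:16:40 bastion sshd[4140]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_exit_list(text):
    """Collect every address named on an ExitAddress line; other lines are metadata."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            exits.add(parts[1])
    return exits

def failed_logins(lines):
    """Count failed password attempts per source address."""
    fails = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            fails[m.group(2)] += 1
    return fails

def classify(fails, exits):
    """Split the per-source counts into Tor-exit sources and everything else."""
    tor = {ip: n for ip, n in fails.items() if ip in exits}
    other = {ip: n for ip, n in fails.items() if ip not in exits}
    return {
        "tor_sources": tor,
        "other_sources": other,
        "tor_failures": sum(tor.values()),
        "other_failures": sum(other.values()),
    }

def report(exit_list_text=DEMO_EXIT_LIST, auth_log_text=DEMO_AUTH_LOG):
    return classify(failed_logins(auth_log_text.splitlines()), parse_exit_list(exit_list_text))

if __name__ == "__main__":
    r = report()
    print(f"{r['tor_failures']} failures from {len(r['tor_sources'])} Tor exits: {r['tor_sources']}")
    print(f"{r['other_failures']} failures from elsewhere: {r['other_sources']}")
```

The exit list churns constantly, so refresh it before each run rather than caching it for days. If the tally shows SSH guessing coming mostly from exits, blocking or rate-limiting exit addresses on the SSH port alone costs almost nothing; applying the same list to a public website would cut off the legitimate Tor users this thread is about, which is a different trade-off.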

~~~
CWuestefeld
Nothing new there. We've been dealing with bad guys coming through TOR nodes
for at least 1.5 years.

What annoys me more is the people using AWS to send us bad traffic.

~~~
tokenizerrr
Is there no reporting for AWS?

~~~
Karunamon
It's whack-a-mole, basically. Amazon has not been too keen on dealing with
abuse reports that I've seen, and even then, criminals setting up botnets and
exits on AWS are almost certainly using stolen identities.

~~~
IgorPartola
Doesn't Tor let you donate EC2 instances to them? Yes it does:
[https://cloud.torproject.org/](https://cloud.torproject.org/)

~~~
smartwater
Sure, for a bridge. Which isn't an entry or exit node.

------
fmax30
Botnet scraper. Or maybe a zero-day in tor that the NSA might have discovered
and is trying to exploit. 600K to 1.2 million is effectively double the
traffic. But what bothers me is that all of these are clients; if they were
relays then that would make sense. But the NSA has gotten more aggressive and
out-front after the leaks though.

edit: fixed typos

------
BWStearns
The linked paper describes an attack on Tor that relies on percentage of
network ownership to deanonymize communications.

I thought that this might be what is going on, but since the increase seems to
be clients and not new nodes I assume that this is not the case, however the
paper is kinda cool anyways.

[https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&c...](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CFYQFjAA&url=http%3A%2F%2Fwww.cs.uml.edu%2F~xinwenfu%2Fpaper%2FSPCC10_Fu.pdf&ei=aekfUtXYHcK3sATZiYHwAw&usg=AFQjCNEzs_xMvNaJJv-11R3n9d6CsDlGTg&sig2=AKJFddBDje408MaDEfgmCg&bvm=bv.51495398,d.cWc)

------
chanced
Could this be government bots setup to intercept traffic?

~~~
dublinben
Regular end users wouldn't be of any use in intercepting traffic. That's what
exit nodes are valuable for.

------
nilved
Whenever there's discussion of timing attacks on Tor, somebody always says
"that's impossible unless they were able to monitor a very significant amount
of all Tor traffic. Tor is safe."

Somehow, they don't realize that the NSA's upstream program is exactly that.
They've been intercepting any Internet traffic they can get their hands on all
the way back to 2003. Tor is not safe.

------
andrahtx
I've got a really poor internet connection (for free) with about 16kb/s
up/down, and it seems from my position that many of you are fastidious about
"tor is slow / slows down my internet usage". I cannot say that tor usage slows
anything for me. Maybe my connection speed does not satisfy any of your
internet claims?! (trapped in a loop, sorry, can't fix the problem..)

------
sengstrom
Not to promote botnets but it does benefit TOR to have more nodes operating...
Involuntary recruiting?

~~~
tedks
These are Tor (not TOR) clients, not relays.

------
peanut_merchant
Any (very small) chance we could be seeing something related to this :
[http://www.cs.uml.edu/~xinwenfu/paper/SPCC10_Fu.pdf](http://www.cs.uml.edu/~xinwenfu/paper/SPCC10_Fu.pdf)

------
andrewcooke
pirate browser - [http://piratebrowser.com/](http://piratebrowser.com/) - was
released on the 10th, and only uses tor when normal access doesn't work (so
would explain the low use).

BUT the increase wasn't until Aug 19 -
[https://metrics.torproject.org/users.html?graph=direct-users&start=2013-08-12&end=2013-08-27&country=all&events=off#direct-users](https://metrics.torproject.org/users.html?graph=direct-users&start=2013-08-12&end=2013-08-27&country=all&events=off#direct-users)

~~~
AdrianRossouw
and still, they run it on windows.

haven't these people learnt anything?

~~~
cjh_
The fact it only uses tor when 'normal access' isn't available means for the
majority of usage it isn't adding any privacy.

------
Sami_Lehtinen
Maybe it's the classic rule that to control a network, you'll need to control
at least 50% of it. So now we got (at least) double number of nodes.

------
GigabyteCoin
Did Firefox actually implement the default tor change? This may be the
reason, if plenty of testers are checking out the new nightly builds?

------
patmcguire
How has no one mentioned Syria yet? Not saying it's related, but the ramp-up
is the only event that fits the time frame.

~~~
awda
The only event _you know of_. I find the botnet idea much more probable, given
the increased usage across many countries.

~~~
marshray
It seems possible someone is revving up the engines on their botnet in
anticipation of some upcoming event.

But this is hardly the first time someone has noticed malware spreading
exponentially over the network. Correlation to current newsworthy events may
be completely accidental.

I do not believe in jumping to conclusions here. It could be location
reporting bias or malware attempting to not piss off (or implicate) certain
parts of IP space. But compare Greece
[https://metrics.torproject.org/users.html?graph=direct-users&start=2013-08-01&end=2013-08-31&country=gr&events=off#direct-users](https://metrics.torproject.org/users.html?graph=direct-users&start=2013-08-01&end=2013-08-31&country=gr&events=off#direct-users)
to Israel
[https://metrics.torproject.org/users.html?graph=direct-users&start=2013-08-01&end=2013-08-31&country=il&events=off#direct-users](https://metrics.torproject.org/users.html?graph=direct-users&start=2013-08-01&end=2013-08-31&country=il&events=off#direct-users)
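
Several people in this thread (cyphunk, mattkirman, zorked, marshray) are eyeballing one country graph at a time and noting that the only dimension the direct-users data offers is country. The script below is an added example (not from the thread, not a Tor Metrics tool) of doing that comparison for every country at once: for each country it takes the mean daily count before and after a chosen spike date and reports the ratio, then reports how many countries jumped, which is the quick test for "global cause" versus "one country's news". The input is a constructed table in an assumed three-column layout (`date,country,users`); the numbers are invented for the demonstration and are not the real Tor Metrics figures.

```python
"""Per-country before/after ratio over direct-user counts (added example)."""
from __future__ import annotations
import csv
import io
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

SPIKE_DATE = date(2013, 8, 19)  # the day the thread says the uptick started

# Constructed baselines and post-spike multipliers; made up for the demo.
_BASE = {"us": 90000, "ru": 40000, "gb": 30000, "br": 20000, "gr": 5000, "il": 4000}
_POST_FACTOR = {"us": 1.6, "ru": 2.0, "gb": 2.0, "br": 2.1, "gr": 2.0, "il": 1.0}

def constructed_csv(start=date(2013, 8, 12), days=16):
    """Emit a 'date,country,users' table covering 2013-08-12 .. 2013-08-27 (assumed layout)."""
    out = ["date,country,users"]
    for i in range(days):
        day = start + timedelta(days=i)
        wobble = 1.0 + 0.02 * (i % 3)  # small day-to-day variation so the ratio is not exact
        for cc, base in _BASE.items():
            factor = _POST_FACTOR[cc] if day >= SPIKE_DATE else 1.0
            out.append(f"{day.isoformat()},{cc},{round(base * factor * wobble)}")
    return "\n".join(out) + "\n"

def parse_rows(text):
    """Parse the table into (date, country, users) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append((date.fromisoformat(rec["date"]), rec["country"], int(rec["users"])))
    return rows

def country_ratios(rows, spike_date=SPIKE_DATE):
    """Mean daily users on/after spike_date divided by the mean before it, per country."""
    before, after = defaultdict(list), defaultdict(list)
    for day, cc, users in rows:
        (after if day >= spike_date else before)[cc].append(users)
    return {cc: mean(after[cc]) / mean(before[cc]) for cc in before if cc in after}

def spike_breadth(ratios, min_ratio=1.5):
    """Share of countries whose ratio meets min_ratio, plus the list of those countries."""
    hits = sorted(cc for cc, r in ratios.items() if r >= min_ratio)
    return len(hits) / len(ratios), hits

if __name__ == "__main__":
    ratios = country_ratios(parse_rows(constructed_csv()))
    share, hits = spike_breadth(ratios)
    for cc, r in sorted(ratios.items(), key=lambda kv: -kv[1]):
        print(f"{cc}: x{r:.2f}")
    print(f"{share:.0%} of countries jumped >= 1.5x: {hits}")
```

Run against the real per-country export instead of the constructed table, the same two numbers answer the question the thread keeps circling: a ratio near 2 in almost every country points at something that reaches clients everywhere (a widely installed piece of software, whatever it is), while a handful of outliers with a ratio near 1 are the places worth a closer look, as marshray suggests for the Greece/Israel comparison. The spike date and the 1.5x cut-off are parameters, not findings; move them and re-run.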

------
PallarelCoedr
Related to the launch of the Pirate Browser perhaps?

------
jijji
It's because no one trusts Google and people are moving to anonymous proxy
networks as a partial solution.

------
damaru
what about someone with all the keys they want using all these nodes to sniff
and de-crypt traffic?

~~~
tomku
These are user nodes, not relays. They see no traffic other than their own.

------
crann
The UDC...

------
benched
Forbes published that interview with the Silk Road operator on August 14.
Maybe a lot of people just learned how to buy drugs online.

[http://www.forbes.com/sites/andygreenberg/2013/08/14/meet-the-dread-pirate-roberts-the-man-behind-booming-black-market-drug-website-silk-road/](http://www.forbes.com/sites/andygreenberg/2013/08/14/meet-the-dread-pirate-roberts-the-man-behind-booming-black-market-drug-website-silk-road/)

------
AznHisoka
Someone is building the next Google!!!! And they're scraping everything, even
top secret documents!

