Hacker News new | past | comments | ask | show | jobs | submit login
TorFlow (uncharted.software)
261 points by bemmu on Jan 20, 2016 | hide | past | web | favorite | 71 comments

Very classy visualization! Have a look at the code that determines the visual flow of data between relays: https://github.com/unchartedsoftware/torflow/blob/master/pub...

I think it doesn't exactly reflect how paths are chosen based on relay bandwidth scores, if we compare to the actual path selection algorithm: http://tor.stackexchange.com/a/114

I might be missing something, but it seems that relay same-family and same-/16-subnet exclusions are ignored. This might bias the visualization to increase the apparent traffic between popular nodes, while in reality, the traffic should be slightly more evened out with less popular nodes. Hard to tell if this effect makes any visible difference without analyzing the data, though. Either way, because of the way the code is structured, it shouldn't be too hard to fix: just simulate full paths instead of single connections between nodes.

Thanks for this! I opened an issue for it.


Clear proof TOR is used by the evil one, and that cryptography should be banned: http://i.imgur.com/NXT0OOJ.png

Brightest spots in capitals are probably caused by IP geolocation. Whois for many IPs returns main ISP HQ address which usually is based in the capital city. Also, geolocation tools will return capital city if no specific information other than country is available.

I think they could improve they ip2address tool, because I would expect some bright spot at hetzner datacenter and it's not there (while whois for IPs of my servers there returns proper location of the datacenter).

Nevertheless, awesome visualization.

It's a pentagram, don't you see?

Still can't see it. This feels like one of those magic eyes where I'm the only one that can't see it....

It's an upright one (not inverted), so it represents virtue/protection/etc.

Was just making a joke but thanks for your comment :). The joke was that it looks like a pentagram - but clearly it's just because the big European capitals are formed in that way. That just means Evil has been corrupting the elite of Europe since before Tor...

No idea how good the data is, I assume it's good, but in my mind this is impressive just on the visual representation of it alone. What a fantastically beautiful display of information, the UI is great all around!

One suggestion for the UI: when you click a + on an option, the minus should be at the bottom of the expanded option, so that you don't have to move the mouse to close the expansion.

A disproportionate amount of traffic seems to be passing through Monrovia, Liberia compared to the rest of African continent and even more developed places like Australia. Can anybody shed some light on this ?

That traffic is from IPredator's relay, which is currently the top exit node by consensus (https://globe.torproject.org/#/top10).

There are less than 50 relays in Australia and none of them come close to IPredator. Every AU relay combined has a middle probability of 0.0246% and an exit probability of 0.0060%.

IPredator alone has an exit probability of 2.1961%.

(You can see these stats with Tor Compass: https://compass.torproject.org/)

IPredator is a Swedish VPN service that appeared when the "Ipred" law was passed in Sweden, a law that was passed to allow rights holders to find and prosecute people who torrent stuff. So most likely, it's used for piracy.

Although the people running the relay may be associated with piracy, that doesn't mean this exit node is any different than any other Tor exit node. Traffic on the Tor network is doesn't distinguish by "pirated" content or not. They're simply a company with privacy conscious employees who are probably using their high-bandwidth relay as a form of advertisement.

I also noticed a weird conglomeration somewhere in Kansas near Witchita. Someone's pet project?

Same curiosity here...114 relays...G-Earth shows a house with several outbuildings surrounded by farmland...

Must be just the geographical center of the USA. Probably it just puts all the relays which don't have further geolocation than the USA, there. It doesn't do the same for Russia, though...

Interesting...would be nice to hear from the dev on that...

I'm wondering the same thing, would be interesting to hear if there is some reason behind this.

Does anyone find it surprising that Europe seems to have comparatively more nodes/traffic flow than the US?

There are huge amount of peered ISP that offer cheap servers.

OVH and Free Telecom probably host a huge amount of Tor traffic in FR. Easily do 300 Mbps 24x7 for sub-$15/m dedicated server.

OVH also has subsidiaries in other EU countries that will geolocate back to those countries (hosted in FR physically).

Do you have a link for the service that could do 300mbps for this price? I'd like to setup a server if that's the case.

free.fr - https://www.scaleway.com/pricing/ (these are hardware, not VMs)

ovh - https://www.kimsufi.com/us/en/index.xml

200mbps UNMETERED. That is awesome. Does anyone have experience running a Tor node on free.fr?

I run some Tor relays on Scaleway, currently handling close to 100Mbps for some 3.60€/month after tax.

Although my uptime isn't exactly spotless, I think I'm getting just what I paid for, and I'd gladly recommend them (if and when they start accepting new customers again).

There is also online.net[1] who are relatively cheap.

[1] https://www.online.net/en/dedicated-server/dedibox-scg2

I use online heavily, forgot about that.

Here's a link to bookmark; https://console.online.net/en/order/server_limited

Occasionally there will be deals like 2xSSD HWraid 8-16 core 32GB/64GB ram for <$50/m there (if it's blank there are no promos).

I've been using a Dedibox XC SSD for the past six months. Can't beat the value for the, uh, Euro.

Scaleway unfortunately doesn't accept new signups right now :-/

The US population is more than 2 times smaller than the European one, so it makes completly sense to me.

You mean less than half of Europe?

Yes: US - about 300 million Europe - about 740 million

I think he was nitpicking your grammar, not your facts

In general, Internet in Europe is much more censored than in the US.

Interesting theory, I'd have assumed it's a combination of cheaper bandwidth, better peering arrangements and a population almost twice the size of the US.

Population twice the size in a fraction of the area. Good for low latency connections -- countering one of the downsides of tor.

Flow looks like transatlantic connection with epicenter in Europe

there's an interesting link in London between two points. http://imgur.com/LmvpcxL

the two points being Westminster and the City...

There is also a similar link in Amsterdam: https://f.zdev.com/dl/cxofxm.png

The same thing can be found in Paris, too.

Whats the nexus in Germany north of Frankfurt? (My guess is, that it is Hetzner, but can anybody comment?)

I don't think there's a data center there, it's probably just where all nodes in Germany end up which don't have more accurate geolocation.

Here's the summary: IP Geolocation is at best inaccurate.

Addendum: Not actual traffic flows but simulated with an undescribed model.

How was this data collected? Doesn't this require all the relay operators sharing their connection data?

No, this information is publicly available when your Node joins the Tor network. All nodes (except for a limited set of entry-nodes) are publicly listed as being a part of the Tor network. Their IP addresses are used to approximate their location based on where the IP address is registered.

but how is the flow of traffic between the nodes measured?

Because the nodes in a path are determined randomly, with weighting based on publicly available scores, you can simply estimate the amount of traffic between any two given nodes. Here's a summary of how routes are chosen:


And here's the code that does the traffic estimation based on node bandwidth scores (edit: hmm, seems that code might be slightly inaccurate, added a top level comment to point this out...):


What's going on in Kansas?

Kansas has some big data centers in it (there's a reason google fiber launched there). Lots of dedicated server and colocation providers are located in Kansas City. In order for these providers to receive IP addresses from ARIN, they must register with ARIN as an "autonomous system" (AS). One of the items on the form they must complete is the geolocation of the IP address block they are being assigned. That geolocation is often the location of the provider company, not necessarily the location of the server(s) the IP(s) point to.

Server providers register as autonomous systems, and purchase IP space in large blocks. They often have servers at multiple data centers, with VLAN routing configured to switch packets at the ingress IP to whichever server that IP is assigned to. When a client rents a server from a provider, the provider assigns the client some number of IP addresses from its available pool. Many times, the provider does not actually SWIP (officially delegate via ARIN) these IP addresses to the client, so the registration with ARIN will not reflect the owner of the server an IP currently points to.

tl;dr When a packet goes to an IP belonging to an AS registered with a certain geolocation, the AS can switch that packet to wherever it wants.

sprint headquarters

Sprint is in KC. It didn't look like KC. More like Wichita.

Geolocating IP addresses is very flawed and making maps from such data is bad science.

While the other commenters may be correct and seem to know more about this than I, almost every time I've seen stuff geolocate to "Kansas" it's geolocating to the United States, with no further level of detail available. The mapping software finds the geographic center of the United States (which is somewhere in Kansas) and puts it there

anyone else think it is curious that there is hardly any Tor traffic in/out of Seattle? You would think with the high density of tech-types, and proximity to pacific links, that there would at least be something?

If anyone else is seeing a page with just a map (and nothing moving), you probably have webgl disabled

what's happening just north of charleston, south carolina? google earth shows what seems like a cleared foundation in the middle of undeveloped land.

Unnamed Rd, Charleston, SC 29492, USA 32.912336, -79.862333


I see connections coming out of north korea....

I'm surprised by how dark Australia is. I at least expected the coastal cities to be lit up.

I suspect this is partly due to how notoriously overpriced and under-performing Australian internet access is.

I'm wondering if this might because Australia has less traffic per node, so most of the Australian nodes aren't reaching the display threshold (top 500 or whatever nodes).

This is traffic between relays, not Tor users.

I don't trust Tor because of exit nodes.

Then you're missing half of the point of Tor, the other half being hidden services which don't require an exit node at all.

Can you elaborate?

Traffic sent over TOR is unencrypted. Use a VPN or SSH tunnel of some kind and you've got location obscured and traffic encrypted. Boo-yah. Slow as shit though.

No, traffic sent through tor is encrypted all the way to the exit node. From there, it's in the clear (how else would the data get to its destination on the open internet?)

VPNs are exactly the same. They're encrypted to your provider and cleartext from there. Except the VPN provider knows exactly who you are because they see the IP you're connecting to, in addition to the content. A tor exit node only sees the content, but does not know the source.

No matter how you're connecting, you need to ensure you are running encrypted protocols (SSH, https, ...) to protect against whoever relays your traffic. Tor, VPNs etc do not change this.

The traffic is only unencrypted if the destination traffic would normally be unencrypted. That means that an exit node can't MITM what would already normally be an HTTPS connection. It's a small nitpick grammatically, but the distinction is an important one.

Edit: Another potential concern that I hadn't thought of might be pavki's concern for traffic correlation attacks, but that's entirely speculation on my part since they haven't provided any clarification to their original comment.

If you use encryption you don't need to.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact