Security Company Attributes Tor Traffic Surge To Botnet

hypnosec writes "A cyber defense and IT security company has claimed that the reason behind recent surge in number of clients connecting to Tor is in fact a relatively unknown botnet and not NSA or genuine adoption of Tor. In late August there was a huge increase in Tor network traffic and number of clients connecting to the Tor network. As of this writing number of connections has quadrupled with over 2,500,000 clients connecting to the network. According to Fox-it, the surge in traffic is because of a botnet dubbed 'Mevade.A,' which is known to have Tor connectivity features. The company noted that the botnet may have links to a previously detected botnet dubbed 'Sefnit,' which also featured Tor connectivity. Fox-it claimed that they have found "references that the malware is internally known as SBC to its operators.""

I, for one, welcome our bot overlords

[stewsters]

The more peers and traffic, the better anonymity. If some of those peers are grandmas with 50 toolbars rather than paranoid crypto-nerds, we are better off.

Re:I, for one, welcome our bot overlords

Until your going through mostly peers that are controlled by one entity (botnet herder), which allows them to conduct various attacks against tor's anonymity, not to mention sniffing data from compromised exit nodes, increasing the public perception that tor is for "bad stuff", etc.

Botnets and Tor

[girlintraining]

Well, I have good news and bad news... the bad news is that this has been a long time coming, and now it's here. The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is. If all the botnet does is setup relays, it's a win for the Tor network. Of course, it isn't going to just do that, and these aren't authorized relays so it's not exactly occupying the moral high ground here. The machines hosting the bot need scrubbed.

But this also introduces a wrinkle -- the US government, and likely others, also maintain their own botnets. And they actively seek to shut down other people's botnets, through domain seizure, etc. This would seem to be a reaction to those efforts -- that is, by decentralizing and hiding the command and control, they're effectively adapting to the tactics our military is using on the internet.

I said a long time ago that the militarization of the internet would cause a lot of problems... and that we had no business developing an offensive cyber-military because it would just encourage others to begin an arms race that would lead to major economic and communications instabilities worldwide. It hasn't gotten that far yet, but it's building to that. Our own aggressive stance has created yet another fucking cold war.

Re:Botnets and Tor

[IamTheRealMike]

I believe you are making an incorrect assumption that these botnet nodes are actually relaying on behalf of the network. I've not seen any reason to believe this is correct. Rather than just act as normal clients of the Tor network - placing extreme load on existing relays.

In fact, this botnet appears to be basically breaking Tor with many node operators reporting that their relays cannot keep up. The Tor developers recently started developing code to prioritise the more efficient NTOR handshake over the older protocol, and because the botnet runs older code people who upgrade to the latest code (once they are finished) should take priority over the botnet traffic. Until the botnet also upgrades, of course.

To make it worse, when a circuit fails to build because of overloaded relays, Tor retries. I'm not sure there's any kind of exponential backoff. Thus the network goes into a death spiral in which clients constantly try to build circuits and fail, placing even more load on the already overloaded system and making it impossible to recover.

Unfortunately we may be looking at the end of Tor here, at least temporarily. The botnet operator doesn't seem to realise what's happening, otherwise they'd be backing off. Tor is effectively experiencing a massive, global, accidental denial of service attack by this botnet. Many relays don't have enough CPU power to weather the circuit storms. It will be very interesting to see what the Tor developers do next - they don't have any effective way to fight off this botnet because almost by design they can't detect or centrally control the network. They practically have to ask nicely for the operators to go away.

Re:Botnets and Tor

[bragr]

>The good news is that although the botnet itself is bad, the number of connections and extra clients improves Tor security overall for all the other users. The thing is, the more relays, the more connections, the larger the network... the faster and more secure it is.

That isn't what is happening here. The new connections are clients only so they aren't acting as relays or exit nodes. Tor network stats actually show a slight drop in performance. However, the increased number of clients does probably make correlation attacks harder, if the NSA or someone else is actually doing those.

Re:Botnets and Tor

[girlintraining]

If the NSA or someone else is actually doing those.

If? You don't "If" in security. You assume you're already compromised, that the attacker is well-financed and has total knowledge of the network, etc. And yes, the NSA "or someone" is most definately doing it. Just not to you. We know you browse for porn using Tor... and that you've visited the Silk Road just to see what the hubabub was about. Aaaaand... nobody cares.

Besides, the hidden service protocol has a massive glitch; namely that it's a limited keyspace and the database is decentralized and distributed. They know what all the hidden services are... and you can too if you're sufficiently motivated.

And most of them aren't anything of value.

Re:Yes but

What caused the spike? That's the worrying fact i think.

The summary is, as has been usual for some time, not entirely accurate. While the number of Tor users spiked, the actual traffic on the Tor network did not increase much at all.
This was specifically mentioned in the original article and discussed here previously.

This story is about a security company claiming the rise in users was a botnet which switched it's command-and-control traffic to Tor from open HTTP. Which is kind of smart in that it make it much harder to pick apart the botnet to take down the command servers, or hijack the botnet. But on the other hand it make it a LOT easier for researchers to estimate the size of the botnet. And in my mind, the more worrysome aspect is that some company or government might use this as an excuse to start blocking or taking other action against Tor traffic in general.