Slashdot Mirror


Unprecedented Spike In TOR .Onion Nodes (profwoodward.org)

Martin S. writes: The Tor project is reporting an unprecedented rise in unique .Onion nodes, rising from around 40k to 60k in just a few days, says security researcher Professor Woodward. I wonder is this could possible be related to Shari Steel plan to push Tor mainstream, as reported on /. a few days ago.

57 comments

  1. Duh by Anonymous Coward · · Score: 5, Insightful

    More FBI nodes to more easily de-anonymize the network.

    1. Re:Duh by Trailer Trash · · Score: 2

      "More FBI nodes to more easily de-anonymize the network."

      My first thought. That's half as many added in a few days - something's fishy.

    2. Re:Duh by gweihir · · Score: 1

      Standard paranoia and standard cluelessness: .onion-nodes do not help for that at all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Duh by Anonymous Coward · · Score: 0

      The United States government can see something like 85% of the world's traffic.
      As I understand it, if one can see traffic going into and coming out of TOR, it's possible to correlate them to a high degree of certainty. And if someone controls a high enough percentage of .onion nodes that correlation becomes a near certainty.
      Or am I missing something?

    4. Re:Duh by Anonymous Coward · · Score: 0

      You're right about how that works, but we're talking about different things.

      The .Onion nodes are endpoints, they are the web-hosts that only serve up pages on the TOR network. They aren't (likely) routing other network traffic as well. Unless there is a reason for someone to go to the attacker's page they'll never actually hit these devices.

  2. Lizard Squad by Anonymous Coward · · Score: 0

    It's probably Lizard Squad again. This is their MO.

    1. Re: Lizard Squad by Anonymous Coward · · Score: 0

      They're truly the squad of death. They want us to die. To die.

    2. Re: Lizard Squad by Anonymous Coward · · Score: 0

      I thought it was Republicans. What did I miss?

    3. Re: Lizard Squad by Anonymous Coward · · Score: 0

      Nah the republicans don't be like that anymore. Now it's fish people, errr I mean terrorist.

  3. Smells like Government plan to me... by Anonymous Coward · · Score: 0

    Control enough entry and exit points, you stand a good chance of capturing enough traffic to de-anonymize the TOR user.

    Of course, I have no clue what I'm talking about so feel free to tell me why I'm wrong.

    Cheers

    1. Re:Smells like Government plan to me... by KGIII · · Score: 3, Interesting

      That's how I understand it but I too am not an expert. I also understand that it's most important when you leave the .onion domains and enter the "clearnet." (When using it as a proxy, for example.) I guess if someone can see enough of the internet at one time then they can also use traffic shaping and timing to single out a user. So long as you remain on the .onion networks you are reasonably safe - some say completely safe.

      Now, safe means that you are safe technically. It does not mean you're safe otherwise. You still need to avoid identifying browser characteristics/fingerprints. You need to not leak personal information of any kind and that includes keeping scripting off (or very selective and with great attention to care) and not installing extensions that single you out or may leak the data to a third party. Assuming one is attentive enough to practice safe-hex, they're reasonably secure - with a high level of certainty.

      As always, safety needs to be weighed against your goals and the risks you're willing to take to reach them. Security is a process, not an application and nothing is completely secure.

      --
      "So long and thanks for all the fish."
    2. Re:Smells like Government plan to me... by Anonymous Coward · · Score: 0

      "with a high level of certainty." - Bullshit.

    3. Re:Smells like Government plan to me... by Anonymous Coward · · Score: 0

      "You need to not leak personal information of any kind"

      That is true, but the problem is these days that is effectively impossible for most people to accomplish. It's technically possible, sure, but even difficult for people who put some effort into the matter. The number of techniques used to de-anonymize traffic (browser fingerprinting, canvas fingerprints, etc) grows by leaps and bounds all the time, and the chance you've kept up with and have countermeasures for all of it is small.

    4. Re:Smells like Government plan to me... by gweihir · · Score: 3, Informative

      These are hidden servers, not entry- or exit-points.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Smells like Government plan to me... by KGIII · · Score: 2

      Damn that Slashdot formatting. It appears to have removed your citation. Think you could post it again?

      --
      "So long and thanks for all the fish."
    6. Re:Smells like Government plan to me... by Anonymous Coward · · Score: 0

      Exactomundo.

      "Safe Hex" intentions seem to lose priority in the heat of the moment, and you haven't gotten any in a while.

    7. Re:Smells like Government plan to me... by siriuskase · · Score: 1

      They aren't hidden from whoever controls them.

      --
      If you must moderate, please moderate as irrelevant, not something bad, because I'm sure someone will find this interest
    8. Re:Smells like Government plan to me... by gweihir · · Score: 1

      You misunderstand. "Hidden Server" is a technical term for a specific configuration of a TOR-server, as is "exit node" and "entry node". These are three different classes of TOR network elements and they do not overlap.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re: Smells like Government plan to me... by Anonymous Coward · · Score: 0

      Hence the Tor browser bundle, which is constantly updated with countermeasures and defenses. Using your regular browser over Tor is very challenging to do right. Using the Tor browser bundle solves more or less everything except users deanonymising themselves.

  4. Oops. by Anonymous Coward · · Score: 0

    I didn't realize my botnet of compromised tor nodes would be noticed this quickly.

  5. Dissident in the land of the free. by Anonymous Coward · · Score: 0

    Maybe people are wising up to the fact they are under attack from their government?

  6. Sites, not nodes by Anonymous Coward · · Score: 5, Informative

    The number of hidden services (.onion sites) has increased, not the number of exit or relay nodes.

    Personally, I don't see 20k more hidden services as a big number: I'm surprised there are so few total (60k). Tor hidden services are a great way to run a server with a dynamic IP address and solve NAT and firewall issues all at once for free when trying to run a personal server. It also solves several other problems people generally care less about (hides your IP to prevent traffic DDOS attacks, and protects your identity), provides an easy mechanism to have multiple servers serving the same address for redundancy, provides end to end encryption (if the client is also using tor) and makes your service more accessible to clients using TOR (they don't have to go through an exit node).

    Tor hidden services are great for low-bandwidth latency tolerant random services you might want to serve off your laptop or phone from time to time. I found it easier to set up most alternatives for solving any one of these issues: I set up a tor hidden service on the first try with no issues. It was easier than getting my dynamic DNS working, and also easier than forwarding a port through my router. (You can host a tor hidden service without port forwarding since all the connections the server makes are actually outward to the proxy nodes).

    Really I think the only big issue with them is the latency, and lack of IPv6 support. On that note, I recently had an IPv4 outage for a while and it was interesting to see what worked on IPv6 only.

    1. Re:Sites, not nodes by Anonymous Coward · · Score: 4, Interesting

      How does the Tor swarm work anyway when most people don't have open ports for listening? Btw I'm posting this from Tor, kudos to Slashdot for allowing it when most sites are a PITA to use from Tor.

    2. Re:Sites, not nodes by Anonymous Coward · · Score: 0

      Not every joe can just run a webserver via Tor and call it a day. You need to make triple checks on all your configuration to make sure you're not going to leak an IP address anywhere. Best run in a VM that bridges directly to Tor.

      Again, assuming you really want to hide your IP address.

    3. Re:Sites, not nodes by Anonymous Coward · · Score: 1

      Hmm, I think Retroshare is even better for a personal server. Retroshare will even reconnect to mobile computers.

    4. Re:Sites, not nodes by Anonymous Coward · · Score: 0

      Wow. slashdot definitely did not work through Tor about a month ago when I tried.

    5. Re:Sites, not nodes by Anonymous Coward · · Score: 2, Informative

      As with any TCP/IP connection, only one side of each connection needs to be listening. In the case of TOR, the user doesn't need any open ports, only the relays need to have open ports. The major misunderstanding I've seen of TOR (especially recently) is that it isn't a "swarm" in the sense that not every user is a relay and even less are exits, you have to specifically enable those settings.

    6. Re:Sites, not nodes by Anonymous Coward · · Score: 2, Funny

      Unfortunately they'll have to turn it off again if APK ever figures out how to use Tor.

  7. BBC also reporting this now by Martin S. · · Score: 2
  8. Encryption trojans by Anonymous Coward · · Score: 5, Interesting

    There's a recent spike in encryption trojans, too. The recovery-keys are provided through TOR.
    e.g.
    http://1.f.ix.de/scale/geometry/695/q75/imgs/18/1/7/5/3/8/0/5/locky-desktop-9dc10fc8250d6db0.png

    Looks like it's generating specific servers to get the keys from for every victim.

    1. Re:Encryption trojans by Anonymous Coward · · Score: 3, Interesting

      Yes, I have seen this trojan twice last week, in different companies, sure that the increase of Tor's nodes comes from that.

    2. Re: Encryption trojans by Anonymous Coward · · Score: 1

      Yes, Dr. Woodward did mention the Locky ransomware in his blog post. He also mentioned on Twitter that these new onions also seem to have started shutting down shortly after the media buzz revealed it. Funny that...

    3. Re:Encryption trojans by slashmydots · · Score: 1

      That is definitely what I would attribute the spike to. Who else would have the motivation to basically suddenly open 20,000 new websites as hidden services? Ransomware writers! And they all have the motivation and resources.

  9. "is this could possible be related" ? by Anonymous Coward · · Score: 0

    Hell, is that encrypted or something? Please, please, a little more attention to the headlines

  10. Meanwhile, IBM announced . . . by PolygamousRanchKid · · Score: 4, Funny

    . . . that they sold and delivered a 20K server to the NSA . . .

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  11. Potentially caused by IM application by WoOS · · Score: 5, Informative

    According to TFA (yes, I know, I am not supposed to read it) this could be caused by the anonymous messaging application Ricochet which apparently creates a hidden service for each user.
    Would have expected that that information was mentioned in the summary.

    1. Re:Potentially caused by IM application by Anonymous Coward · · Score: 0

      Torchat did that too, but I guess Ricochet is more popular

    2. Re:Potentially caused by IM application by stevegee58 · · Score: 1

      What's TFA?

  12. Aliens? by Anonymous Coward · · Score: 0

    Space or illegals. Would space aliens be illegal? Undocumented? How would TRUMP 2016 handle that? I know, build a space wall, of course, but how to make somebody else pay for it, that is the only real question. Do you hear that aliens?

    1. Re: Aliens? by Anonymous Coward · · Score: 0

      The andromedans take our interstellar gas, they have smart leaders. We must build a space wall, and andromeda is gonna pay for it.

    2. Re: Aliens? by Anonymous Coward · · Score: 0

      Watch out for the Orion collective, they're rapists.

  13. Sceptical old me by liqu1d · · Score: 3, Interesting

    This reads more of an ad for Ricochet than anything substantial.

    1. Re:Sceptical old me by Anonymous Coward · · Score: 0

      Retroshare is more advanced than Ricochet.

  14. ricochet im by Anonymous Coward · · Score: 0

    ricochet.im is responsible.

  15. Meet the new editors. Same as the old editors. by Anonymous Coward · · Score: 0

    "I wonder is this could possible be related"

    Good to see whipslash is maintaining Slashdot's proud and longstanding tradition of editorial illiteracy.

    1. Re:Meet the new editors. Same as the old editors. by fisted · · Score: 1

      A /. summary with no typos would probably violate some fundamental property of the universe, so that cannot happen, or if it did, the consequences would be dire. Deal with it.

  16. Kill Tor users, easiest solution ever by Anonymous Coward · · Score: 0

    That's because somehow cyber criminals broke Windows 10 and started doing one of the following: or This shit network now is running in a new version of .Net framework, or they managed to install the previous versions on many computers. The number of needed nodes to make something big has fallen.

    Ah, please don't try to undo what I spent all night fixing. And when I say fixing I mean getting rid of this unscrupulous fucking ugly stalker.

  17. Isolating Tor for privacy by Burz · · Score: 1

    https://www.whonix.org/wiki/Ab...

    This is probably the safest way to use Tor.

  18. Risk of too many services? by Anonymous Coward · · Score: 0

    Is there a risk to having too many hidden services? My understanding is that the address and key needed to unlock the data are related, so if there are more hidden services, then the chances of a collision or key harvesting is dramatically increased. Plus, there is no way of "owning" an .onion address, so could there be two of the same one at the same time?

    Makes me wonder if they need to increase the address space or do something to fix those problems.

  19. Big brother by AndyKron · · Score: 1

    Government spying nodes.

  20. Re:"I wonder is this could possible be related to" by fisted · · Score: 1

    Only if the community is also allowed to wiki-edit AC comments.

  21. It's bittorrent by Anonymous Coward · · Score: 0

    Lol.
    Onions, I2Ps, onioncat, Phantom, and IPv6 are PRECISELY what people are using to share all their media over bittorrent with complete ANONYMITY and thus total IMPUNITY.
    Trusting VPN's to not log or be ordered to rat you out is completely ass retarded foolish.

    You NEED to use these anonymous overlay networks to protect yourself.
    You get all your data encrypted in transit to your peers so no one else can see it, and you get total inability for any peer to know your real address.

    You can rip and share CD's, DVD's, Games, BluRay all you want with nobody able to stop or say shit or sue you.
    24 hours a day, 7 days a week, 52 weeks a year.

    A true filesharing haven finally exists :)

  22. Read the Tor mailing lists please by Anonymous Coward · · Score: 0

    Some people have been testing nodes and creating hundreds of them at a time. I don't recall why they were doing this, but it could be others are doing the same thing.

    I wouldn't trust most .onion services anyway. If you're not up to date with The TBB and/or Tails, and/or you don't harden your Tor setup by disabling javascript and other methods, you just might get owned and may not notice it.

    99% of the .onion sites I've visited appeared to be honeypots. Once you've learned the warning signs to look for, it all becomes clear.

    1. Re:Read the Tor mailing lists please by Anonymous Coward · · Score: 0

      "Some people have been testing nodes and creating hundreds of them at a time. I don't recall why they were doing this, but it could be others are doing the same thing.

      "I wouldn't trust most .onion services anyway. If you're not up to date with The TBB and/or Tails, and/or you don't harden your Tor setup by disabling javascript and other methods, you just might get owned and may not notice it.

      "99% of the .onion sites I've visited appeared to be honeypots. Once you've learned the warning signs to look for, it all becomes clear."

      What are the warning signs?

  23. eyes watering by ryanmc1 · · Score: 0

    "I wonder is this could possible be related to Shari Steel ..."

    The grammar in this sentence made my eyes water.