Tor, the anonymity and anti-censorship service, has come under two separate threats in recent weeks: the Russian government has blocked most of the Tor nodes in that country, and hundreds of malicious servers have been relaying traffic.
The Russian Federal Service for the Supervision of Communications, Information Technology and the Media, known as Roskomnadzor, started blocking Tor in the country on Tuesday. The move left Tor users in Russia (put by Tor Project leaders at about 300,000, or about 15 percent of all Tor users) struggling to find ways to view already blocked sites and to shield their browsing habits from government surveillance.
Tor Project managers said on Tuesday morning that some ISPs in Russia had started blocking Tor nodes on December 1 and that Roskomnadzor had threatened to block the main Tor site. A few hours later, the Russian government body made good on those threats.
“The reason was the dissemination of information on the site that guarantees the work of services that provide access to illegal content,” Roskomnadzor told the AFP news service on Wednesday to explain the decision. “Today, access to the resource has been restricted.” The censorship body has previously blocked access to many VPNs that operated in the country.
Tor managers have responded by creating a mirror site that is still accessible in Russia. They are also asking for volunteers to run Tor bridges, which are unlisted entry nodes that let people bypass censorship. Bridges use a pluggable transport known as obfs4, which disguises traffic so that it does not look like Tor. Until last month, there were about 900 such bridges.
Many default bridges within Russia no longer work, Tor said. “We call on everyone to rotate a Tor bridge!” the project leaders wrote. “If you’ve ever considered running a bridge, now is an excellent time to start, as your help is urgently needed.”
Meanwhile, on Tuesday, the security news site The Record reported findings from a security researcher and Tor node operator that a single anonymous entity had been running a large number of malicious Tor relays. At their peak, the relays numbered 900, as much as 10 percent of all nodes.
Tor anonymity works by routing traffic through three separate nodes. The first knows the user’s IP address, and the third knows where the traffic is going. The middle node acts as a kind of trusted intermediary so that nodes one and three never learn of each other. Running a large number of servers has the potential to break those anonymity guarantees, said Matt Green, an encryption and privacy expert at Johns Hopkins University.
“As long as those three nodes are not working together and sharing information, Tor can function normally,” he said. “This gets screwed up when you have a person pretending to be a bunch of nodes. Everybody [the attackers] has to be either on the first hop or on the third hop.” He said that when a single entity operates the first and third nodes, it is easy to infer the information that the middle node is supposed to obscure.
Such techniques are often referred to as Sybil attacks, named after the titular character of a 1970 television miniseries who suffered from dissociative identity disorder and had 16 different personalities. A Sybil attack is a spoofing technique in which a single entity poses as many nodes by claiming false identities or generating new ones.
Citing a researcher known as Nusenu, The Record said that at any given time there was a 16 percent chance that a user would enter the Tor network through one of the malicious servers. There was also a 35 percent chance of passing through one of the malicious middle servers and a 5 percent chance of exiting through one of them.
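To make the arithmetic behind these figures concrete, here is an added example (not part of the original article, and not Tor Project code): a small Python model of Tor's three-hop circuit selection. It assumes a constructed relay directory with the proportions above (16 percent of guards, 35 percent of middle relays and 5 percent of exits run by one hidden operator), applies the client-side rule that no two relays from the same declared family or the same /16 may share a circuit, and estimates how often one operator ends up holding both the first and the third hop. Running the same model with the operator honestly declaring MyFamily shows why that rule exists and why an operator who leaves it undeclared sidesteps it.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of Tor circuit selection (added example, not Tor Project code).
# Relay roles are simplified to one role each; real relays can be guard and exit at once.

@dataclass(frozen=True)
class Relay:
    nick: str
    operator: str            # who really runs the relay (hidden from clients)
    family: Optional[str]    # the MyFamily the relay declares; None = undeclared
    subnet16: str            # first two octets of its address, e.g. "10.7"
    role: str                # "guard", "middle" or "exit"

# Second-octet bases so every constructed relay lands in its own /16.
_OCTET = {"guard": (10, 20), "middle": (11, 21), "exit": (12, 22)}

def make_relays(honest: int, sybil: int, role: str,
                sybil_declares_family: bool) -> List[Relay]:
    """Constructed directory slice: `honest` single-relay operators plus `sybil`
    relays run by one hidden operator, each in a different /16 so the
    subnet rule alone cannot keep them apart."""
    h_octet, s_octet = _OCTET[role]
    relays = [Relay(f"{role}-h{i}", f"op-{role}-{i}", f"op-{role}-{i}",
                    f"{h_octet}.{i}", role) for i in range(honest)]
    relays += [Relay(f"{role}-s{i}", "sybil",
                     "sybil" if sybil_declares_family else None,
                     f"{s_octet}.{i}", role) for i in range(sybil)]
    return relays

def compatible(a: Relay, b: Relay) -> bool:
    """Simplified client-side path rule: never place two relays from the same
    declared family or the same /16 in one circuit."""
    if a.subnet16 == b.subnet16:
        return False
    if a.family is not None and a.family == b.family:
        return False
    return True

def build_circuit(relays: List[Relay], rng: random.Random) -> Tuple[Relay, Relay, Relay]:
    """Pick guard, exit, then middle, uniformly among relays the rule allows."""
    guard = rng.choice([r for r in relays if r.role == "guard"])
    exit_ = rng.choice([r for r in relays
                        if r.role == "exit" and compatible(guard, r)])
    middle = rng.choice([r for r in relays if r.role == "middle"
                         and compatible(guard, r) and compatible(exit_, r)])
    return guard, middle, exit_

def exposed(circuit: Tuple[Relay, Relay, Relay]) -> bool:
    """True when one operator holds hop 1 (sees the client) and hop 3 (sees the destination)."""
    guard, _, exit_ = circuit
    return guard.operator == exit_.operator

def exposure_rate(relays: List[Relay], trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of the fraction of circuits with both ends under one operator."""
    rng = random.Random(seed)
    hits = sum(exposed(build_circuit(relays, rng)) for _ in range(trials))
    return hits / trials

def analytic_exposure(p_guard: float, p_exit: float) -> float:
    """With independent hop choices, P(both ends malicious) = P(bad guard) * P(bad exit)."""
    return p_guard * p_exit

def scenario(sybil_declares_family: bool) -> List[Relay]:
    """100 relays per role with the article's proportions: 16% of guards,
    35% of middles and 5% of exits belong to the hidden operator."""
    return (make_relays(84, 16, "guard", sybil_declares_family)
            + make_relays(65, 35, "middle", sybil_declares_family)
            + make_relays(95, 5, "exit", sybil_declares_family))

if __name__ == "__main__":
    print(f"analytic:           {analytic_exposure(0.16, 0.05):.4f}")
    print(f"undeclared family:  {exposure_rate(scenario(False), 20000):.4f}")
    print(f"declared MyFamily:  {exposure_rate(scenario(True), 20000):.4f}")
```

With the article's figures the closed form gives 0.16 × 0.05 = 0.008, so roughly one circuit in 125 has both ends under the hidden operator, and the simulation with an undeclared family converges on that value. When the same relays declare a common MyFamily, the client never pairs them and the rate drops to zero, which is exactly the guarantee that a Sybil operator defeats by withholding the declaration. The model ignores bandwidth weighting and the fact that real clients pin a guard for months, both of which change the absolute numbers but not the mechanism.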
“A very governmental thing to do”
Nusenu said the malicious relays date back to 2017 and that over the years the person responsible has regularly added large numbers of them. Typically the unknown operator has run servers numbering in the hundreds at any one time. The servers are usually housed in data centers around the world and are mostly configured as middle and entry relays.
The Tor Project leaders told The Record that Tor removed the nodes as soon as it found out about them.
The researcher said that a variety of factors suggest that the nodes are the work of a well-resourced attacker backed by a nation-state. Green agreed, saying the most likely culprits would be China or Russia.
“It sounds like a very governmental thing,” Green said. China and Russia “would have no qualms about actively meddling with Tor.”
Tor users can do several things to minimize the damage from rogue nodes. The first is to use TLS-based encryption when sending email and browsing websites. Browsing anonymous sites within Tor’s hidden services network (also known as the Dark Web) is not affected by the threat, unlike using Tor to reach ordinary sites and servers on the open Internet. Unfortunately, that is not usually an option for people who want to reach sites that have been blocked by censors.