Tor Surge Likely Due to BotNet
by Karl Bode 08:38AM Friday Sep 06 2013
As recently noted, the anonymizing Tor network saw an unprecedented spike in traffic in August: a 100% surge over the month to 1,200,000 users, the highest usage on record for the project. Speculation about the cause ranged from botnets to the Pirate Bay's new filter-skirting browser (which uses Tor). After some analysis, security firms such as Fox-IT concluded that the culprit was most likely a botnet:
quote:
In recent days, we have indeed found evidence which suggests that a specific and rather unknown botnet is responsible for the majority of the sudden uptick in Tor users. A recent detection name that has been used in relation to this botnet is “Mevade.A”, but older references suggest the name “Sefnit”, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators.
The sudden surge comes immediately on the heels of suspicions that the FBI has been using malware to attack the network. The botnet conclusion seems to be backed up by a blog post over at the Tor Project:
quote:
The fact is, with a growth curve like this one, there's basically no way that there's a new human behind each of these new Tor clients. These Tor clients got bundled into some new software which got installed onto millions of computers pretty much overnight. Since no large software or operating system vendors have come forward to tell us they just bundled Tor with all their users, that leaves me with one conclusion: somebody out there infected millions of computers and as part of their plan they installed Tor clients on them.
Tor Project leader "Arma" goes on to note that the load could swamp the network, with Tor relays dropping half the requests they receive and failures cascading across the network. The post closes by hoping that the botnet operators, who the project believes are using Tor to experiment with masking botnet communications, will quickly realize that Tor doesn't provide the kind of scale they're looking for.

guppy_fish
join:2003-12-09
Lakeland, FL

More likely a DOS against TOR

This sounds more like an NSA-driven DoS (Denial of Service). Even the details just say it can't be people behind the uptick, so they think that only leaves botnets, since no software vendors have come forward about bundling Tor.

Well, who doesn't want a public, functioning anonymous network? It isn't the bots ... It's our own NSA.

FFH
join:2002-03-03
Tavistock NJ

Re: More likely a DOS against TOR

said by guppy_fish:

This sounds more like an NSA-driven DoS (Denial of Service). Even the details just say it can't be people behind the uptick, so they think that only leaves botnets, since no software vendors have come forward about bundling Tor.

Well, who doesn't want a public, functioning anonymous network? It isn't the bots ... It's our own NSA.

Or security agencies in China, Iran, Pakistan, N. Korea, or a dozen other countries.
--
"If you want to anger a conservative, lie to him.
If you want to anger a liberal, tell him the truth."
guppy_fish
join:2003-12-09
Lakeland, FL

Re: More likely a DOS against TOR

Yes good points, and I agree with your list of suspects!

FFH
join:2002-03-03
Tavistock NJ

Could botnet deployers be a national security agency?

There are lots of security agencies in countries around the world that don't like the Tor network at all. It is possible the botnet used against Tor was designed by one of those countries' agencies.
--
"If you want to anger a conservative, lie to him.
If you want to anger a liberal, tell him the truth."

ARGONAUT
Have a nice day.
join:2006-01-24
New Albany, IN

We have to spy on you to protect you.

Majority of Tor crypto keys could be broken by NSA

The majority of devices connected to the Tor privacy service may be using encryption keys that can be broken by the National Security Agency, a security researcher has speculated.

Rob Graham, CEO of penetration testing firm Errata Security, arrived at that conclusion by running his own "hostile" exit node on Tor and surveying the encryption algorithms established by incoming connections. About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key. The analysis came a day after revelations the NSA can circumvent much of the encryption used on the Internet. While no one knows for sure exactly what the NSA is capable of cracking, educated speculation has long made a case that the keys Graham observed are within reach of the US spy agency.

»arstechnica.com/security/2013/09···er-says/
--

If you're going through hell, keep going. - Winston Churchill
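The survey described in the Ars Technica excerpt above, tallying how many incoming TLS handshakes negotiated a 1024-bit Diffie-Hellman group, is the kind of check a relay or service operator can run against their own captured handshakes. The following is an added example for this page, not code from Errata Security, Ars Technica or the Tor Project. It assumes the ServerKeyExchange payloads have already been extracted from a capture, and parses the ServerDHParams structure of RFC 5246 section 7.4.3 (dh_p, dh_g, dh_Ys, each a 2-byte length-prefixed opaque field). The sample records are constructed: the moduli are odd numbers of the right bit length, not real primes, and the 2048-bit baseline is an assumed threshold.

```python
"""Survey Diffie-Hellman group sizes in captured TLS 1.2 ServerKeyExchange payloads.

Added example; not code from Errata Security, Ars Technica or the Tor Project.
Assumes the payloads were already extracted from a capture. Sample records below
are constructed (moduli are odd, correctly sized, but not real primes).
"""
import struct
from dataclasses import dataclass

# Groups smaller than this are reported as weak (assumed baseline: 2048 bits).
WEAK_DH_BITS = 2048


@dataclass(frozen=True)
class DHParams:
    p: int   # modulus
    g: int   # generator
    ys: int  # server public value g^Xs mod p

    @property
    def bits(self) -> int:
        return self.p.bit_length()


def _read_opaque16(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one uint16-length-prefixed field, refusing to run past the buffer."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix at offset %d" % off)
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("%d-byte field overruns %d-byte record" % (n, len(buf)))
    return buf[off:off + n], off + n


def parse_server_dh_params(buf: bytes) -> DHParams:
    """Decode ServerDHParams (RFC 5246 7.4.3); trailing signature bytes are ignored."""
    p_raw, off = _read_opaque16(buf, 0)
    g_raw, off = _read_opaque16(buf, off)
    ys_raw, off = _read_opaque16(buf, off)
    return DHParams(int.from_bytes(p_raw, "big"),
                    int.from_bytes(g_raw, "big"),
                    int.from_bytes(ys_raw, "big"))


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used here only to build the constructed samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def classify(params: DHParams) -> str:
    """'invalid' if the modulus cannot be a prime group or Ys is out of range,
    'weak' below the baseline, otherwise 'ok'. Primality is not tested here."""
    if params.p < 3 or params.p % 2 == 0 or not (1 < params.ys < params.p):
        return "invalid"
    return "weak" if params.bits < WEAK_DH_BITS else "ok"


def survey(records: list[bytes]) -> dict[str, int]:
    """Tally verdicts; records that fail to parse count as 'malformed'."""
    counts = {"ok": 0, "weak": 0, "invalid": 0, "malformed": 0}
    for rec in records:
        try:
            counts[classify(parse_server_dh_params(rec))] += 1
        except ValueError:
            counts["malformed"] += 1
    return counts


def weak_share(counts: dict[str, int]) -> float:
    """Percentage of parseable handshakes using a weak group (the article's 76% figure)."""
    parsed = counts["ok"] + counts["weak"] + counts["invalid"]
    return 100.0 * counts["weak"] / parsed if parsed else 0.0


# Constructed sample: three 1024-bit groups, one 2048-bit group, one truncated capture.
P_1024 = (1 << 1023) | 1
P_2048 = (1 << 2047) | 1
SAMPLE_RECORDS = [
    encode_server_dh_params(P_1024, 2, 12345),
    encode_server_dh_params(P_1024, 2, 67890),
    encode_server_dh_params(P_1024, 5, 424242),
    encode_server_dh_params(P_2048, 2, 99999),
    encode_server_dh_params(P_1024, 2, 12345)[:40],  # cut short mid-field
]

if __name__ == "__main__":
    c = survey(SAMPLE_RECORDS)
    print(c, "weak share: %.1f%%" % weak_share(c))
```

The parser bounds-checks every length prefix before slicing, so a truncated or hostile record raises rather than silently yielding a tiny modulus that would be miscounted as "weak". On the constructed sample, three of the four parseable handshakes use a 1024-bit group, giving a weak share of 75%.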