Man
Professional
Experts repelled an attack aimed at disrupting the Tor network.
In late October, Tor relay operators and even the Tor Project team itself began receiving complaints about port scans allegedly being conducted from their servers. As it turned out later, the attackers had spoofed the relays' IP addresses in scanning traffic, so that automated abuse-detection systems filed complaints against Tor nodes that had sent nothing of the kind.
The investigation showed that the complaints were the result of a coordinated IP spoofing attack. The attackers forged the source addresses of non-exit relays and other Tor nodes, which triggered automatic abuse complaints against their operators. The origin of the spoofed packets was identified and shut down on November 7.
It is important to emphasize that this incident did not affect Tor users. The attack affected only a small number of relays, taking them offline temporarily. However, relay operators had to deal with a wave of complaints and the additional burden of sorting things out with their providers. Although the attack was aimed at the Tor community, IP spoofing of this kind could be turned against any online service.
At the moment the project's task is to support relay operators: helping them get their hosting accounts reinstated and getting providers to unblock the IP addresses of Tor directory authorities. Operators whose relays are still blocked are advised to use the OONI Probe tool and its Circumvention test to check whether the directory authorities are reachable from their host. If they are still unreachable, the operator should contact the hosting provider's support.
Affected operators can also send a template letter to their ISPs explaining that the relays have fallen victim to the attack and are not the source of suspicious traffic.
The directory authorities play a critical role in the Tor network: they maintain the consensus list of available relays, and the attack on them was aimed at disrupting the network as a whole. The attackers sent spoofed TCP SYN packets, forging the source addresses of Tor relays so that the relays appeared to be the origin of the scans. Because abuse-detection systems trusted those source addresses, relay IPs were blocked at major hosting providers such as OVH and Hetzner on the strength of false complaints.
The attack drew a wide response from the security community. Especially valuable was the analysis by Pierre Bourdon, who examined the mechanism of the attack in detail and shared his findings; his work gave the community a much clearer understanding of what had happened.
Source
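The mechanism described above, spoofed SYNs making a relay look like a scanner, leaves a gap that a relay operator can use when answering an abuse complaint: a non-exit relay only opens outbound connections to other relays, so its own flow records will not contain the connections the complaint describes. The following added example (not code from the original post, the Tor Project, or Pierre Bourdon) compares a complaint against the relay's own outbound log. Both inputs are constructed, and their line formats are hypothetical; a real complaint comes from a provider's abuse desk and a real flow log from conntrack, nftables counters, or a flow collector on the relay host.

```python
"""Triage an abuse complaint that names a Tor relay IP as a port-scan source.

Added example, not from the original post or the Tor Project. The report
and log formats are invented for illustration; replace parse_flows() with
a parser for whatever your abuse desk and flow collector actually emit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed excerpt of an automated abuse report (hypothetical format):
# one line per observed SYN, "time src:sport -> dst:dport flags".
ABUSE_REPORT = """\
2024-10-28T10:15:02Z 203.0.113.7:51123 -> 198.51.100.4:22 S
2024-10-28T10:15:02Z 203.0.113.7:51124 -> 198.51.100.4:23 S
2024-10-28T10:15:03Z 203.0.113.7:51125 -> 198.51.100.4:3389 S
2024-10-28T10:15:03Z 203.0.113.7:51126 -> 198.51.100.9:445 S
"""

# Constructed outbound flow log from the relay host itself (hypothetical
# format): "time proto src:sport -> dst:dport". A non-exit relay only talks
# to other relays on their ORPorts, never to arbitrary hosts and ports.
RELAY_FLOW_LOG = """\
2024-10-28T10:14:59Z tcp 203.0.113.7:44310 -> 192.0.2.50:9001
2024-10-28T10:15:01Z tcp 203.0.113.7:44311 -> 192.0.2.77:443
2024-10-28T10:15:04Z tcp 203.0.113.7:44312 -> 192.0.2.12:9001
"""

# Accepts both formats above: the "tcp" token is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:tcp\s+)?(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the hypothetical line format into Flow records, skipping junk."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        flows.append(Flow(ts, m["src"], m["dst"], int(m["dport"])))
    return flows


def triage(report: str, relay_log: str, relay_ip: str,
           window: timedelta = timedelta(seconds=5)) -> dict:
    """Compare what the complaint claims with what the relay actually sent.

    A claimed flow is corroborated when the relay's own log shows an
    outbound connection to the same dst:dport within `window` of the
    claimed time. Zero corroboration means the relay never sent those
    SYNs, i.e. its address was most likely spoofed by a third party.
    """
    claimed = [f for f in parse_flows(report) if f.src == relay_ip]
    actual = [f for f in parse_flows(relay_log) if f.src == relay_ip]
    corroborated = sum(
        1 for c in claimed
        if any(a.dst == c.dst and a.dport == c.dport
               and abs(a.ts - c.ts) <= window for a in actual)
    )
    if not claimed:
        verdict = "report does not name this relay"
    elif corroborated == 0:
        verdict = "likely spoofed: relay has no matching outbound connections"
    elif corroborated < len(claimed):
        verdict = "partially corroborated: investigate the host"
    else:
        verdict = "corroborated: traffic really left this relay"
    return {"claimed": len(claimed), "corroborated": corroborated,
            "verdict": verdict}


if __name__ == "__main__":
    print(triage(ABUSE_REPORT, RELAY_FLOW_LOG, "203.0.113.7"))
```

The result is evidence to attach to the template letter, not proof: the relay's side can show that nothing left the host, but it can never identify who forged the packets, since a SYN with a spoofed source carries no trace of its real origin. The reasoning also holds only for non-exit relays and directory authorities; an exit relay legitimately opens connections to arbitrary destinations, so its flow log will not rule out the complaint this way.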