In recent weeks, Tor anonymity services and anti-censorship tools have been attacked by two threats: The Russian government has blocked most Tor nodes in the country, and hundreds of malicious servers have been relaying traffic.
The Russian Federation Communication, Information Technology and Mass Media Supervision Agency (Roskomnadzor) was established Stop Tor in the country Tuesday. This move left Tor users in Russia-Say Composed of Tor project leaders, there are approximately 300,000, or 15% of Tor users, scrambling to find ways to view blocked sites and protect their browsing habits from the attention of government investigators.
“Illegal Content”
Tor project manager early Tuesday Say Some ISPs in Russia started to block Tor nodes on December 1, and Roskomnadzor had threatened to block the main Tor sites.A few hours later, Russian government agencies well done About these threats.
“The reason is to disseminate information on the site and ensure the work of providing services that provide access to illegal content,” Roskomnadzor Tell AFP news agency When explaining the decision on Wednesday. “Today, access to resources is restricted.” Censorship agencies have previously blocked access to many VPNs operating in the country.
Tor managers create a Mirror site It can still be reached in Russia.Managers also called on volunteers to create Tor bridge, This is a private node that allows people to circumvent censorship. These bridges use a transport system called obfs4, which masquerades the traffic to make it look irrelevant to Tor. As of last month, there are approximately 900 such bridges.
Tor says that many default bridges in Russia no longer work. “We call on everyone to build a Tor bridge!” the project leader wrote. “If you have ever considered operating a bridge, now is the perfect time to start because we desperately need your help.”
Witch attack
Meanwhile, on Tuesday, the security news site The Record Report results According to security researchers and Tor node operators, an anonymous entity has been running a large number of malicious Tor relays. During the peak period, the relay reaches 900. This can be as high as 10% All nodes.
Tor anonymity works by routing traffic through three independent nodes. The first one knows the user’s IP address, and the third one knows the destination of the traffic. Middleware works as a trusted intermediary, so node 1 and node 3 do not know each other. Matt Green, an encryption and privacy expert at Johns Hopkins University, said that running a large number of servers could break these guarantees of anonymity.
“As long as these three nodes don’t work together and share information, Tor can operate normally,” he said. “When you have one person pretending to be a bunch of nodes, it will collapse. All [the attackers] Must be in the first or third hop. He said that when a single entity operates the first and third nodes, it is easy to deduce that the confusing information of the intermediate nodes should be used.
This technique is often referred to as a sorceress attack, named after the attacker’s characteristics. 1970 TV miniseries He suffers from dissociative identity disorder and has 16 different personalities. The Sybil attack is a simulation technique that involves a single entity disguised as a group of nodes by claiming false identities or generating new identities.
The Record quoted a researcher named Nusenu as saying that at a certain moment, the probability of a user entering the Tor network through one of the malicious servers is 16%. At the same time, there is a 35% chance of passing through one of the malicious intermediate servers, and a 5% chance of exiting through one of the servers.
“A very governmental thing”
Nusenu stated that malicious relays can be traced back to 2017. Over the years, the person in charge has regularly added a large number of such relays. Typically, unknown persons operate as many as hundreds of servers at any given time. Servers are usually hosted in data centers located around the world, and most of them are configured as entrances and intermediate points.
The head of the Tor project told The Record that Tor deleted the nodes immediately after learning about them.
The researchers stated that various factors indicate that these nodes are the work of resource-rich attackers backed by a nation-state. Green agreed and said that the most likely culprit was China or Russia.
“This sounds like a very governmental thing,” Green said. China and Russia “will actively mess up with Tor without hesitation.”
Tor users can do several things to minimize the damage caused by malicious nodes. The first is to use TLS-based encryption to send emails and browse websites. Browse anonymous sites in the Tor Hidden Service Network (aka Dark Web)—instead of using Tor to connect to regular Internet sites and servers—without threats. Unfortunately, this is usually not an option for people who want to visit a website that has been blocked by censorship.
