Large botnet cause of recent Tor network overload (opens in new tab)

(blog.fox-it.com)

79 pointsthursley12y ago16 comments

16 comments

> Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult.

I think the article answers its own question the paragraph previous:

> While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).

Tor and Kademlia are both rather complex systems. To use one or the other, but not both, in different versions of your botnet, would suggest to me that this is a botnet creator split-testing the effectiveness and scalability of different command-and-control technologies.

X-Istence12y ago

Even criminals need to do A/B testing!

jruthers12y ago

I wonder if it is conceivable that a government agency that wouldn't like what Tor offers, could reduce Tor's attractiveness by bombing it from a botnet, much like what they've done by arresting people who host a tor node for traffic that runs across it.

With that said, I accept that this is much less likely explanation than just some Russian group just using it to facilitate their usual crime.

brazzy12y ago

So far the new users are showing little activity (according to the article), so that seems unlikely.

fiatpandas12y ago

I don't think the little activity disproves that theory beyond a reasonable doubt. If it really was a govt agency wanting to flood the network, they may be waiting for a particular event to initiate the flood.

3 more replies

maxk4212y ago

Unless this is attack on the anonymity of TOR rather than the speed.

chmike12y ago

Could the anonymity of tor users be compromized by these presumed bots ? As for bitcoin which could be subverted if one users holds more than 50% of the bitcoins.

InXorWeTrust12y ago

Most likely not. If the bots were to suddenly turn into nodes, then there is a good chance that a large percentage of users could have their anonymity compromised.

Tor anonymity relies on the fact it is difficult to tie in where you entered the system, and where you exited the system. If someone where to control a large amount of nodes, they could (in theory) tie a large amount identities together. But this requires a large amount of entry and exit nodes.

gwern12y ago

> As for bitcoin which could be subverted if one users holds more than 50% of the bitcoins.

You're thinking of the 50% attack where you have half the hashing power, not half the bitcoins.

gizmo68612y ago

I don't think so. It looks like these bots are connecting as users, not nodes. It might be possible to use these bots to increase/control the load on tor which may be able to facilitate an attack based on controlling a significant amount of nodes.

001sky12y ago

Is there any commercial logic to hacking tor, though?

dylz12y ago

They are connecting as users -- it's more than likely that the only thing that is to be gained is a fully anonymous non-takedownable C&C

j / k navigate · click thread line to collapse