Last Monday, Memorial Day in the US, and Victoria Day in Canada, I discovered a potentially troubling anomaly in the Tor network. Between about 10am and 3pm EST the number of computers running the Tor software as a relay or exit dropped to about 400 from the usual range of about 2,000.
This could be nothing serious, but also could be very serious in terms of increased exposure of Tor network traffic to possible monitoring. It is generally acknowledged that the more computers running the Tor software as relays and exits the greater anonymity of it's users. With 80% of the usual Tor servers flagged as out-of-service for 5 hours, this would mean all the normal Tor network traffic would be forced to travel through just 20% of the available servers. In other words, if an imaginary adversary controlled 4 Tor servers, then instead of having access to just 0.2% of the total Tor network traffic (4 of 2,000), they could have access to 10% of the total Tor network traffic (4 of 400), as long as their 4 were part of the ones that remained in service.
How could all these servers have been flagged as out of service? Was it an accidental anomaly in the Tor software? Was someone maliciously manipulating the Tor "running" status flag for this time period, hoping that no one would notice?
We have no answers at this time, although we are convinced that this anomaly was not simply a problem with our own software which monitors the composition and state of the Tor network. In response to this, we have started development of an alert system to be added to our pickaproxy.com service, so that when (if?) these conditions come up again, our users will be told, so they can make their own choices as to whether to continue using our service (and the Tor network in general) or disconnect until we issue a "Code Green" when more normal conditions return ...
Comments