Tor Network: KAX17 carries out massive de-anonymization attacks

Since at least 2017, an unknown, well-resourced and apparently state-supported attacker has been operating thousands of potentially harmful servers in the entry, middle and exit positions of the Tor network. An IT security researcher with the pseudonym Nusenu, who is himself a member of the community, sees this as an attempt to deanonymize users of the service on a large scale.

The threat actor, which Nusenu christened KAX17, operated more than 900 servers in the Tor network with a maximum bandwidth of 155 GBit/s. That is a good ten percent of the entire network, which on any given day usually totals 9,000 to 10,000 nodes.

Some of these servers assigned to KAX17 function as entry points (guards), others as middle relays and still others as exit points. As exit nodes, the latter represent the last stage in the obfuscation route and maintain the connection between Tor and the rest of the Internet.

The task of the nodes is to jointly encrypt and anonymize the users' traffic. This creates a huge network of proxy servers that forward connections to one another while protecting the privacy of the users.

Servers added to the Tor network are actually supposed to carry rudimentary contact information. This is intended to enable the administrators of the service and law enforcement authorities to contact the operators of the nodes in the event of a misconfiguration or to report abuse. A stored email address is sufficient for this.

However, compliance with this rule is not strictly monitored. Especially when the network does not have a sufficiently large number of active nodes to hide user traffic, the Tor operators turn a blind eye and also accept servers without contact details.

In an article published this week, Nusenu identified a pattern among some of these Tor relays without email addresses. The expert first noticed this in 2019 and has now traced the phenomenon back to 2017. KAX17 is constantly adding new servers in large numbers to the network without contact information. At any given point in time, the attacker had hundreds of nodes in operation.

The mysterious servers are usually located in data centers spread all over the world. KAX17 does not only rely on cheap hosters, but also on the Microsoft cloud. The machines are mainly configured as entry and middle nodes, but there are also a small number of exit nodes.

This is unusual, as most relevant attackers tend to focus on operating exit nodes. Among other things, this enables them to modify the users' traffic. The broader focus of KAX17 suggests, according to Nusenu, that the "tenacious" group is trying to gather information about Tor users and record their routes within the network. In view of the extensive resources used and the effort involved, they are by no means amateurs.

Nusenu calculates that there was a 16 percent probability that a Tor user would connect to the network via one of the KAX17 servers. The chance of passing through one of the group's middle relays was even 35 percent. At 5 percent, it was rather unlikely to be caught by the group when leaving Tor.
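The percentages above follow from the fact that Tor picks relays for each hop in proportion to their consensus bandwidth weight, so an operator's share of a position's total weight is the per-hop probability of landing on that operator. The script below is an added example, not code from the article or from Nusenu's analysis: it picks out relays whose descriptor carries no contact information (the pattern the article describes), computes the weight share of that group per position over a constructed sample consensus, and combines per-hop probabilities into circuit-level exposure. Relay names, weights and contact addresses are constructed; the eligibility rules are a simplification of Tor's real path selection, which also applies per-position bandwidth weights and family and /16 exclusions.

```python
"""Added example (not from the article or Nusenu's analysis): per-position
weight share of a relay group and the circuit exposure that follows from it.
All relay data is constructed. Real Tor path selection additionally applies
per-position bandwidth weights and family/subnet exclusions, omitted here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    fingerprint: str        # relay identity; constructed placeholders below
    consensus_weight: int   # bandwidth weight as published in the consensus
    flags: frozenset        # consensus flags such as Guard, Exit, Running
    contact: str = ""       # "" models a descriptor with no ContactInfo line


# Constructed sample consensus: three relays without contact info, four with.
SAMPLE_RELAYS = [
    Relay("A" * 40, 100, frozenset({"Guard", "Running"})),
    Relay("B" * 40, 100, frozenset({"Running"})),
    Relay("C" * 40, 50, frozenset({"Exit", "Running"})),
    Relay("D" * 40, 400, frozenset({"Guard", "Running"}), "ops@example.org"),
    Relay("E" * 40, 25, frozenset({"Running"}), "relay-admin@example.net"),
    Relay("F" * 40, 200, frozenset({"Exit", "Running"}), "abuse@example.com"),
    Relay("G" * 40, 125, frozenset({"Guard", "Running"}), "noc@example.edu"),
]


def relays_without_contact(relays):
    """Fingerprints of relays whose descriptor has no ContactInfo: the
    trait the article reports for the KAX17 servers."""
    return [r.fingerprint for r in relays if not r.contact.strip()]


def eligible(relays, position):
    """Relays that may fill a circuit position (simplified: guards need the
    Guard flag, exits the Exit flag, any running relay may be a middle)."""
    need = {"guard": "Guard", "exit": "Exit", "middle": "Running"}[position]
    return [r for r in relays if need in r.flags and "Running" in r.flags]


def weight_share(relays, suspects, position):
    """Fraction of a position's total consensus weight held by `suspects`.
    Under bandwidth-weighted selection this is the probability that the hop
    lands on one of them."""
    pool = eligible(relays, position)
    total = sum(r.consensus_weight for r in pool)
    if total == 0:
        return 0.0
    held = sum(r.consensus_weight for r in pool if r.fingerprint in suspects)
    return held / total


def circuit_exposure(guard, middle, exit_):
    """Combine per-hop probabilities into circuit-level figures. Hops are
    treated as independent; that is an approximation, since Tor refuses to
    place two relays of one declared family or /16 in the same circuit."""
    return {
        # guard plus middle: the combination the article ties to locating hidden services
        "guard_and_middle": guard * middle,
        # guard plus exit: the classic end-to-end correlation position
        "guard_and_exit": guard * exit_,
        "any_hop": 1 - (1 - guard) * (1 - middle) * (1 - exit_),
        "all_three": guard * middle * exit_,
    }


if __name__ == "__main__":
    suspects = set(relays_without_contact(SAMPLE_RELAYS))
    shares = {p: weight_share(SAMPLE_RELAYS, suspects, p)
              for p in ("guard", "middle", "exit")}
    print("share of weight held by no-contact relays:", shares)
    # The article's figures for KAX17: 16 % guard, 35 % middle, 5 % exit.
    print("exposure at the article's figures:", circuit_exposure(0.16, 0.35, 0.05))
```

Run as-is, the sample consensus gives the no-contact group a 16 percent guard share, 25 percent middle share and 20 percent exit share; fed with the article's own figures, `circuit_exposure` shows that roughly 5.6 percent of circuits would have both guard and middle under the group's control and almost half would touch at least one of its relays. The same share computation, run over real consensus documents grouped by operator, is how a monitoring effort spots an operator growing past the point where this exposure becomes material.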

The high probability of contact when entering the network and in its middle can definitely be used to identify hidden services operated via Tor, researcher Neal Krawetz, who specializes in anonymization technologies, explained to the online magazine The Record.
