Playing the devil's advocate here - isn't this a good thing for the Tor network? Almost anything that adds traffic to the Tor network will help the "legit" users further blend into the crowd.
It sounds like it's close to hurting performance for legit users. Also, since we don't know what the botnet operator's planning, it's probably safest for Tor to try to stop it.
If I were looking at things, I'd backtrace from sites of interest. If your computer connected to a broad number of websites, and sufficient numbers of fishy websites - and other computers did likewise - then yeah, the false positives would be too great. But just increasing traffic through the network doesn't necessarily do that, at least as far as I understand it.
Seems entirely possible that this botnet represents an intentional attack on Tor. While it doesn't seem nearly as effective as it could be, that may be intentional as well, both to leave doubt as to its true nature, and to gather data with some long-term goal (likely eliminating Tor entirely) rather than simply causing short-term pain.
My CPU-limited nodes lost several MB/s in bandwidth, which I now suspect is caused by this.
Note that the handshake is the CPU-limited part, so a CPU-limited node benefits (in terms of MB/s) from having few clients which use high bandwidth, the opposite of these bots.
NSA trying to make a mess with TOR with all Americans as their zombies?
It is funny to see what the American government is doing with its citizens. And with the rest of the world. First they create terrorism, and then they "solve" it.
Roger doesn't understand botnets at all. The author clearly doesn't care about Tor itself, just his C&C server, which is more likely to get shut down. Tor is exactly what he wants. Anonymity only matters at the server, not all the zombies.
Your comment was a bit confusing to me. I'm going to interpret 'Roger' as the writer of the blog entry (not really clear anywhere on the page); and by 'the author', you mean the botnet owner?
Then the portion of the blog post (at the very end) you are responding to:
>
> I still maintain that if you have a multi-million node botnet, it's silly to try
> to hide it behind the 4000-relay Tor network. These people should be using their
> botnet as a peer-to-peer anonymity system for itself. So I interpret this
> incident as continued exploration by botnet developers to try to figure out what
> resources, services, and topologies integrate well for protecting botnet
> communications. Another facet of solving this problem long-term is helping them
> to understand that Tor isn't a great answer for their problem.
>
> [- Roger]
>
where you believe the blog is mistaken on the botnet's use of Tor. You point out the intention of hiding the owner's control of the botnet vs. your interpretation of the blog post as claiming the botnet is trying to hide entirely behind Tor.
My interpretation of the blog post excerpt is that the botnet offers its creator a chance to run a better Tor than Tor itself... with more nodes and the option of configuring whatever percentage as entry / relay / exit nodes.
It'd be great if botnets would help the Tor network and turn some nodes into relays (including exits) to help anonymity and capacity; at least they wouldn't be parasitising the network completely.
No, not really -- that would be a much, much more serious problem for Tor. (As I understand it,) Tor relies on the assumption that relays are controlled by a diverse group of people. If one person suddenly adds 3 million Tor relays, then it doesn't help anonymity at all, since that one person can now monitor a significant portion of Tor traffic.
If I own every relay on your circuit, I can monitor your traffic; if I own three million relays, it's almost certain that a significant portion of the traffic will be running through circuits composed of relays I own.
And you do not even need to control all the relays: assuming you control the first node and the last node in the circuit and as Tor is a low-latency network, it's trivial to perform timing analysis to find out what someone is doing on the network.
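To put numbers on the point made in the comments above (an adversary holding both the entry and the exit of a circuit), here is a toy model added to this thread; it is not Tor's path-selection code and uses the constructed assumption that an adversary controlling a fraction f of selection bandwidth ends up on both ends of about f*f of circuits:

```python
import random

# Constructed toy model (not the thread's or Tor's own code): relays are
# selected in proportion to bandwidth, independently for entry and exit.
# With a large pool, sampling with replacement is a close approximation.

def bandwidth_fraction(adv_relays, honest_relays, adv_bw=1.0, honest_bw=1.0):
    """Share of total selection weight held by the adversary's relays."""
    adv_total = adv_relays * adv_bw
    honest_total = honest_relays * honest_bw
    if adv_total + honest_total == 0:
        return 0.0
    return adv_total / (adv_total + honest_total)

def compromised_fraction(adv_relays, honest_relays, adv_bw=1.0, honest_bw=1.0):
    """Analytic share of circuits whose entry AND exit are adversary-run: f*f."""
    f = bandwidth_fraction(adv_relays, honest_relays, adv_bw, honest_bw)
    return f * f

def simulate(adv_relays, honest_relays, circuits=20000,
             adv_bw=1.0, honest_bw=1.0, seed=1):
    """Monte Carlo check of the analytic value: draw entry and exit by weight
    from two buckets (adversary / honest) and count circuits with both ends bad."""
    rng = random.Random(seed)
    weights = [adv_relays * adv_bw, honest_relays * honest_bw]
    both_bad = 0
    for _ in range(circuits):
        entry_bad = rng.choices((True, False), weights)[0]
        exit_bad = rng.choices((True, False), weights)[0]
        if entry_bad and exit_bad:
            both_bad += 1
    return both_bad / circuits

if __name__ == "__main__":
    # Scenario values are constructed: ~4000 honest relays as in the quoted
    # blog excerpt, and bots assumed to offer 1/20 of a real relay's bandwidth.
    for label, adv, adv_bw in (("no adversary relays", 0, 1.0),
                               ("4000 adversary relays", 4000, 1.0),
                               ("3M low-bandwidth bots", 3_000_000, 0.05)):
        print(f"{label:24s} analytic={compromised_fraction(adv, 4000, adv_bw):.3f} "
              f"simulated={simulate(adv, 4000, adv_bw=adv_bw):.3f}")
```

The last scenario shows why turning bots into relays would be worse than bots as clients: even at a twentieth of a relay's bandwidth each, three million bots would dwarf the honest pool and sit on both ends of nearly every circuit.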
I just downloaded and installed the Tor Browser Bundle from the Tor Project site, and am disappointed that the version I was provided is 0.2.3.25. (Linux)
It may be an attack on the network in the DoS sense, but it should not compromise anonymity because these bots are simply acting as clients, not relays (or exit nodes).
Would it be possible to require things requesting access to the Tor network to host their own temporary relay (even if it's really small, handling one or two connections only)?
This would also allow for plausible deniability. If the Tor network was compromised and half the nodes were owned by the feds or a botnet or something like that, it would still be impossible to tell if the traffic coming from your IP was from you or someone else.
Instead of hacking relays to prioritize one botnet version over another, they should properly implement rate-limiting algorithms like exponential backoff in case of failure.
In the case of Tor, the objective is to obtain a valid circuit relatively quickly so I feel that even exponential backoff would need a low max time to be practical.
<tinfoilhat>I bet an exploit was found that through operating a certain number of clients Tor's anonymity or hidden services can be compromised</tinfoilhat>
Only if the clients become relays, which they have not done. It's just a bunch more client requests, and all those can do is affect the performance of the network itself. They can't directly impact others' anonymity.