The Tor Project is warning that an unnamed attacker is planning to try to cripple the network by seizing directory authorities, the servers that help Tor clients find Tor relays in the network.
Tor officials said that the network is still safe to use right now, and emphasized that they are taking steps to ensure that, if the directory authorities are in fact seized, the network will continue to function as designed.
“The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use,” Tor officials wrote on the project’s blog.
Tor is designed to help users browse the Internet anonymously and it relies on a worldwide network of servers that route traffic through circuits in order to help disguise the source of the traffic. In order for the system to work, users’ clients need to be able to find the addresses of Tor relays, and if the directory authorities are taken offline, that process could become problematic. The Tor network has become an object of much interest to law enforcement officials, especially the FBI, which in November conducted a takedown of the Silk Road 2.0 server on the network. Around the same time, law enforcement officials in Europe seized hundreds of sites operating on the Tor network.
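The redundancy the Tor Project refers to comes from the fact that a directory consensus is only accepted when a sufficient number of authorities have signed it, so no single seized server can either halt the network or feed clients a bogus relay list. The page does not describe that mechanism, so the following is an added toy model, not Tor's own code: nine constructed authorities (a number chosen for the example), HMAC standing in for the public-key signatures real authorities use, and a strict-majority rule modelled on Tor's. It shows the genuine consensus surviving the loss of a minority of authorities, and a forged consensus signed only with seized keys being rejected.

```python
"""Toy model of a majority-signed directory consensus (added example)."""
import hashlib
import hmac

# Constructed set of nine directory authorities and their signing keys.
# Real authorities sign with public keys; HMAC keys stand in here so the
# example runs offline with the standard library only.
AUTHORITY_KEYS = {f"auth-{i}": f"signing-key-{i}".encode() for i in range(9)}

# Constructed consensus document: in Tor it lists the relays clients may use.
GENUINE_CONSENSUS = (b"network-status-consensus\n"
                     b"relay r1 10.0.0.1:9001\n"
                     b"relay r2 10.0.0.2:9001\n")
# Constructed bogus document someone holding seized keys might try to publish.
FORGED_CONSENSUS = b"network-status-consensus\nrelay bogus 192.0.2.1:9001\n"


def sign(key: bytes, document: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 over the whole document."""
    return hmac.new(key, document, hashlib.sha256).digest()


def verify_consensus(document: bytes, signatures: dict, authority_keys: dict) -> bool:
    """Accept only if more than half of the *known* authorities signed it.

    The denominator is the client's hard-coded authority list, not the
    number of signatures received, so missing authorities count against
    acceptance rather than being silently ignored.
    """
    valid = 0
    for name, sig in signatures.items():
        key = authority_keys.get(name)
        if key is None:
            continue  # signatures from unknown parties carry no weight
        if hmac.compare_digest(sig, sign(key, document)):
            valid += 1
    return valid > len(authority_keys) // 2


def simulate_seizure(seized) -> tuple:
    """Model a seizure of the named authorities.

    Returns (honest signatures on the genuine consensus,
             genuine consensus accepted?,
             forged consensus signed only with seized keys accepted?).
    """
    honest = {n: k for n, k in AUTHORITY_KEYS.items() if n not in seized}
    honest_sigs = {n: sign(k, GENUINE_CONSENSUS) for n, k in honest.items()}
    # Whoever holds the seized keys can sign anything, but only with those keys.
    forged_sigs = {n: sign(AUTHORITY_KEYS[n], FORGED_CONSENSUS) for n in seized}
    return (len(honest_sigs),
            verify_consensus(GENUINE_CONSENSUS, honest_sigs, AUTHORITY_KEYS),
            verify_consensus(FORGED_CONSENSUS, forged_sigs, AUTHORITY_KEYS))


if __name__ == "__main__":
    for n in (0, 4, 5):
        seized = {f"auth-{i}" for i in range(n)}
        print(f"{n} authorities seized ->", simulate_seizure(seized))
```

With four of nine authorities gone the remaining five still form a majority, so clients keep bootstrapping and the forged document is rejected. Once a majority is lost the model fails closed: clients stop accepting the genuine consensus rather than trusting a minority, which is why the threshold and the key material behind it matter more than any individual server.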
Attackers have always been interested in Tor, as well. Earlier this year, researcher Josh Pitts discovered a Tor exit node that was patching binaries as they moved through the server, adding malware dynamically. But the attack that Tor Project officials are concerned about hitting the network in the coming days or weeks is something different; it’s an attack on the infrastructure of the network itself.
“People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing,” the Tor officials said.
“Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.”
Over the weekend, the operator of a large cluster of Tor exit nodes posted a message to a Tor mailing list, saying that someone had opened the chassis on each of his servers and inserted a USB device into them, and that he had lost control of the servers. The operator, Thomas White, speculated that it could have been a law enforcement action, but later said he wasn’t sure.
“Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers,” White wrote.
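White's account is a useful illustration of what out-of-band sensors buy an operator: a chassis-intrusion switch and USB hot-plug telemetry, read from a separate channel, told him what happened in the last minute before the hosts went dark. The following is an added example, not anything White posted, that correlates such events into a graded alert. The log format, hostnames and timestamps are all constructed; a real deployment would feed it from IPMI/BMC sensors or a udev-to-syslog shipper.

```python
"""Correlate physical-tamper sensor events into alerts (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sensor log. Field names, hosts and times are illustrative only.
SENSOR_LOG = """\
2014-12-21T02:14:03Z host=exit07 event=heartbeat
2014-12-21T02:15:10Z host=exit07 event=chassis_open
2014-12-21T02:15:22Z host=exit07 event=usb_attach device=unknown
2014-12-21T02:16:05Z host=exit07 event=link_down
2014-12-21T02:14:00Z host=exit08 event=usb_attach device=unknown
2014-12-21T02:30:00Z host=exit08 event=heartbeat
2014-12-21T03:00:00Z host=exit09 event=chassis_open
2014-12-21T03:20:00Z host=exit09 event=heartbeat
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


def parse_events(text: str) -> list:
    """Parse 'ts host=... event=...' lines into (ts, host, event), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole batch
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["event"]))
    events.sort()
    return events


def detect_physical_tamper(text: str, window_seconds: int = 120) -> list:
    """Grade each chassis_open by what follows it within the window.

    high   : chassis_open, then usb_attach, then link_down (the pattern
             described in the mailing-list post)
    medium : chassis_open followed by usb_attach, host still reachable
    low    : chassis_open with nothing else (maintenance, or a flaky switch)
    """
    window = timedelta(seconds=window_seconds)
    by_host: dict = {}
    for ts, host, event in parse_events(text):
        by_host.setdefault(host, []).append((ts, event))

    alerts = []
    for host, evs in sorted(by_host.items()):
        for t_open, ev in evs:
            if ev != "chassis_open":
                continue
            later = [(ts, e) for ts, e in evs if t_open <= ts <= t_open + window]
            t_usb = next((ts for ts, e in later if e == "usb_attach"), None)
            t_down = next((ts for ts, e in later if e == "link_down"), None)
            alert = {"host": host, "chassis_open": t_open.isoformat()}
            if t_usb is not None and t_down is not None and t_usb <= t_down:
                alert["severity"] = "high"
                alert["usb_to_link_down_s"] = int((t_down - t_usb).total_seconds())
            elif t_usb is not None:
                alert["severity"] = "medium"
            else:
                alert["severity"] = "low"
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_physical_tamper(SENSOR_LOG):
        print(a)
```

On the constructed log, exit07 produces a high-severity alert with 43 seconds between the USB attach and the link dropping; exit09 is graded low because the chassis closed without any device being attached and the host kept reporting. A lone USB attach with no chassis event, as on exit08, is deliberately not alerted here, since that is where console or KVM hardware would also show up; whether to treat it as suspicious depends on what the operator expects to see plugged into a headless exit node.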
The Tor Project has blacklisted the exit nodes White operated for the time being.