A coordinated IP spoofing attack attempted to disrupt the Tor anonymity network, according to the Tor Project and relay operators.
The Tor Project said the attack started on October 20, when Tor directory authorities, the critical components responsible for maintaining the list of Tor relays, began receiving complaints alleging that their servers had been conducting port scanning.
The apparent port scanning triggered automated abuse complaints to ISPs and hosting providers, and some of them responded by taking relays offline.
An analysis revealed that the threat actor had sent SYN packets with forged source addresses, making it appear as if IPs belonging to Tor relays were conducting the port scans. Because a lone SYN requires no completed handshake, the source address on such a packet can be written to any value, so the complaints said nothing about who actually sent the traffic. Non-exit relays were the focus of the attack.
“The attacker’s intent seems to have been to disrupt the Tor network and the Tor Project by getting these IPs on blocklists with these unfounded complaints,” the Tor Project said.
It also noted, “We want to reassure everyone that this incident had no effect on Tor users. While the attack had a limited impact on the Tor network – taking a few relays offline temporarily – it caused unnecessary stress and inconvenience for many relay operators who had to address these complaints.”
It’s unclear who is behind the attack. Threat actors working for a government whose citizens often use Tor to bypass censorship and protect their privacy are a likely culprit, but other types of groups — including hacktivists and cybercriminals — may also benefit from a disruption of the Tor network.
Tor relay operator Pierre Bourdon analyzed the attack after his own relay became the subject of an automated abuse complaint.
Some cybersecurity services automatically send out abuse complaints to ISPs when they detect potential malicious activity from an IP address.
In this case, many of the automated complaints were sent by WatchDogCyberDefense, which says it has started working on a way to identify spoofed IPs after Bourdon urged the community to ignore abuse reports coming from this service.
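The spoofed-SYN technique described above, and the problem an automated abuse service faces when it turns packet captures into complaints, come down to one question: did the reported address ever complete a TCP handshake, or did it only appear as the source of bare SYNs? The following triage helper is an added example written for this article, not code from the Tor Project, Pierre Bourdon, or WatchDogCyberDefense. It works on a constructed packet list (the addresses, ports, and flag sequences are made up for the demonstration) and labels each reported source as either confirmed by a completed handshake or unverifiable because only SYN-only flows were seen, which is exactly the pattern a spoofed port scan produces.

```python
from collections import defaultdict
from dataclasses import dataclass

# One TCP packet as seen by the host that would file the abuse complaint.
# flags uses tcpdump-style letters: S = SYN, A = ACK, R = RST, SA = SYN+ACK.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def classify_flows(packets):
    """Group packets into client-initiated flows keyed by
    (src, sport, dst, dport) and decide whether each flow completed
    the 3-way handshake.

    A SYN followed by our SYN-ACK and then an ACK from the same source
    proves that source really received our reply, so the address is
    genuine. A SYN with no ACK (the real owner of the address either
    stays silent or answers our unsolicited SYN-ACK with a RST) is
    exactly what a spoofed scan looks like and proves nothing about
    who sent it. Returns {flow_key: 'completed' | 'syn_only'}.
    """
    state = defaultdict(lambda: {"syn": False, "synack": False, "ack": False})
    for p in packets:
        if p.flags == "S":
            state[(p.src, p.sport, p.dst, p.dport)]["syn"] = True
        elif p.flags == "SA":
            # Our reply travels in the reverse direction of the client's SYN.
            key = (p.dst, p.dport, p.src, p.sport)
            if key in state:
                state[key]["synack"] = True
        elif "A" in p.flags and "S" not in p.flags and "R" not in p.flags:
            key = (p.src, p.sport, p.dst, p.dport)
            if key in state and state[key]["synack"]:
                state[key]["ack"] = True
    return {k: ("completed" if st["ack"] else "syn_only")
            for k, st in state.items() if st["syn"]}


def triage(reported_ip, packets):
    """Summarise what the capture actually proves about one reported IP."""
    flows = {k: v for k, v in classify_flows(packets).items() if k[0] == reported_ip}
    completed = sum(1 for v in flows.values() if v == "completed")
    syn_only = sum(1 for v in flows.values() if v == "syn_only")
    ports = sorted({k[3] for k in flows})
    if completed > 0:
        verdict = "source confirmed: at least one handshake completed from this address"
    elif syn_only > 0:
        verdict = "unverifiable: SYN-only traffic, consistent with a spoofed source"
    else:
        verdict = "no traffic from this address in the capture"
    return {"completed": completed, "syn_only": syn_only, "ports": ports, "verdict": verdict}


# Constructed sample capture (hypothetical addresses from documentation ranges).
RELAY_IP = "198.51.100.7"    # address of a Tor relay, written into the forged SYNs
VICTIM = "203.0.113.10"      # host whose IDS would raise the abuse complaint
REAL_CLIENT = "192.0.2.44"   # an ordinary client that genuinely connected

SAMPLE_CAPTURE = []
# Spoofed scan: one forged SYN per port. The victim answers SYN-ACK to the
# relay, which never asked for it and replies with a RST (or not at all).
for i, port in enumerate([22, 80, 443, 3389, 8080]):
    sport = 40000 + i
    SAMPLE_CAPTURE.append(Packet(RELAY_IP, sport, VICTIM, port, "S"))
    SAMPLE_CAPTURE.append(Packet(VICTIM, port, RELAY_IP, sport, "SA"))
    SAMPLE_CAPTURE.append(Packet(RELAY_IP, sport, VICTIM, port, "R"))
# Genuine connection: the full handshake completes.
SAMPLE_CAPTURE += [
    Packet(REAL_CLIENT, 51000, VICTIM, 443, "S"),
    Packet(VICTIM, 443, REAL_CLIENT, 51000, "SA"),
    Packet(REAL_CLIENT, 51000, VICTIM, 443, "A"),
]

if __name__ == "__main__":
    for ip in (RELAY_IP, REAL_CLIENT):
        print(ip, triage(ip, SAMPLE_CAPTURE))
```

The relay address comes back with five SYN-only flows and zero completed handshakes, which is the signature of a forged source rather than of a scan the relay performed; the genuine client is confirmed by its completed handshake. An abuse pipeline that applied this check before sending a complaint would have dropped every report generated by the attack described above, and a relay operator answering such a complaint can ask the reporter for exactly this evidence. The one caveat is that a RST from the reported address, as in the sample, is itself a useful hint: it shows the real host received a SYN-ACK it never solicited.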
The Tor Project said the origin of the spoofed packets was shut down on November 7 as a result of collaboration between the Tor community, InterSecLab, and GreyNoise.
Related: Tor Merges With Security-Focused OS Tails
Related: Tor Responds to Reports of German Police Deanonymizing Users