SecurityWeek

IP Spoofing Attack Tried to Disrupt Tor Network

A coordinated IP spoofing attack that involved port scans tried to disrupt the Tor network by getting relays on blocklists. 

A coordinated IP spoofing attack attempted to disrupt the Tor anonymity network, according to the Tor Project and relay operators.

The Tor Project said the attack started on October 20, when Tor directory authorities, the critical components responsible for managing and maintaining the list of Tor relays, started getting complaints alleging that their servers had been conducting port scanning. 

The unauthorized port scanning triggered automated abuse complaints to ISPs, which resulted in some relays being taken offline. 

An analysis revealed that a threat actor had used spoofed SYN packets to make it appear as if IPs associated with Tor relays had been conducting the port scans. Non-exit relays were the focus of the attack. 

“The attacker’s intent seems to have been to disrupt the Tor network and the Tor Project by getting these IPs on blocklists with these unfounded complaints,” the Tor Project said.

It also noted, “We want to reassure everyone that this incident had no effect on Tor users. While the attack had a limited impact on the Tor network – taking a few relays offline temporarily – it caused unnecessary stress and inconvenience for many relay operators who had to address these complaints.”

It’s unclear who is behind the attack. Threat actors working for a government whose citizens often use Tor to bypass censorship and protect their privacy are a likely culprit, but other types of groups — including hacktivists and cybercriminals — may also benefit from a disruption of the Tor network. 

Tor relay operator Pierre Bourdon has analyzed the attacks after his server was targeted with an automated abuse complaint. 

Some cybersecurity services automatically send out abuse complaints to ISPs when they detect potential malicious activity from an IP address. 

In this case, many of the automated complaints were sent out by WatchDogCyberDefense, which says it has started working on a way to identify spoofed IPs after Bourdon urged the community to ignore abuse reports coming from this service.

The Tor Project said the origin of the spoofed packets was shut down on November 7 as a result of collaboration between the Tor community, InterSecLab, and GreyNoise.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
