Tor Network Thwarts IP Spoofing Attack
A coordinated attack targeting the Tor network has been neutralized thanks to the swift action of the Tor community and security researchers.
In late October, the Tor Project faced a wave of abuse complaints directed at its directory authorities and relay operators. These complaints stemmed from an IP spoofing attack: the attackers sent TCP SYN packets whose source addresses were forged to those of Tor relays, so that the relays appeared to be the origin of port scans against third parties. Because a SYN carries whatever source address its sender writes into it, the targets' intrusion detection systems logged the relay addresses as the scanners and filed complaints accordingly. “This attack focused on non-exit relays, using spoofed SYN packets to make it appear that Tor relay IP addresses were the sources of these scans,” the Tor Project explained in a recent blog post.
This tactic triggered automated abuse reports at various hosting providers, including OVH and Hetzner, leading to temporary disruptions for some Tor relays. The attackers aimed to “disrupt the Tor network and the Tor Project by getting these IPs on blocklists with these unfounded complaints.”
Fortunately, the Tor community, in collaboration with InterSecLab, GreyNoise, and individual researchers like Pierre Bourdon, successfully identified and shut down the source of the attack on November 7th, 2024.
“We’ve seen many instances of good collaboration to defend the Tor network: analysis, investigation, and knowledge sharing,” the Tor Project emphasized. Relay operators actively worked together, sharing information and providing support to keep the network operational.
The Tor Project assures users that the attack had no direct impact on their browsing experience. However, the incident caused significant inconvenience for relay operators who had to address the unfounded abuse complaints.
For relay operators affected by these abuse complaints, the Tor Project provided guidance to help resolve issues with hosting providers:
- Check Reachability of Tor Directory Authorities: Operators can use tools like OONI Probe with the “Circumvention” test to confirm connectivity with the Tor directory authorities. If the directory authorities remain unreachable, the provider is most likely still blocking Tor addresses, and operators should contact their provider to have the Tor IPs unblocked.
- Reply to Hosting Providers: Relay operators who receive abuse complaints are encouraged to use the Tor Project’s prewritten template and refer providers to the Tor Project’s blog post. This clarification aims to reassure providers that the relays were spoofed and are not responsible for suspicious traffic.
Efforts are underway to assist affected relay operators in getting their accounts reinstated and to work with hosting providers to unblock impacted IP addresses. The Tor Project also highlighted the need for greater diligence within the cybersecurity community in handling abuse reports, particularly in light of misleading information from sources like watchdogcyberdefense[.]com.
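To show concretely why the spoofed SYNs described above could not be attributed to the relays, and what an abuse desk should look for before acting on such a report, here is an added Python example; it is not code from the Tor Project or from the article. It parses constructed tcpdump-style records and triages a complaint against the reported source address. The addresses (203.0.113.10 as the relay whose address was spoofed, 198.51.100.7 as the complainant's host, 192.0.2.44 as a genuine scanner), the captures and the port numbers are all constructed assumptions.

```python
"""Triage of a SYN-scan abuse complaint: is the reported source attributable?

Added example, not Tor Project code. A TCP SYN carries whatever source
address the sender writes into it, so a log of unanswered SYNs proves nothing
about who sent them. A completed handshake does: the client can only ACK a
SYN-ACK that was actually delivered to the address it claims.
"""
import re
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges (assumptions).
RELAY = "203.0.113.10"      # Tor relay whose address the attacker spoofs
VICTIM = "198.51.100.7"     # complainant's host, the one that files the report
SCANNER = "192.0.2.44"      # a real scanner running a full-connect scan

TCPDUMP_LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump notation: S = SYN, S. = SYN-ACK, . = ACK, R = RST


def parse_tcpdump(text):
    """Parse tcpdump-style lines; lines that do not match are ignored."""
    return [
        Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])
        for m in (TCPDUMP_LINE.search(line) for line in text.splitlines())
        if m
    ]


def triage(packets, reported_src, victim):
    """Classify a complaint that `reported_src` port-scanned `victim`."""
    to_victim = [p for p in packets if p.src == reported_src and p.dst == victim]
    syns = [p for p in to_victim if p.flags == "S"]
    # Key of each SYN-ACK the victim sent back: (client ip, client port, server port).
    synacks = {(p.dst, p.dport, p.sport) for p in packets
               if p.src == victim and p.dst == reported_src and p.flags == "S."}
    # Third handshake step: only a host that really received the SYN-ACK can send it.
    completed = [p for p in to_victim
                 if p.flags == "." and (p.src, p.sport, p.dport) in synacks]
    # RSTs answering a SYN-ACK are inconclusive: a half-open scanner sends them
    # deliberately, and a host whose address was spoofed sends them because the
    # SYN-ACK arrived for a connection it never opened.
    rsts = [p for p in to_victim
            if p.flags.startswith("R") and (p.src, p.sport, p.dport) in synacks]
    if completed:
        verdict = "attributable"
    elif syns:
        verdict = "unverifiable"
    else:
        verdict = "no-evidence"
    return {
        "verdict": verdict,
        "syns": len(syns),
        "ports_probed": len({p.dport for p in syns}),
        "completed": len(completed),
        "rsts": len(rsts),
    }


# Constructed capture 1: spoofed SYNs carrying the relay's address. The victim
# answers on its open ports, and the real relay, seeing SYN-ACKs for connections
# it never opened, resets them. No handshake ever completes.
SPOOFED_CAPTURE = """\
IP 203.0.113.10.40001 > 198.51.100.7.22: Flags [S]
IP 203.0.113.10.40002 > 198.51.100.7.80: Flags [S]
IP 203.0.113.10.40003 > 198.51.100.7.443: Flags [S]
IP 203.0.113.10.40004 > 198.51.100.7.445: Flags [S]
IP 203.0.113.10.40005 > 198.51.100.7.3389: Flags [S]
IP 198.51.100.7.22 > 203.0.113.10.40001: Flags [S.]
IP 198.51.100.7.80 > 203.0.113.10.40002: Flags [S.]
IP 198.51.100.7.443 > 203.0.113.10.40003: Flags [S.]
IP 203.0.113.10.40001 > 198.51.100.7.22: Flags [R]
IP 203.0.113.10.40002 > 198.51.100.7.80: Flags [R]
IP 203.0.113.10.40003 > 198.51.100.7.443: Flags [R]
"""

# Constructed capture 2: a genuine full-connect scan. The scanner ACKs each
# SYN-ACK, which it can only do from the address it really holds.
CONNECT_SCAN_CAPTURE = """\
IP 192.0.2.44.51001 > 198.51.100.7.22: Flags [S]
IP 198.51.100.7.22 > 192.0.2.44.51001: Flags [S.]
IP 192.0.2.44.51001 > 198.51.100.7.22: Flags [.]
IP 192.0.2.44.51002 > 198.51.100.7.80: Flags [S]
IP 198.51.100.7.80 > 192.0.2.44.51002: Flags [S.]
IP 192.0.2.44.51002 > 198.51.100.7.80: Flags [.]
IP 192.0.2.44.51003 > 198.51.100.7.443: Flags [S]
IP 198.51.100.7.443 > 192.0.2.44.51003: Flags [S.]
IP 192.0.2.44.51003 > 198.51.100.7.443: Flags [.]
"""

if __name__ == "__main__":
    for label, capture, src in (("relay (spoofed)", SPOOFED_CAPTURE, RELAY),
                                ("connect scan", CONNECT_SCAN_CAPTURE, SCANNER)):
        print(label, triage(parse_tcpdump(capture), src, VICTIM))
```

The point of the verdict logic is that the SYN count, the number of ports probed and even the RSTs look identical whether the relay sent the packets or an attacker forged its address; the only evidence that ties traffic to an address is the third step of the handshake or data sent on an established connection. An abuse desk that blocks an address on SYN-only evidence is acting on exactly the kind of report this attack was designed to generate, which is why the relay-side check (does the relay's own connection state show any session to the complainant?) and the Tor Project's reply template matter.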