Tor Network Targeted by IP Spoofing Attack: Relays Falsely Accused of Port Scanning
In late October, Tor administrators, relay operators, and even the Tor Project team began receiving complaints alleging port scanning activity originating from their servers. As later investigation revealed, attackers had been sending traffic with spoofed source IP addresses that impersonated Tor nodes, so that automated abuse reports of suspicious traffic were raised against the wrong hosts.
The investigation concluded that these complaints stemmed from a coordinated IP spoofing attack. The attackers forged IP addresses of non-exit relays and other nodes within the Tor network, resulting in automated complaints directed at relay operators. Experts were able to trace the source of these counterfeit packets, resolving the issue by November 7.
It is crucial to note that this incident did not impact Tor users. The attack affected only a small number of relays, temporarily taking them offline. However, relay operators faced a surge in complaints and additional burdens in handling provider inquiries. Although this attack targeted the Tor community, similar IP spoofing tactics could disrupt any online service.
The Tor Project now faces the task of supporting relay operators by restoring their accounts and assisting providers in unblocking the IP addresses of Tor directory nodes. Operators whose relays remain blocked are advised to use the OONI Probe and Circumvention test tools to verify the availability of directory nodes. Should access issues persist, they are encouraged to contact their hosting provider’s support.
Affected operators may also send their providers a template letter clarifying that their relays were victims of an attack and not the source of suspicious traffic.
The directory nodes of the Tor network are critical infrastructure: they maintain the list of available relays, and this attack aimed to destabilize the entire network through them. The attackers used forged SYN packets to create the illusion that Tor relay IP addresses were the source of scanning activity, leading to false complaints that resulted in IP blocks at major data centers such as OVH and Hetzner.
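One defender-side check that follows from the forged-SYN mechanism described above, as an added example that is not part of the article or of any Tor Project tooling: a host whose address is forged on SYN packets receives unsolicited SYN-ACK replies (backscatter) from the hosts that were "scanned", while it never sent a SYN to them. The script below processes constructed packet records (addresses from documentation ranges; RELAY_IP is an assumed value) and flags inbound SYN-ACKs that no recent outbound SYN from the relay explains.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    direction: str   # "in" or "out", relative to the relay host
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "R" (RST)


RELAY_IP = "203.0.113.10"  # assumed relay address (documentation range)


def find_backscatter(packets, window=30.0):
    """Return inbound SYN-ACKs that no outbound SYN from this host to the same
    remote host:port explains within `window` seconds. A legitimate SYN-ACK
    answers our own SYN; an unsolicited one means a third party sent a SYN
    with our address forged as the source."""
    recent_syns = {}  # (remote_ip, remote_port) -> time of our last SYN
    suspects = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "out" and p.flags == "S":
            recent_syns[(p.dst, p.dport)] = p.ts
        elif p.direction == "in" and p.flags == "SA":
            sent = recent_syns.get((p.src, p.sport))
            if sent is None or p.ts - sent > window:
                suspects.append(p)
    return suspects


def spoof_victims(packets, window=30.0):
    """Count unsolicited SYN-ACKs per remote host: these are the hosts that were
    'scanned' with our forged address and will likely file abuse complaints."""
    counts = defaultdict(int)
    for p in find_backscatter(packets, window):
        counts[p.src] += 1
    return dict(counts)


# Constructed sample traffic, not real capture data.
SAMPLE = [
    Pkt(1.0, "out", RELAY_IP, 40000, "198.51.100.5", 443, "S"),
    Pkt(1.1, "in", "198.51.100.5", 443, RELAY_IP, 40000, "SA"),  # legitimate reply
    Pkt(5.0, "in", "192.0.2.7", 22, RELAY_IP, 51234, "SA"),      # unsolicited
    Pkt(5.2, "in", "192.0.2.7", 3389, RELAY_IP, 51235, "SA"),    # unsolicited
    Pkt(6.0, "in", "192.0.2.9", 22, RELAY_IP, 51236, "SA"),      # unsolicited
]

if __name__ == "__main__":
    for ip, n in spoof_victims(SAMPLE).items():
        print(f"{ip}: {n} unsolicited SYN-ACKs (our address is being forged)")
```

A run of such backscatter from many remote hosts, with no matching outbound SYNs, is the evidence a relay operator can attach to the template letter when explaining to a provider that the relay was impersonated rather than scanning.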
This attack resonated widely among cybersecurity experts. Particularly valuable was the analysis provided by Pierre Bourdon, who meticulously dissected the attack mechanism and shared his findings with the community, offering profound insights into the nature of the incident.