Tor Network Under Attack: False Abuse Reports Flood Node Operators
In recent days, Tor node operators have been inundated with abuse notifications. These alerts concern failed SSH login attempts, allegedly originating from their nodes, indicating brute-force attack activity.
Typically, Tor nodes merely relay traffic between the originating and destination nodes within the Tor network and should not initiate SSH connections to public internet hosts, much less engage in brute-force attacks. Indeed, an analysis by a researcher using the pseudonym “delroth” confirmed that most of the accused Tor nodes had generated no SSH traffic at all.
It was discovered that malicious actors are spoofing the IP addresses of Tor nodes to conduct large-scale brute-force attacks on honeypots and intrusion detection networks, which automatically issue complaints about suspicious activity. This has resulted in false abuse notifications targeting Tor nodes.
Consequently, hosts that appear to be the source of multiple failed login attempts are blacklisted, flooded with violation notifications, and their IP addresses acquire a “bad reputation.” This often leads to providers disabling such hosts, sometimes without the possibility of appeal.
The attacks aim to undermine the Tor network’s infrastructure by overwhelming it with abuse complaints. Currently, the malicious activity remains moderate, and the perpetrators’ identities are still unknown.
In response, Tor node operators are being urged to file appeals and deploy additional nodes to replace those lost, while providers are asked to scrutinize complaints more carefully to prevent wrongful blocks.
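A provider or operator triaging such a complaint can check whether the evidence actually proves that the reported address sent anything: a spoofed source address cannot complete a TCP handshake, so only a log line written after the handshake (an sshd authentication failure) attributes an attempt to the peer, while a lone SYN in a firewall log does not. The following is an added example and is not code from the original article or from delroth's analysis; it assumes constructed sshd and firewall log formats and a placeholder relay list standing in for the Tor Project's published relay data.

```python
import re
from ipaddress import ip_address
# Constructed placeholder for the Tor Project's published relay list.
KNOWN_TOR_RELAYS = {"198.51.100.7", "203.0.113.42"}

# sshd logs these only after the TCP handshake and banner exchange completed,
# so the peer address was genuinely reachable and can be attributed to it.
SSHD_AUTH = re.compile(r"(?:Failed password|Invalid user) .*? from (\S+) port \d+")
# A firewall log of a dropped SYN to port 22: a lone SYN's source address can
# be forged by anyone, so it proves nothing about who actually sent it.
FW_SYN = re.compile(r"SRC=(\S+) .*?DPT=22 .*?SYN")

def triage(evidence_lines):
    """Sort the addresses in a report's evidence by how strong that evidence is."""
    summary = {"attributable": set(), "unattributable": set(),
               "tor_relay": set(), "ignored": 0}
    for line in evidence_lines:
        if m := SSHD_AUTH.search(line):
            ip, bucket = m.group(1), "attributable"
        elif m := FW_SYN.search(line):
            ip, bucket = m.group(1), "unattributable"
        else:
            summary["ignored"] += 1  # no source-address claim on this line
            continue
        ip_address(ip)  # reject malformed addresses early
        summary[bucket].add(ip)
        if ip in KNOWN_TOR_RELAYS:
            summary["tor_relay"].add(ip)
    return summary

def verdict(summary):
    """Per-address recommendation; SYN-only evidence never justifies a block."""
    decisions = {}
    for ip in summary["attributable"] | summary["unattributable"]:
        if ip in summary["attributable"]:
            decisions[ip] = "completed handshake: attributable, investigate the host"
        elif ip in summary["tor_relay"]:
            decisions[ip] = "SYN-only from a relay: consistent with spoofing, do not block"
        else:
            decisions[ip] = "SYN-only: source unverified, do not block on this alone"
    return decisions

# Constructed sample evidence as it might be pasted into an abuse complaint.
SAMPLE_REPORT = [
    "Jan 12 03:14:07 honeypot sshd[2211]: Failed password for root from 192.0.2.9 port 51022 ssh2",
    "Jan 12 03:14:09 honeypot kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40123 DPT=22 SYN",
    "Jan 12 03:14:09 honeypot kernel: IN=eth0 SRC=203.0.113.42 DST=192.0.2.1 PROTO=TCP SPT=40124 DPT=22 SYN",
    "Jan 12 03:14:10 honeypot kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.1 PROTO=TCP SPT=40125 DPT=22 SYN",
    "Jan 12 03:14:11 honeypot sshd[2211]: Connection closed by 192.0.2.9 port 51022",
]
```

An "attributable" result still only means the host really connected, which a compromised machine or a genuine Tor exit can do, so it calls for investigation rather than an automatic block.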