Tor Project Reports on Coordinated Attack Against Tor Network

Tor Project Experts Reveal Details of Attack on Tor Network

In November 2024, the Tor Project team disclosed details about a coordinated attack targeting the Tor network. Last month, Tor relay operators and project system administrators began receiving complaints from their internet service providers about large-scale port scanning activity. Upon investigation, it was discovered that these complaints were linked to a coordinated attack involving IP address spoofing. Attackers were impersonating other IP addresses associated with Tor to make it appear as though the Tor network was responsible for widespread port scans.

Investigation and Resolution

Starting in late October, Tor Project specialists, together with experts from InterSecLab and GreyNoise, launched an investigation into the incident. On November 7, 2024, the source of the attack was identified, and the issue has since been resolved.

According to the Tor Project’s blog, the attack aimed to disrupt the operation of both the Tor Project and the Tor network. The attackers used spoofed SYN packets to make it look like Tor relay IP addresses were the source of mass port scanning. This activity triggered numerous automated abuse complaints, and it is believed that the attackers’ goal was to disrupt the Tor network and the Tor Project by getting their IP addresses added to blocklists.
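An added example, not from the Tor Project or the original article: a triage step that automated abuse reporting could apply, since a bare SYN does not prove its source address while a completed three-way handshake does. The log format, function name, verdict labels and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sensor log, one packet per line: "<dir> <peer> <port> <flags>".
# dir is "in" (received) or "out" (sent by the sensor); flags: S, SA, A, R.
# Addresses are RFC 5737 documentation ranges, not data from the incident.
SAMPLE_LOG = """\
in 192.0.2.10 22 S
in 192.0.2.10 23 S
in 192.0.2.10 80 S
in 192.0.2.10 443 S
out 192.0.2.10 80 SA
in 192.0.2.10 80 R
in 203.0.113.7 22 S
in 203.0.113.7 80 S
in 203.0.113.7 443 S
out 203.0.113.7 80 SA
in 203.0.113.7 80 A
in 198.51.100.9 443 S
"""

def triage(log_text, min_ports=3):
    """Classify each peer by whether its source address is proven."""
    syn_ports = defaultdict(set)   # peer -> ports that received a SYN
    awaiting_ack = set()           # (peer, port) pairs answered with SYN-ACK
    proven = set()                 # peers that completed a handshake
    for line in filter(str.strip, log_text.splitlines()):
        direction, peer, port, flags = line.split()
        key = (peer, int(port))
        if direction == "in" and flags == "S":
            syn_ports[peer].add(int(port))
        elif direction == "out" and flags == "SA":
            awaiting_ack.add(key)
        elif direction == "in" and flags == "A" and key in awaiting_ack:
            # Assumption: the sensor logs only ACKs its TCP stack accepted, so
            # the peer saw our SYN-ACK and therefore really holds the address.
            proven.add(peer)
    verdicts = {}
    for peer, ports in syn_ports.items():
        if peer in proven:
            verdicts[peer] = "attributable"
        elif len(ports) >= min_ports:
            verdicts[peer] = "scan-pattern-unverified-source"
        else:
            verdicts[peer] = "below-threshold"
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A verdict of "scan-pattern-unverified-source" does not mean the traffic was spoofed, only that nothing in the log ties the packets to the address they claim, so a complaint built on it should be reviewed before it is sent.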

Impact and Community Response

Pierre Bourdon, a Tor relay operator, provided a detailed explanation of how the attack was carried out. The Tor Project developers have assured users that the incident did not affect Tor users or their security.

“The attack had a limited impact on the Tor network, causing a temporary shutdown of several relays and resulting in additional stress and inconvenience for many relay operators who had to respond to the complaints. While this attack targeted our community, IP spoofing attacks can happen to any online service,” the Tor Project team wrote. “There is still much work to be done: we need to support relay operators in restoring their accounts and help providers unblock the IP addresses of Tor directory authority nodes.”

Lessons Learned and Warnings

The Tor Project noted that during the investigation and mitigation process, they encountered instances of unprofessional behavior, where a lack of investigation and carelessness only worsened the consequences of the attack. However, the developers also expressed gratitude to the many organizations and individuals who offered help and support.

It was also noted that most of the reports about the fake attacks originated from watchdogcyberdefense[.]com, and the Tor Project urges the cybersecurity community to treat such warnings with caution.
