Mysterious Traffic and False Blocks: Why Are Hackers Targeting Tor Nodes?
In recent days, Tor node operators have been receiving a surge of abuse notifications. These alerts report failed SSH login attempts, allegedly originating from their nodes, suggesting brute-force attacks. Normally, Tor nodes simply relay traffic between the entry and exit points of the Tor network; they should not initiate SSH connections to arbitrary hosts on the internet, let alone participate in brute-force attacks.
However, an analysis by a researcher known as “delroth” revealed that most Tor nodes were not actually generating any SSH traffic. It turned out that attackers were spoofing the IP addresses of Tor nodes while carrying out large-scale brute-force attacks on honeypots and networks with intrusion detection systems. These systems automatically send complaints about suspicious activity, resulting in false abuse notifications being sent to Tor node operators.
As a result, the nodes whose addresses appear as the source of numerous failed login attempts end up on blacklists, receive multiple violation notices, and their IP addresses develop a “bad reputation.” This often leads providers to disconnect these hosts, sometimes without any possibility of appeal.
The goal of these attacks is to undermine the Tor node infrastructure by overwhelming it with abuse complaints. So far, the malicious activity has been moderate, and the perpetrators remain unknown.
Currently, Tor node operators are being encouraged to file appeals and deploy additional nodes to replace those lost. Providers are also being asked to scrutinize complaints more carefully to avoid false blocks.
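The spoofing described above leaves a signature that a honeypot or IDS operator can check before sending a complaint: a forged source address never receives the SYN-ACK, so it cannot complete the TCP handshake, and without an established connection no SSH login can have been attempted from it. The following added example (not code from the article or from the researcher it cites) triages a constructed connection log of the kind such a system might export, separating sources that only produced half-open connections from sources that actually completed handshakes and failed authentication; the log format and the `SYN`/`EST` state labels are assumptions for this example.

```python
"""Triage SSH brute-force reports: a source that never completed a TCP
handshake cannot have attempted an SSH login, so half-open-only sources
are treated as likely spoofed rather than reported. Log format is
constructed for this example; real IDS/honeypot exports differ."""
from collections import defaultdict
import ipaddress

# Constructed sample events: "<src> <dst>:<port> <tcp_state> <auth_result>"
# tcp_state: SYN (handshake never completed) or EST (established)
# auth_result: '-' when no SSH authentication exchange took place
SAMPLE_EVENTS = """\
198.51.100.7 203.0.113.5:22 SYN -
198.51.100.7 203.0.113.5:22 SYN -
198.51.100.7 203.0.113.5:22 SYN -
192.0.2.44 203.0.113.5:22 EST FAIL
192.0.2.44 203.0.113.5:22 EST FAIL
192.0.2.44 203.0.113.5:22 EST FAIL
10.9.8.7 203.0.113.5:22 EST OK
"""

def parse_events(text):
    """Yield (src, dst, port, state, auth) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst_port, state, auth = parts
        dst, _, port = dst_port.rpartition(":")
        try:
            ipaddress.ip_address(src)   # reject garbage source fields
            yield src, dst, int(port), state, auth
        except ValueError:
            continue

def triage(text, min_failures=3):
    """Classify each source: 'likely_spoofed' (half-open connections only),
    'credible' (established sessions with >= min_failures auth failures),
    or 'benign' (everything else). Only port 22 events are considered."""
    stats = defaultdict(lambda: {"syn_only": 0, "established": 0, "fails": 0})
    for src, _dst, port, state, auth in parse_events(text):
        if port != 22:
            continue
        s = stats[src]
        if state == "EST":
            s["established"] += 1
            s["fails"] += auth == "FAIL"
        else:
            s["syn_only"] += 1
    verdicts = {}
    for src, s in stats.items():
        if s["established"] == 0 and s["syn_only"] > 0:
            verdicts[src] = "likely_spoofed"   # do not file an abuse report
        elif s["fails"] >= min_failures:
            verdicts[src] = "credible"         # a report is justified
        else:
            verdicts[src] = "benign"
    return verdicts
```

The same handshake test applies on the receiving side: a provider that gets a complaint naming a relay can ask whether the reporter saw an established session, not merely incoming SYNs, before treating the report as evidence.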