Security Flaw Shows Tor Anonymity Network Dominated by Botnet Command and Control Traffic

The Tor anonymity network is championed as a tool for freedom of speech and anonymity. But the reality is depressingly different, say Internet researchers who have analysed the network’s traffic using a security flaw.

The Tor network is an online service that allows users to surf the web anonymously. Its main benefit is to reduce the chances of network surveillance discovering a user’s location or web usage. For that reason it is championed as an important tool for promoting free speech and protecting personal privacy, especially for people under authoritarian regimes such as that in China.

However, Tor is also often criticised for carrying illegal, shady or controversial content such as pornography and “Silk Road” traffic for illegal goods. So an interesting question is: what kind of traffic prevails?

Today, we get an answer thanks to the work of Alex Biryukov, Ivan Pustogarov and Ralf-Philipp Weinmann at the University of Luxembourg. And the results are not as eye-sparklingly freedom-protecting as you might imagine.

These guys conclude that the Tor network is dominated by botnet traffic and that much of the rest is adult content and traffic related to black market and illegal goods.

First up, if Tor is so anonymous, how did these guys get their data? It turns out that until recently, the Tor protocol contained a flaw that allowed anybody in the know to track users back to their origin.

This flaw was actually discovered by Biryukov, Pustogarov and Weinmann earlier this year and immediately corrected by Tor. However, before the flaw became public, these guys took the opportunity to analyse Tor traffic to see where it came from and what it contained.

On 4 February, they collected some 39,000 unique addresses offering Tor content. They then estimated the popularity of each address and classified its content. In particular, they roughly divided the addresses into two groups: those providing illegal content or shady services and those providing other hidden services, such as sites devoted to freedom of speech and the anonymous search engine DuckDuckGo.

The results are eye-opening. Biryukov and co say the number of addresses devoted to legal and not-so-legal content is about equal. “Among Tor hidden services one can even find a chess server,” they say.

But a different picture emerges when it comes to the relative popularity of these services. Of the top twenty most popular Tor addresses, eleven are command and control centres for botnets, including all of the top five. Of the rest, five carry adult content, one is for Bitcoin mining and one is the Silk Road marketplace. Two could not be classified.

The FreedomHosting address is only the 27th most popular address while DuckDuckGo is the 157th most popular, according to this analysis.

“The most popular…addresses are command and control centers of botnets and resources serving adult content,” conclude Biryukov and co.

That’s a depressing picture but perhaps it’s the price humanity has to pay for freedom of speech.

Discuss—anonymously or not—in the comments section below.

Ref: arxiv.org/abs/1308.6768: Content And Popularity Analysis Of Tor Hidden Services
