Large botnet cause of recent Tor network overload

blog.fox-it.com

79 points by thursley 12 years ago · 16 comments

derefr 12 years ago

> Typically, it is fairly clear what the purpose of malware is, such as banking, clickfraud, ransomware or fake anti-virus malware. In this case however it is a bit more difficult.

I think the article answers its own question the paragraph previous:

> While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).

Tor and Kademlia are both rather complex systems. To use one or the other, but not both, in different versions of your botnet, would suggest to me that this is a botnet creator split-testing the effectiveness and scalability of different command-and-control technologies.

jruthers 12 years ago

I wonder if it is conceivable that a government agency that wouldn't like what Tor offers could reduce Tor's attractiveness by bombing it from a botnet, much like what they've done by arresting people who host a Tor node for traffic that runs across it.

With that said, I accept that this is a much less likely explanation than just some Russian group just using it to facilitate their usual crime.

  • brazzy 12 years ago

    So far the new users are showing little activity (according to the article), so that seems unlikely.

    • fiatpandas 12 years ago

      I don't think the little activity disproves that theory beyond a reasonable doubt. If it really was a govt agency wanting to flood the network, they may be waiting for a particular event to initiate the flood.

      • marshray 12 years ago

        Anyone with a botnet this large effectively has a kill switch on Tor.

        If this botnet actually relies upon Tor for its primary means of C&C, and the botherders are in fact motivated by ordinary financial crime, then it would seem to be the largest botnet that would be least likely to try to shut down Tor.

        The most dangerous scenario for Tor is if this botnet continues to grow exponentially, its operators command it to go into an uncontrolled DDoS mode, or some other glitch in its software causes Tor to fall over. The C&C hidden service would become unreachable, the operators could lose control of their botnet, and it could end up essentially stuck in a perma-DoS mode upon itself and Tor.

      • eli 12 years ago

        As is the nature of conspiracy theories, it is impossible to definitively disprove.

        • mavhc 12 years ago

          When you eliminate the falsifiable, whatever remains, however improbable, must be a conspiracy theory

      • brazzy 12 years ago

        If they wanted to flood the network at a particular time, why would they in advance create low-volume traffic that reveals the existence of the botnet?

    • maxk42 12 years ago

      Unless this is an attack on the anonymity of Tor rather than the speed.

chmike 12 years ago

Could the anonymity of Tor users be compromised by these presumed bots? As for Bitcoin, which could be subverted if one user holds more than 50% of the bitcoins.

  • InXorWeTrust 12 years ago

    Most likely not. If the bots were to suddenly turn into nodes, then there is a good chance that a large percentage of users could have their anonymity compromised.

    Tor anonymity relies on the fact it is difficult to tie in where you entered the system, and where you exited the system. If someone were to control a large amount of nodes, they could (in theory) tie a large amount of identities together. But this requires a large amount of entry and exit nodes.

  • gwern 12 years ago

    > As for Bitcoin, which could be subverted if one user holds more than 50% of the bitcoins.

    You're thinking of the 50% attack where you have half the hashing power, not half the bitcoins.

  • gizmo686 12 years ago

    I don't think so. It looks like these bots are connecting as users, not nodes. It might be possible to use these bots to increase/control the load on Tor which may be able to facilitate an attack based on controlling a significant amount of nodes.

  • 001sky 12 years ago

    Is there any commercial logic to hacking tor, though?

    • dylz 12 years ago

      They are connecting as users -- it's more than likely that the only thing that is to be gained is a fully anonymous non-takedownable C&C
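
Putting numbers on the point InXorWeTrust and gizmo686 make above (bots connecting as clients do not touch anonymity; relays only matter in proportion to the guard and exit bandwidth they control), here is an added example that is not part of the thread: a small Python model of bandwidth-weighted guard/exit selection. The relay counts and bandwidths are constructed, and the path-selection model is simplified (no consensus weights, no guard pinning, middle relays ignored).

```python
import random

def make_network(honest_guards, honest_exits, honest_bw, adv_relays, adv_bw):
    """Constructed relay set: honest relays are single-purpose (guard or exit);
    the adversary's relays advertise both flags, as a sybil operator would."""
    relays = [{"flags": {"guard"}, "bw": honest_bw, "adversary": False} for _ in range(honest_guards)]
    relays += [{"flags": {"exit"}, "bw": honest_bw, "adversary": False} for _ in range(honest_exits)]
    relays += [{"flags": {"guard", "exit"}, "bw": adv_bw, "adversary": True} for _ in range(adv_relays)]
    return relays

def analytic_fraction(relays):
    """P(adversary sees both ends of a circuit)
       = (adversary guard bw / total guard bw) * (adversary exit bw / total exit bw).
    Ignores the rule that guard and exit must differ, which is negligible when
    no single relay dominates. Bots that stay clients contribute no bandwidth: 0."""
    def share(flag):
        total = sum(r["bw"] for r in relays if flag in r["flags"])
        adv = sum(r["bw"] for r in relays if flag in r["flags"] and r["adversary"])
        return adv / total if total else 0.0
    return share("guard") * share("exit")

def simulate_fraction(relays, trials=10000, seed=7):
    """Monte Carlo over circuits: bandwidth-weighted guard, then a
    bandwidth-weighted exit that is not the guard. Real Tor pins a guard per
    client for months, so per-client risk is all-or-nothing on the guard pick;
    this per-circuit view is the long-run average across clients."""
    rng = random.Random(seed)
    guards = [r for r in relays if "guard" in r["flags"]]
    exits = [r for r in relays if "exit" in r["flags"]]
    if not guards or not exits:
        return 0.0
    hits = 0
    for _ in range(trials):
        g = rng.choices(guards, weights=[r["bw"] for r in guards])[0]
        pool = [r for r in exits if r is not g]
        if not pool:
            continue
        e = rng.choices(pool, weights=[r["bw"] for r in pool])[0]
        if g["adversary"] and e["adversary"]:
            hits += 1
    return hits / trials

def scenarios():
    """Three constructed cases: bots stay clients; bots become many
    low-bandwidth relays; the same number of relays with real bandwidth."""
    return {
        "clients_only": analytic_fraction(make_network(50, 25, 100, 0, 0)),
        "many_tiny_relays": analytic_fraction(make_network(50, 25, 100, 500, 1)),
        "many_fast_relays": analytic_fraction(make_network(50, 25, 100, 500, 100)),
    }

if __name__ == "__main__":
    for name, p in scenarios().items():
        print(f"{name}: {p:.3f} of circuits have the adversary at both ends")
    print("simulated (tiny relays):", simulate_fraction(make_network(50, 25, 100, 500, 1)))
```

Relay count alone buys almost nothing in this model; what moves the number is the fraction of guard and exit bandwidth, which is why a client-only botnet is a load problem for Tor rather than an anonymity problem.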
