In late October 2024, the Tor network, known for its commitment to privacy and anonymity, fell victim to a coordinated IP spoofing attack targeting its non-exit relays. The attack, which led to an uptick in abuse complaints from hosting providers, involved attackers crafting spoofed IP packets that appeared to originate from legitimate Tor relays. This false identification resulted in several automated abuse reports, which accused Tor relays of engaging in unauthorized port scanning activity. The aim of the attack seemed to be to disrupt the network by causing key Tor-related IP addresses to be blacklisted by major hosting providers, such as OVH and Hetzner, effectively cutting off access to these relays. While the attack resulted in temporary disruptions, it had little lasting impact on the privacy or security of Tor users.
Upon detecting the attack, Tor directory authorities, relay operators, and the Tor Project sysadmin team mobilized quickly to address the issue. The coordinated response was crucial in managing the complaints and preventing further escalation. As part of the immediate response, affected relays were taken offline to mitigate any further damage, and relay operators worked closely with hosting providers to explain the situation and prevent the blocking of legitimate services. Despite the widespread disruptions, the Tor network’s core mission remained unimpeded, as its encryption protocols and the privacy of users were never compromised during the attack. Although certain relays were suspended, the vast majority of Tor users remained unaware of the issue, continuing to access the network securely.
The attack served to highlight the vulnerability of the Tor network to such spoofing tactics, underscoring the ongoing challenges that large decentralized networks face in safeguarding their infrastructure from malicious actors. Despite the setbacks caused by the false abuse reports, the Tor community’s resilience was evident in the swift restoration of services. Not only did operators take necessary steps to resolve the situation, but they also engaged in open collaboration with security experts like InterSecLab and GreyNoise. Their efforts enabled the identification of the origin of the spoofed IP packets, which was key to neutralizing the threat. The Tor Project issued guidelines for affected relay operators, encouraging them to use tools like OONI Probe’s “Circumvention” test to monitor network reachability and clarify the situation with hosting providers.
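The mechanism described above (forged source addresses that make a third party's abuse automation blame a relay for traffic it never sent) leaves the relay operator with one concrete way to clarify the situation with a hosting provider: show that the relay's own connection records contain no trace of the reported connections. The following is an added example, not code from the article, the Tor Project or any of the parties named; the abuse-report and connection-log line formats, the relay address 203.0.113.10 and all log lines are constructed for illustration. It cross-checks each reported event against the relay host's outbound connection log within a short time window and labels reports that have no local counterpart as uncorroborated, which is what a spoofed-source report looks like from the relay's side.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed abuse-report lines, in the shape a provider's automated
# system might forward them (format is an assumption for this example):
#   "<utc timestamp> src=<ip> dst=<ip> dport=<port> event=<type>"
ABUSE_REPORTS = """\
2024-10-28T14:02:11Z src=203.0.113.10 dst=198.51.100.7 dport=22 event=portscan
2024-10-28T14:02:12Z src=203.0.113.10 dst=198.51.100.8 dport=22 event=portscan
2024-10-28T14:05:40Z src=203.0.113.10 dst=192.0.2.44 dport=9001 event=connect
"""

# Constructed outbound-connection log taken on the relay host itself
# (e.g. exported from conntrack); the format is an assumption.
RELAY_OUTBOUND = """\
2024-10-28T14:05:39Z proto=tcp src=203.0.113.10 dst=192.0.2.44 dport=9001 state=ESTABLISHED
2024-10-28T14:06:02Z proto=tcp src=203.0.113.10 dst=192.0.2.51 dport=443 state=ESTABLISHED
"""

RELAY_IP = ip_address("203.0.113.10")  # the relay's own address (constructed)
WINDOW = timedelta(seconds=30)         # clock skew tolerance between the two logs


def parse_kv_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_kv_line(line) for line in text.splitlines() if line.strip()]


def corroborate(reports, outbound, relay_ip=RELAY_IP, window=WINDOW):
    """For every report naming relay_ip as the source, look for an outbound
    connection from the relay to the same dst:dport within `window`.
    A report with no matching local connection is consistent with a spoofed
    source address: the relay never originated the packet the reporter saw."""
    results = []
    for r in reports:
        if ip_address(r["src"]) != relay_ip:
            results.append((r, "not-about-this-relay"))
            continue
        match = any(
            c["dst"] == r["dst"]
            and c["dport"] == r["dport"]
            and abs(c["ts"] - r["ts"]) <= window
            for c in outbound
        )
        results.append((r, "corroborated" if match else "uncorroborated"))
    return results


def summarize(results):
    """Counts the operator can quote back to the provider."""
    return {
        "corroborated": sum(1 for _, v in results if v == "corroborated"),
        "uncorroborated": sum(1 for _, v in results if v == "uncorroborated"),
    }


if __name__ == "__main__":
    res = corroborate(parse_log(ABUSE_REPORTS), parse_log(RELAY_OUTBOUND))
    for rec, verdict in res:
        print(rec["ts"].isoformat(), rec["dst"], rec["dport"], rec["event"], "->", verdict)
    print(summarize(res))
```

On the constructed data the two port-22 "portscan" reports have no matching outbound connection and come out uncorroborated, while the connection to 192.0.2.44:9001 (an ORPort-style destination) is corroborated. The check is only as trustworthy as the relay-side log, so it should be collected on the relay host itself rather than reconstructed from the provider's view; and since a non-exit relay originates connections only to other relays, a cluster of uncorroborated reports against arbitrary hosts and ports is the evidence an operator wants when asking a provider to lift a block.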
As the attack was gradually brought under control by November 7, 2024, the Tor Project expressed its gratitude to the community for its quick and effective response. The event also highlighted the critical importance of collaboration between relay operators, security professionals, and hosting providers to mitigate future attacks. Security expert Andrew Morris and Pierre Bourdon, a key relay operator, played an instrumental role in analyzing the attack’s nature and impact, contributing valuable insights that helped protect the network from future threats.