Since at least 2017, at the entry, middle and exit levels of the Door Network, the unknown, well-resourced and openly pro-government attacker has been running thousands of malicious servers. An IT security analyst by the nickname Nusenu is a member of the community, which considers large-scale service users to be an attempt to remove the name.
900 Server Mid 155 Gbitz / V
The intimidating actor, named Nusenu KAX17, runs over 900 servers on the Tor network with a maximum bandwidth of 155 GBit / s. This is a good ten percent of the total, which is usually one The daily total is 9,000 to 10,000 nodes.
Some of these servers assigned to KAX17 act as watchpoints (watchdogs), others as intermediate relays and others as starting points. As exit nodes, the latter represents the last stage of the ambiguous path that maintains the connection between the door and other parts of the Internet.
The function of nodes is to encrypt and anonymize users’ data traffic collectively. This creates a large network of proxy servers that send links to each other while protecting users’ privacy.
A server without contact details will be accepted in case of emergency
Servers included in the Door network must actually contain basic contact information. It aims to contact service operators and law enforcement officers in the event of a malfunction or reporting malpractice operator. The saved email address is sufficient for this.
However, compliance with this rule is not strictly monitored. Door operators blindly accept servers without contact details, especially when there are not enough nodes on the network to cover user data traffic.
Hundreds of knots in no time
According to someone, Nussenu got it from him this week The published article identifies a form of some of these door relays without email addresses. The expert first noticed this in 2019. He has now discovered this event in 2017. KAX17 continues to add a large number of new servers to the network without contact information. At any given moment, the attacker had hundreds of nodes in operation.
Mysterious servers are usually located in data centers around the world. The KAX17 relies not only on cheap hosts, but also on the Microsoft cloud. Devices are mainly configured as entry and center points, but also have a limited number of exit nodes.
Unleash Door Users
This is unusual because most related attackers focus on acting from the point of view. Among other things, it allows them to change the user’s data traffic. The broad focus of KAX17, according to Nucenu, is to gather information about “stubborn” group Tor members and try to register their routes within the network. In view of the extensive resources and effort used, they are by no means amateurs.
Nucenu estimates that there is a 16 percent chance that a Tor user will connect to the network through one of the KAX17 servers. The chance of going through one of the medium relays is even 35 percent. At 5 percent, Dora is unlikely to be caught by the group when he leaves.
Neil Grovets, an anonymous researcher who specializes in anonymous technologies, explained to the online journal that the high probability of communications entering and exiting the network can certainly be used to identify hidden services operated via Tor. Record. This approach “can also be used to expose users”. The possibility of parallel tracking of public online services and tracking of user tracks in this way has a promising effect.
KAX17 has made mistakes
Last year, Nuchenu had already shown that Dora could penetrate relatively easily. Accordingly, the hacker group BTCMITM20 operated large-scale exit nodes. At peak times, the probability of getting on such a server while browsing Tor was up to 27 percent. Fraudsters wanted to divert Bitcoin transactions to their own accounts using Dora. The nodes were exposed due to the use of unusually high bandwidth and the handling of data traffic.
In view of the different profiles of the attacks, Nusenu did not believe the connection between KAX17 and BTCMITM20. He also did not see it as a scientific project. Although the KAX17 was a powerful player, at least in the beginning, it already made a mistake in functional security (OpSec): he initially provided email addresses on some of his servers.
This email address later appeared in one Door Project Mail List Should servers that do not have such contact details be precautionarily removed, especially during discussions. Significantly, the participant in question spoke out against such a practice.
A rabbit and hedgehog breed – with the NSA?
According to its own information, Nusenu reports KAX17 servers to the Tor program since last year. The security team there removed all of the group’s exit points in October 2020. However, after a while, some of these servers went back online without contact information. Behind it may be KAX17. The rabbit and hedgehog breed is developing between the two sides.
A spokesman for the Dor project confirmed Record Nuchenu’s new knowledge. He explained that several hundred nodes responsible for the KAX17 were removed in October and November this year. The attacker is still being investigated, so no reason can be given. There are no definite clues as to who will be behind this. Edward Snowden’s revelations have previously suggested that at least the US intelligence agency NSA should have the appropriate capabilities.
Although Nusenu has so far been against it, the expert considers it prudent and sometimes necessary to exclude unreliable nodes in the Tor network from certain data movements. This is the only way to reduce the risk of name deletion and other attacks. This requires Tor customers to pre-set the use of “trusted operators” or to know about them through “trusted announcers”. More than 50 percent of the exit nodes are already heading towards such a “defensive” mode.
(BME)
“Avid writer. Subtly charming alcohol fanatic. Total twitter junkie. Coffee enthusiast. Proud gamer. Web aficionado. Music advocate. Zombie lover. Reader.”
More Stories
What Does the Future of Gaming Look Like?
Throne and Liberty – First Impression Overview
Ethereum Use Cases