A red line has been drawn through a cartoon megaphone.

The Tor anonymity service and anticensorship tool has come under fire from two threats in recent weeks: The Russian government has blocked most Tor nodes in that country, and hundreds of malicious servers have been relaying traffic.

Russia’s Federal Service for Supervision of Communications, Information Technology, and Mass Media, known as Roskomnadzor, began blocking Tor in the country on Tuesday. The move left Tor users in Russia—said by Tor Project leaders to number about 300,000, or about or 15 percent of Tor users—scrambling to find ways to view sites already blocked and to shield their browsing habits from government investigators.

“Illegal content”

Tor Project managers on early Tuesday said some ISPs in Russia began blocking Tor nodes on December 1 and that Roskomnadzor had threatened to block the main Tor site. A few hours later, the Russian government body made good on those threats.

“The grounds were the spreading of information on the site ensuring the work of services that provide access to illegal content,” Roskomnadzor told the AFP news service on Wednesday in explaining the decision. “Today, access to the resource has been restricted.” The censorship body has previously blocked access to many VPNs that had operated in the country.

Tor managers have responded by creating a mirror site that is still reachable in Russia. The managers are also calling on volunteers to create Tor bridges, which are private nodes that allow people to circumvent censorship. The bridges use a transport system known as obfs4, which disguises traffic so it doesn’t appear related to Tor. As of last month, there were about 900 such bridges.

Many default bridges inside Russia are no longer working, Tor said. “We are calling on everyone to spin up a Tor bridge!” project leaders wrote. “If you’ve ever considered running a bridge, now is an excellent time to get started, as your help is urgently needed.”

Sybil attack

Meanwhile, on Tuesday, security news site The Record reported on findings from a security researcher and Tor node operator that a single, anonymous entity had been running huge numbers of malicious Tor relays. At their peak, the relays reached 900. That can be as much as 10 percent of all nodes.

Tor anonymity works by routing traffic through three separate nodes. The first knows the user’s IP address, and the third knows where the traffic is destined. The middle works as a sort of trusted intermediary so that nodes one and three have no knowledge of each other. Running huge numbers of servers has the potential to break those anonymity guarantees, said Matt Green, an encryption and privacy expert at Johns Hopkins University.

“As long as those three nodes aren’t working together and sharing information, Tor can function normally,” he said. “This breaks down when you have one person pretending to be a bunch of nodes. All [the attackers] have to be is in the first hop or the third hop.” He said that when a single entity operates the first and third nodes, it’s easy to infer the information that is supposed to be obfuscated using the middle node.

Such techniques are often known as Sybil attacks, named after the titular character of a 1970 TV mini-series who suffered from dissociative identity disorder and had 16 distinct personalities. Sybil attacks are an impersonation technique that involves a single entity masquerading as a set of nodes by claiming false identities or generating new identities.

Citing a researcher known as Nusenu, The Record said that at one point, there was a 16 percent chance that a user would enter the Tor network through one of the malicious servers. Meanwhile, there was also a 35 percent chance of passing through one of the malicious middle servers and a 5 percent chance of exiting through one of the servers.

“A very governmenty thing to do”

Nusenu said the malicious relays date back to 2017, and over the years, the person responsible has regularly added large numbers of them. Typically, the unknown person has operated up to hundreds of servers at any given time. The servers are usually hosted in data centers located all over the world and are mostly configured as entry and middle points.

Tor Project leaders told The Record that Tor removed the nodes as soon as it learned of them.

The researcher said that a variety of factors suggests that the nodes are the work of a well-resourced attacker backed by a nation-state. Green agreed and said the most likely culprit would be China or Russia.

“It sounds like a very governmenty thing to do,” Green said. China and Russia “would have no qualms about actively screwing with Tor.”

Tor users can do several things to minimize the damage resulting from rogue nodes. The first is to use TLS-based encryption for the sending of mail and browsing of websites. Browsing anonymous sites that are within Tor hidden services network (aka the Dark Web)—as opposed to using Tor to connect to regular Internet sites and servers—isn’t affected by the threat. Unfortunately, this is frequently not an option for people who want to reach sites that have been blocked through censorship.