Botnet likely caused spike in number of Tor clients

So far, the network is still working, but measures need to be taken for the future, Tor said

By , IDG News Service | Security

Fox-IT researchers said the name of the botnet could be "Mevade.A." But they also found old references that suggest the name is "Sefnit," which dates back to at least 2009 and also included Tor connectivity, they said in a blog post.

"We have found various references that the malware is internally known as SBC to its operators," they wrote, adding that they assume that it originates from a Russian-speaking area, and is likely to be financial-crime related. The researchers did not specify where they found the references.

Tor also thinks it is plausible that the botnet is running its C&C point as a hidden service, according to Dingledine.

While the Tor network is still working for now, the botnet could cause trouble, according to Tor.

The biggest problems are not caused by the amount of traffic added to the network, but rather by new circuits that are being made, Dingledine wrote.

"Tor clients build circuits preemptively, and millions of Tor clients means millions of circuits. Each circuit requires the relays to do expensive public key operations, and many of our relays are now maxed out on CPU load," Dingledine wrote.

This sets up a potentially dangerous cycle. "When a client tries to build a circuit but it fails, it tries again. So if relays are so overwhelmed that they each drop half the requests they get, then more than half the attempted circuits will fail (since all the relays on the circuit have to succeed), generating even more circuit requests," Dingledine wrote.
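The feedback loop Dingledine describes can be put in numbers. The following is an added illustration, not code from the Tor Project or from the article; it assumes Tor's default three-hop circuits, that overloaded relays drop create requests uniformly, and that every failed build is retried in the next round, with constructed client and capacity figures.

```python
# Added model of the circuit-build retry loop; not Tor Project code.
# Assumes three-hop circuits, uniform dropping by overloaded relays, and
# one retry per failed build per round. The numbers in main() are constructed.

CIRCUIT_HOPS = 3  # Tor's default circuit length


def circuit_success_prob(relay_drop_rate, hops=CIRCUIT_HOPS):
    """Probability that a circuit build succeeds.

    Every relay on the path must accept its create request, so failures
    compound: with each relay dropping half its requests, only
    (1/2)**3 = 12.5% of three-hop circuits complete.
    """
    return (1.0 - relay_drop_rate) ** hops


def simulate_rounds(clients, relay_capacity, rounds, hops=CIRCUIT_HOPS):
    """Run the retry loop for `rounds` rounds and return per-round stats.

    `clients` fresh builds arrive each round on top of the builds that failed
    in the previous round. Each pending build costs one create request (one
    public-key operation) per hop; the relays together can serve
    `relay_capacity` requests per round and drop the excess uniformly.
    """
    pending = float(clients)
    history = []
    for _ in range(rounds):
        requests = pending * hops
        # Fraction of create requests the overloaded relays cannot serve.
        drop_rate = max(0.0, 1.0 - relay_capacity / requests) if requests else 0.0
        success = circuit_success_prob(drop_rate, hops)
        built = pending * success
        history.append({
            "pending": pending,                    # builds attempted this round
            "relay_drop_rate": drop_rate,
            "circuit_failure_rate": 1.0 - success,  # always >= relay_drop_rate
            "built": built,                        # circuits that completed
        })
        # Failed builds are retried next round, on top of fresh demand.
        pending = clients + (pending - built)
    return history


if __name__ == "__main__":
    for i, r in enumerate(simulate_rounds(clients=1000, relay_capacity=2000, rounds=5)):
        print(f"round {i}: attempts={r['pending']:.0f} relay_drop={r['relay_drop_rate']:.2f} "
              f"circuit_fail={r['circuit_failure_rate']:.2f} built={r['built']:.0f}")
```

With capacity below demand, the attempted builds grow every round while completed circuits shrink, which is the spiral the quote warns about; with capacity at or above demand the loop stays flat.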

To deal with these issues, Tor took several temporary measures to mitigate the problem. But for the future, other options need to be explored, Dingledine said. Tor could, for example, limit circuit-create requests or learn to recognize the circuit-building signature of a bot client.

"It would be great if botnet researchers would identify the particular characteristics of the botnet and start looking at ways to shut it down (or at least get it off of Tor)," Dingledine said.

"And finally, I still maintain that if you have a multi-million node botnet, it's silly to try to hide it behind the 4,000-relay Tor network. These people should be using their botnet as a peer-to-peer anonymity system for itself," Dingledine wrote.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com
