A hacking group that calls itself Lizard Squad claimed it was behind
Christmas Day outages on Sony and Microsoft’s gaming networks. And now,
it says, it has turned its eyes toward anonymous browsing tool Tor.
Tor is relied on by journalists, activists, whistleblowers and everyday
people who want to keep their online activities private. It works by
routing traffic through nodes known as “relays” that are operated by
individuals and organizations around the world — essentially
volunteer-run servers that keep anonymity functions working.
But earlier Friday, thousands of new nodes appeared on the network featuring
labels starting with “LizardNSA.” A Twitter account associated with the
group indicated that it was behind the new relays.
potentially problematic because theoretically the operator of a
significant proportion of nodes could compromise the anonymity of users
by tracking traffic that exited through their system — and some 3,000
nodes would represent a substantial number of total relays. Earlier this
year, the Tor Project reported that an unknown attacker had used malicious relays to potentially capture data using far fewer nodes.
But it’s not clear that the apparent Lizard Squad nodes are currently a threat. According to an explanation posted
on a Tor blog last year, new relays go through an approval process that
lasts several days during which their bandwidth is restricted.
Messages posted on a Tor e-mail list indicate that some node operators suggest flagging the new relays as malicious.
But it’s unclear how the Tor Project will respond to the situation —
it did not respond to a Washington Post inquiry on the subject.
In an interview conducted over an online chat program, a person claiming
to be associated with Lizard Squad told The Post that the group now
controlled half of the nodes on the overall Tor network, but conceded
that only a very minimal amount of traffic was being routed through
The person demonstrated that he controlled the main
Twitter account associated with Lizard Squad but declined to identify
The point of the project, the person said, was to
demonstrate structural weaknesses in how Tor operates. While this influx
was clearly marked and thus easy to block, the person argued, there
might be ways to do it surreptitiously if they used randomized
information for the volunteer servers.
“Add the nodes to the
network over the period of a month or so and there’d be no practical way
of identifying our [nodes],” the person said.
Update: In an e-mailed statement, Tor Project volunteer Kate Krauss told the Post that the organization is addressing the new relays:
looks like a regular attempt at a Sybil attack: the attackers have
signed up many new relays in hopes of becoming a large fraction of the
network. But even though they are running thousands of new relays, their
relays currently make up less than 1% of the Tor network by capacity.
We are working now to remove these relays from the network before they
become a threat, and we don’t expect any anonymity or performance
effects based on what we’ve seen so far.
Peterson covers technology policy for The Washington Post, with an
emphasis on cybersecurity, consumer privacy, transparency, surveillance
and open government.