Skip to content

The art of attacking TOR (Independence Day post)

  • by

In this post I wanted to portray that Privacy doesn’t exist, Freedom of speech doesn’t exist. How TOR breaches your privacy including attackers and other government agencies and a bit of deep dive in the technical part, How TOR works and can be easily attacked because of its design flaw.

Before getting into TOR , Lets understand , What it is and How it works?

TOR (The onion Routing)  as we see onions have different layers once you start peeling it off, the same logic is being used. It bounces our internet traffic through various routes (Nodes) which makes us anonymous on the internet.

Our internet traffic gets route from different Nodes (Nodes are different computers connected to each other in a specific structure). If you want you can set up TOR relays which makes your computer to serve as Nodes which means other internet traffic will route through your computer, It is a great contribution if you can set up TOR relays and help the community to grow bigger and running TOR or Tor relays are not illegal, Your activities on the internet using TOR decides legal and illegal.

Lets deep dive, How TOR routes our traffic through different Nodes and provides strong anonymity?

So the user requests first go through the entry node which has the details of our identity and the information we are searching for, the next step is it sends out the requests to the Middle node and asking for the data we want to search in an encrypted form but not our identity details, Our identity only known by the entry node. So from the middle node, it goes to the exit node where it asks webserver to give the details we are searching.

For example, we are searching for on google so the exit node will decrypt our request i.e. asking from google about and sends the results from through the same route.

So the main nodes are entry node which knows our id details and exit node which fetches our search results and send it through the middle node then entry node. Technically exit node doesn’t know about the entry node which helps us to hide our identity and these nodes change frequently for every session. Your entry node might be in the US and your Exit node might be in the jungle of Africa xD  It randomly assign nodes for every session.

Summarizing how our traffic routes :

  1. Entry node – which knows our ID and the data we are searching in an encrypted form.
  2. Middle Node – It only routes our requests to the exit node by hiding our entry node details.
  3. Exit Node – It fetches our search results and sends it to the middle node and the middle node sends the details to the entry node and from the entry node it sends it to us in an encrypted form.

Always use VPN while connecting to TOR.

How safe TOR is?

TOR is vulnerable by design, I don’t trust TOR for anonymity but I do give my best to improve for the community, and its been a long time, I am engaged in this community.

TOR was built for secure communication for US defense and later it was open-sourced. An adversary may try to de-anonymize the user by some means. One way this may be achieved is by exploiting vulnerable software on the user’s computer. The NSA had a technique that targets a vulnerability – which they codenamed “EgotisticalGiraffe” – in an outdated Firefox browser version at one time bundled with the Tor package and, in general, targets Tor users for close monitoring under its XKeyscore program. Attacks against Tor are an active area of academic research which is welcomed by the Tor Project itself. The bulk of the funding for Tor’s development has come from the federal government of the United States,initially through the Office of Naval Research and DARPA.

Exit Node Eavesdropping :

Another attack scenario is by owning the exit node, As Tor is an opensource and TOR relays can be set up by anyone so we can do Man in the middle attack because the route from exit node to the webserver is unencrypted So if I see a bitcoin payment going through my exit node what I can do, I will edit the wallet address to my address so I will be receiving the payment by tampering the request and performing MITM (man in the middle attack)

For unencrypted HTTP requests, they suppress the HTTP-to-HTTPS redirect if the server sends it. If that redirect is suppressed, the client continues w/unencrypted HTTP. (This only works against endpoints that the client has no HSTS cache or preload for.)

According to the TOR community 24% exit nodes controlled by hackers. This is allowing hackers to snoop on crypto transactions and redirect Bitcoin funds to themselves.

Bitcoin address rewriting attacks are not new, but the scale of their operations is.

– Anonymous

Also in recent data dumps 270GB documents have been leaked as a part of “Blueleaks” Interpol found trading of bioweapons on the dark market.

No one knows whether the buyer or seller is a government body or any national lab or terror organization but there are lot of other dark markets where these are being sold openly and can be own by anyone.

A serious and sophisticated chemical or biological weapons program by an actor like the Al-Qaeda or ISIS would not be online at all. They know that is terrible OpSec (operational security) even on the dark web or using encrypted channels or devices,”  – Investigation Officer

Heartbleed bug

The heartbleed bug was discovered in OpenSSL in 2014 and a lot of TOR nodes were vulnerable. The Tor Project recommended Tor relay operators and onion service operators revoke and generate fresh keys after patching OpenSSL, but noted Tor relays use two sets of keys and Tor’s multi-hop design minimizes the impact of exploiting a single relay, there were a lot of other relays were not updated and leads to exploiting the Hearbleed.

Autonomous system (AS) eavesdropping :

Most of the entry and exit nodes are being monitored by the government agencies and attackers so to overcome this problem  I came up with a solution in my research paper [LINK]  where I have configured our entry and exit nodes totally opposite political regions so if my entry node is India my exit node will be in Pakistan which increases and harden our anonymity.

Bad apple attack :

An attack that is capable of revealing the IP addresses of BitTorrent users on the Tor network. The “bad apple attack” exploits Tor’s design and takes advantage of insecure application use to associate the simultaneous use of a secure application with the IP address of the Tor user in question. One method of attack depends on control of an exit node or hijacking tracker responses, while a secondary attack method is based in part on the statistical exploitation of distributed hash table tracking.

The attack targeted six exit nodes, lasted for twenty-three days, and revealed a total of 10,000 IP addresses of active Tor users. We have supercomputers and high power GPUs for personal computing cracking Distributed Hash Table won’t take much time to get and reveal the IP addresses of an user.

Sniper Attack :

A DDoS attack targets at the Tor nodes. The attack works using a colluding client and server and filling the queues of the exit node until the node runs out of memory, and hence can serve no other (genuine) clients. By attacking a significant proportion of the exit nodes this way, an attacker can degrade the network and increase the chance of targets using nodes controlled by the attacker.

Mouse fingerprinting

It is the technique using time measurement via JavaScript at the 1-millisecond level that could potentially identify and correlate a user’s unique mouse movements provided the user has visited the same “fingerprinting” website with both the Tor browser and a regular browser. This proof of concept exploits the “time measurement via JavaScript” issue, which had been an open ticket on the Tor Project for ten months

Circuit fingerprinting attack :

In 2015, the administrators of Agora, a huge darknet market for drugs, announced they were taking the site offline in response to a recently discovered security vulnerability in Tor. They did not say what the vulnerability was, but Wired speculated it was the “Circuit Fingerprinting Attack” presented at the Usenix security conference.

Recently, TOR security advisory says to use SSLStrip for all the exit nodes, or else it will get remove from the TOR routing list. That sounds good from getting victimized from the exit nodes attack but are we really safe from getting monitored from government agencies with 0day exploits?

Privacy is just a myth it seems like we are under the hood using TOR but behind the scenes are very dark, there are hidden paths to catch the rabbit from the rabbit hole.



I thought of writing about Tor privacy because the ultimate freedom of speech doesn’t exist, Every year we celebrate Independence day but are we really independent?

73 years of independence but

  • We are now still dependent on a few ultra-nationalist conservatives, Capitalists Central Banks, British Central Juridical system, Are we truly independent?
  • Employment is just enslavery. They make you work at 2% of your real worth.
  • Police are only to control the masses with force. Eventually, They make you feel safe by providing a false sense of security.
  • Taxation is just an enforced funding to the government.
  • The juridical system takes advantage of the police and give orders to anyone.
  • Why a kid is forced to follow his parent’s religion?
  • Why girls don’t have life If we boys can have fun? Isn’t you call this society a conservative?
  • Religious groups force people for the same rituals, Why can’t we discover it on our own?
  • Masses select a democratic government but people they can choose from are chosen by a political party.
  • The economy is rigged to make poor people poorer.
  • Debt is just a number created by your banks just typing the numbers on the computer?
  • Money is a scam, Central bank is a scam, Stocks, Bonds, Forex trading are all big hoax by selling your trust on these commodities.

It is like giving  someone options to choose a weapon with which he would like to be killed.No  matter what you choose, You are going to be killed.

I wish our brave hearts could fix this like Bhagat Singh, Subhash Chandra Bose but they are being killed because they knew and wanted to fix this by going against Gandhi but some people didn’t like the idea.

 I wish I could whisper  Happy independence day from my heart but someday for sure.

Inquilab Zindabad !!