Tor Use Uptick
The Tor Metrics Portal is reporting a jump in their user metrics (https://metrics.torproject.org/users.html).
This is causing a bit of discussion, and as people share observations and data with each other, a few hypotheses bubble up:
- It's a new malware variant.
- It's people responding to news of government surveillance.
- It's a reporting error.
We've received a few reports here about vulnerability scans coming in from Tor nodes, and a report of a compromised set of machines that had Tor clients installed on them. As more data are shared and samples come to the surface, let's look at the Tor Project's own data a little more closely.
First, what are they actually counting? According to their site:
"After being connected to the Tor network, users need to refresh their list of running relays on a regular basis. They send their requests to one out of a few hundred directory mirrors to save bandwidth of the directory authorities. The following graphs show an estimate of recurring Tor users based on the requests seen by a few dozen directory mirrors."
So we're seeing an uptick in directory requests. When did this start? It looks like mid-August, so let's zoom in and see. I try a little binary search to narrow it down. First zooming to AUG-15 through AUG-30:
Zooming in further to find where the jump really starts:
Things are still flat on the 19th.
I'm liking the 19th as the beginning.
Has this happened before? Let's really widen the scope a bit.
So we had a recent spike in early 2012.
There appears to be a similar doubling of users between 06-JAN and 11-JAN in 2012.
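The zoom-and-compare steps above (finding the last flat day, then checking for earlier doublings) can also be run against the numbers behind the graphs. This is an added example, not part of the original diary: the daily values are constructed to mirror the dates mentioned here, and `daily`, `find_jumps`, the 5-day window and the 2x ratio are assumptions.

```python
from datetime import date, timedelta
from statistics import median

def daily(start, values):
    """Pair consecutive calendar days, beginning at `start`, with the given counts."""
    first = date.fromisoformat(start)
    return [(first + timedelta(days=n), v) for n, v in enumerate(values)]

# Constructed daily user estimates in thousands; NOT real Tor Metrics numbers.
JAN_2012 = daily("2011-12-30", [400, 402, 399, 401, 398, 400, 403, 400,
                                470, 560, 650, 730, 800, 810])
AUG_2013 = daily("2013-08-12", [500, 505, 498, 502, 500, 503, 499, 501,
                                560, 650, 760, 880, 1010, 1100])

def find_jumps(series, window=5, ratio=2.0, baseline_days=5, flat_tol=0.05):
    """Return (last_flat_day, day_ratio_reached) for every rise to `ratio` times
    the recent baseline, reached within `window` days of the end of that baseline."""
    jumps = []
    i = baseline_days
    while i < len(series):
        # Median of the preceding days resists a single noisy estimate.
        base = median(v for _, v in series[i - baseline_days:i])
        ahead = range(i, min(i + window, len(series)))
        hit = next((j for j in ahead
                    if base > 0 and series[j][1] >= ratio * base), None)
        if hit is None:
            i += 1
            continue
        # Walk forward from the baseline to the last day still within tolerance.
        onset = i - 1
        for k in range(i, hit):
            if series[k][1] > base * (1 + flat_tol):
                break
            onset = k
        jumps.append((series[onset][0], series[hit][0]))
        i = hit + baseline_days  # re-baseline on the new, higher level
    return jumps

if __name__ == "__main__":
    for name, data in (("2012", JAN_2012), ("2013", AUG_2013)):
        for start, reached in find_jumps(data):
            print(f"{name}: flat through {start}, doubled by {reached}")
```

The same function can be pointed at per-day counts of Tor-bound connections from your own flow logs to see whether a local uptick lines up with the dates above.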
Are you seeing an uptick in Tor activity in your networks? Share your observations, and especially any malware (https://isc.sans.edu/contact.html).