Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tor Use Uptick

Published: 2013-08-30
Last Updated: 2013-08-30 19:02:34 UTC
by Kevin Liston (Version: 1)
8 comment(s)

The Tor Metrics Portal is reporting a jump in their user metrics (

This is causing a bit of discussion and as people share observations and data with each other a few hypotheses bubble up.

  • It's a new malware variant.
  • It's people responding to news of government surveillance.
  • It's a reporting error.

We've received a few reports here about vulnerability scans coming in from Tor nodes, and a report of a compromised set of machines that had tor clients installed on them.  As more data are shared and samples come to the surface, let's look at the Tor Project's own data a little more closely.

First, what are they actually counting?  According to their site:

"After being connected to the Tor network, users need to refresh their list of running relays on a regular basis. They send their requests to one out of a few hundred directory mirrors to save bandwidth of the directory authorities. The following graphs show an estimate of recurring Tor users based on the requests seen by a few dozen directory mirrors."

So we're seeing an uptick in directory requests.  When did this start?  Looks mid August, so let's zoom in and see.  I try a little binary search to narrow it down.  First zooming to AUG-15 through AUG-30:

Zooming in further to find were the jump really starts:

Things are still flat on the 19th.

I'm liking the 19th as the beginning.

Has this happened before?  Let's really widen the scope a bit.


So we had a recent spike in early 2012.

There appears to be a similar doubling of users between 06-JAN and 11-JAN in 2012

Are you seeing an uptick in TOR activity in your networks?  Share you observations, and especially any malware (

Keywords: Tor
8 comment(s)
Diary Archives