Run Deep

The Attack on the Hidden Internet

Could a group of just-for-kicks hackers take down the world’s most important network for staying anonymous online?

It’s the network of choice for democracy activists, online drug dealers, and an estimated two million folks every day who would just rather get on the Internet without a government minder watching.

It’s called Tor, and lately, it has been under attack.

And strangely, the hackers being blamed for the attack are a relatively new group who, until recently, liked their cyberattacks pretty simple and only messed with gaming networks. This strike on Tor is anything but. That has some serious implications for the wide network of activists and unsavory types who rely on Tor’s cloak to get by online.

Until recently, the hacker collective known as Lizard Squad was all but unknown. But lately, they’ve been everywhere, most recently for flooding the networks of the PlayStation and Xbox gaming consoles with junk traffic. (That’s known as a distributed denial of service, or DDoS attack, in cybersecurity jargon.) It’s the group’s sixth major DDoS attack since August. They even released a (pretty damn weak) hip-hop song on SoundCloud recounting their antics.

Tor, on the other hand, has been an Internet staple for years. Started as a project by employees of the U.S. Naval Research Laboratory, Tor was developed as a system to protect intelligence communications being carried over the Internet. Today, it’s the No. 1 anonymity network, providing both a way to protect the anonymity of Internet users in oppressive regimes as well as a method for criminals to carry out transactions that are tough for law enforcement to track. Privacy advocates such as the Electronic Frontier Foundation say everyone should use it.

In the meantime, Human Rights Watch recommends it as a tool for activists an whistleblowers; the Tor Project boasts of its popularity among U.S. intelligence operatives —even as cyberspying outfits from Moscow to Maryland’s Fort Meade scramble to decloak Tor’s anonymous users.

Most recently, it’s Tor’s ability to provide websites with a private “onion” address that has been hitting the headlines. “Onion” addresses are private addresses that can only be reached after connecting through Tor’s layers of anonymity. Ordinary Web browsers can’t see the site, in other words—protecting it from government censors. Seen both as a way to make websites used by activists accessible in countries governed by hostile regimes and as a way to host websites carrying illegal products and services, this part of the Tor network is now known as a central component of the “darknet” or “deep web.”

It’s this community—or rather, communities—that the Lizard Squad was looking to disrupt. Exactly why is unclear; their previous hacks seem to have just been for the Lulz (laughs in Internet-speak) and the attention. This attack, coming just days after the PlayStation DDoS, was certainly an eye-opener.

Over the space of a few hours on Friday, Lizard Squad registered a little more than 3,000 Tor relays. Relays are special computers that Tor uses to anonymously transmit traffic across the Internet. Comprised entirely of volunteered machines, the larger and more distributed this network of relays is, the better for the network and its users. So it’s understandable that the Tor folks wanted to make it as easy as possible to add new relays to the network, allowing it to grow. However, it appears it is this very open nature that the Lizard Squad is attempting to exploit.

Networks like Tor have long been considered to be vulnerable to an attack known as a “Sybil” attack, named after the famous 1973 book about the woman suffering from multiple personality disorder. The attack relies on flooding the network with fake nodes, or identities, until enough of them are present that the operator of those fake nodes can use them to influence or control the network. It’s like poisoning a party by overloading it with assholes.

Just how many fake nodes would be needed in order to pull off a successful Sybil attack against Tor is not known. Luckily, Tor was prepared for this sort of assault, and has built-in defenses to protect against it.

Tor’s administrators have to allow new nodes to connect and play a trusted role in the network. So to enable this while protecting the network, it has a system of evaluation that cycles the new node through several distinct phases before loading it up with traffic. This means that for the first few days the node essentially sees no traffic until the network is confident about it and its reliability.

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

As a result, while the 3,021 nodes added by Lizard Squad looked like a significant chunk of Tor’s more than 6,000-node network, they actually carried less than 1 percent of Tor’s traffic. Most importantly, they were all deleted long before that percentage could rise any higher. So, while Lizard Squad’s latest attack against the Internet’s most important anonymity network is troublesome, it was also completely harmless—this time. There is a lot of residual concern that Lizard Squad was able to get even this far. One of the biggest concerns is that if they had been more patient and subtler about how they executed this attack, it’s possible that they could have added relays slowly, across a wide range of networks, in such a way that they became trusted integral parts of the Tor network. At that point, who knows what they could have been capable of.

As well as creating these nodes, it appears that Lizard Squad also attempted to use their DDoS techniques to attack key Tor resources and the Tor website. These attacks, however, were also unsuccessful.

But the Lizard Squad was able to get one thing done: Piss off Anonymous, the best known of the hacktivist collectives. It’s not their first run-in; since its inception, Lizard Squad has irritated Anonymous with its attacks against gaming networks, resulting in threats and promises of payback. Most recently with the Xblox Live and PlayStation attacks, Anonymous “doxed”—revealed the most personal information of—members of Lizard Squad. It’s basically an invitation to harassment, ridicule, and even ID fraud.

While Lizard Squad appears to be hell-bent on burning down the Internet for its own amusement, Anonymous—or, at least, parts of it—also sees itself as a guardian of free speech in particular. And that means preserving Tor.

After a bunch of tough talk, this round of the hacker-on-hacker fight nevered materialized. Tor seems to have deleted all of the malignant nodes. And some members of the Lizard Squad are now claiming that they were never trying to poison the network.

It almost makes you wonder if Lizard Squad did this just to annoy Anonymous and the other earnest champions of privacy. Or if it was yet another prank, just for the Lulz.