N0TH1NG T0 H1D3

Transparency Report March 2023

March was a noteworthy month because most of the attacks on our infrastructure either decreased in severity considerably or even even stopped completely. There are still attacks, but the current situation is rather manageable.

The lack of the usual attacks had the added benefit of getting valuable data about the baseline load of Tor on our servers. We always had to more or less guess the impact of the attacks on the server’s performance since we started hosting Tor exit relays when the attacks were happening already. But now we can safely conclude that the previous attacks were responsible for at least 70% and at the most 90% of the load on our CPUs, depending on the severity of the attacks. This means that before the major change in attack pattern and severity in March, only between 10% and 30% of our total computational and bandwidth resources were spent on legitimate Tor traffic.

Without the attacks the servers were mostly idling so with the available headroom we added more relays. As a result the exit probability share of Nothing to hide exit relays stayed the same (~15%) despite losing share in the first half of March. Our bandwidth contribution to the Tor network grew from 22.5 Gb/s to 27 Gb/s.

The metrics used in this report are rounded extrapolated snapshots of the final day of the month, to not give away too much specific information.

1 Requests & orders

We received 0 official LEA requests this month.

1.1 Law enforcement agencies (LEA)

LEA Requests Orders
n/a 0 0
Legal entity Requests
n/a 0

1.3 Natural persons

Natural person Requests
John Doe 0

2 Service report

2.1 Tor relays

Tor relays

178

Bandwidth

27.0 Gb/s

Monthly traffic

8.700 TB

Because of the increase in exit relays we were able to keep our exit probability share the same. The CPUs are saturated for about 50% so growing further would be easy, but centralization might become a problem. Also Tor would need to increase the amount of relays per IP address to 8 before we could contribute more bandwidth to the Tor network.

Period # Guard # Exit Bandwidth Daily traffic Monthly traffic
November 2022 18 0 5.6 Gb/s 60 TB 1.800 TB
December 2022 34 18 12.8 Gb/s 138 TB 4.150 TB
January 2023 68 18 18.5 Gb/s 200 TB 6.000 TB
February 2023 3 124 22.5 Gb/s 240 TB 7.200 TB
March 2023 6 172 27.0 Gb/s 290 TB 8.700 TB

Note that for these statistics both incoming and outgoing traffic are combined (just like Tor network’s metrics).

2.2 Tor DNS requests

Query response

2.900 per second

Daily queries

251 million

Monthly queries

7.5 billion

DNS requests on the Tor network are resolved by the Tor exit relays. This means that high capacity Tor exit relays can generate a lot of DNS queries. These queries are being resolved by multiple high capacity DNS resolvers.

In March the amount of queries-per-second decreased a bit, despite the total Tor traffic increasing. Our best guess is that one or more of the attacks also generated DNS queries because when the attacks stopped the amount of DNS queries also decreased considerably.

Period Query rate Daily queries Monthly queries
November 2022 0 0 0
December 2022 870 75.000.000 2.300.000.000
January 2023 2.100 181.000.000 5.400.000.000
February 2023 3.150 272.000.000 8.200.000.000
March 2023 2.900 251.000.000 7.500.000.000

Do note that we don’t log the contents of DNS queries.

2.3 Tor diversity

One of our major goals is to break the GNU/Linux monoculture currently present on the Tor network. Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. In a globally used anonymity network, monocultures can be disastrous.

We make the Tor network stronger and more resilient by running all our relays on FreeBSD. Here we report on our ongoing effort to increase operating system diversity on the Tor network.

Period NTH Guard BSD Guard GNU Guard NTH Exit BSD Exit GNU Exit
November 2022 0.11% 6.1% 93.9% 0.0% 0.9% 99.1%
December 2022 0.12% 6.2% 93.8% 4.46% 6.0% 94.0%
January 2023 1.54% 7.5% 92.5% 11.4% 16.0% 84.0%
February 2023 0.13% 6.0% 94.0% 15.0% 19.0% 81.0%
March 2023 0.14% 4.9% 94.7% 15.5% 16.0% 84.0%

The overall BSD exit share decreased in March, probably due to the decrease in total amount of other (excluding our relays) BSD relays on the network. This is somewhat worrisome because despite Nothing to hide only runs 172 out of 444 (39%) relays on BSD, we’re contributing ~97% of BSD exit relay bandwidth. Linux has a exit share of 84% and this shows how big the monoculture problem for exit relays really is.

If any Tor operator reading this is interested in running Tor relays on BSD, please contact us and we will gladly help out.

2.4 DDoS attacks

As mentioned March was a great month because there were less attacks while the attacks that remained were less severe as well. Using the Tor browser also feels faster and smoother on average since the change in attack pattern and severity. The question is how long the current situation will remain, and we should still be prepared for a change of heart with the adversaries.