Tor relays
178
Transparency Report March 2023
March was a noteworthy month because most of the attacks on our infrastructure either decreased in severity considerably or even even stopped completely. There are still attacks, but the current situation is rather manageable.
The lack of the usual attacks had the added benefit of getting valuable data about the baseline load of Tor on our servers. We always had to more or less guess the impact of the attacks on the server’s performance since we started hosting Tor exit relays when the attacks were happening already. But now we can safely conclude that the previous attacks were responsible for at least 70% and at the most 90% of the load on our CPUs, depending on the severity of the attacks. This means that before the major change in attack pattern and severity in March, only between 10% and 30% of our total computational and bandwidth resources were spent on legitimate Tor traffic.
Without the attacks the servers were mostly idling so with the available headroom we added more relays. As a result the exit probability share of Nothing to hide exit relays stayed the same (~15%) despite losing share in the first half of March. Our bandwidth contribution to the Tor network grew from 22.5 Gb/s to 27 Gb/s.
The metrics used in this report are rounded extrapolated snapshots of the final day of the month, to not give away too much specific information.
1 Requests & orders
We received 0 official LEA requests this month.
1.1 Law enforcement agencies (LEA)
| LEA | Requests | Orders |
|---|---|---|
| n/a | 0 | 0 |
1.2 Legal entities
| Legal entity | Requests |
|---|---|
| n/a | 0 |
1.3 Natural persons
| Natural person | Requests |
|---|---|
| John Doe | 0 |
2 Service report
2.1 Tor relays
Bandwidth
27.0 Gb/s
Monthly traffic
8.700 TB
Because of the increase in exit relays we were able to keep our exit probability share the same. The CPUs are saturated for about 50% so growing further would be easy, but centralization might become a problem. Also Tor would need to increase the amount of relays per IP address to 8 before we could contribute more bandwidth to the Tor network.
| Period | # Guard | # Exit | Bandwidth | Daily traffic | Monthly traffic |
|---|---|---|---|---|---|
| November 2022 | 18 | 0 | 5.6 Gb/s | 60 TB | 1.800 TB |
| December 2022 | 34 | 18 | 12.8 Gb/s | 138 TB | 4.150 TB |
| January 2023 | 68 | 18 | 18.5 Gb/s | 200 TB | 6.000 TB |
| February 2023 | 3 | 124 | 22.5 Gb/s | 240 TB | 7.200 TB |
| March 2023 | 6 | 172 | 27.0 Gb/s | 290 TB | 8.700 TB |
Note that for these statistics both incoming and outgoing traffic are combined (just like Tor network’s metrics).
2.2 Tor DNS requests
Query response
2.900 per second
Daily queries
251 million
Monthly queries
7.5 billion
DNS requests on the Tor network are resolved by the Tor exit relays. This means that high capacity Tor exit relays can generate a lot of DNS queries. These queries are being resolved by multiple high capacity DNS resolvers.
In March the amount of queries-per-second decreased a bit, despite the total Tor traffic increasing. Our best guess is that one or more of the attacks also generated DNS queries because when the attacks stopped the amount of DNS queries also decreased considerably.
| Period | Query rate | Daily queries | Monthly queries |
|---|---|---|---|
| November 2022 | 0 | 0 | 0 |
| December 2022 | 870 | 75.000.000 | 2.300.000.000 |
| January 2023 | 2.100 | 181.000.000 | 5.400.000.000 |
| February 2023 | 3.150 | 272.000.000 | 8.200.000.000 |
| March 2023 | 2.900 | 251.000.000 | 7.500.000.000 |
Do note that we don’t log the contents of DNS queries.
2.3 Tor diversity
One of our major goals is to break the GNU/Linux monoculture currently present on the Tor network. Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. In a globally used anonymity network, monocultures can be disastrous.
We make the Tor network stronger and more resilient by running all our relays on FreeBSD. Here we report on our ongoing effort to increase operating system diversity on the Tor network.
| Period | NTH Guard | BSD Guard | GNU Guard | NTH Exit | BSD Exit | GNU Exit |
|---|---|---|---|---|---|---|
| November 2022 | 0.11% | 6.1% | 93.9% | 0.0% | 0.9% | 99.1% |
| December 2022 | 0.12% | 6.2% | 93.8% | 4.46% | 6.0% | 94.0% |
| January 2023 | 1.54% | 7.5% | 92.5% | 11.4% | 16.0% | 84.0% |
| February 2023 | 0.13% | 6.0% | 94.0% | 15.0% | 19.0% | 81.0% |
| March 2023 | 0.14% | 4.9% | 94.7% | 15.5% | 16.0% | 84.0% |
The overall BSD exit share decreased in March, probably due to the decrease in total amount of other (excluding our relays) BSD relays on the network. This is somewhat worrisome because despite Nothing to hide only runs 172 out of 444 (39%) relays on BSD, we’re contributing ~97% of BSD exit relay bandwidth. Linux has a exit share of 84% and this shows how big the monoculture problem for exit relays really is.
If any Tor operator reading this is interested in running Tor relays on BSD, please contact us and we will gladly help out.
2.4 DDoS attacks
As mentioned March was a great month because there were less attacks while the attacks that remained were less severe as well. Using the Tor browser also feels faster and smoother on average since the change in attack pattern and severity. The question is how long the current situation will remain, and we should still be prepared for a change of heart with the adversaries.