The Tor staff started working with three researchers from Princeton University on a project that aims to bring some new insight into the so-called Sybil attacks that have been plaguing the Tor network for the past few years.

In computer science, a Sybil attack is when a nefarious actor adds enough nodes to a network to compromise and dilute the reputation of its nodes.

For the TOR network, Sybil attacks can give a third-party group the ability to collect metadata on its users, snoop traffic coming out of Tor exit nodes, and even the capability of unmasking traffic if their malicious nodes are selected as entry points.

The Tor network has seen many Sybil attacks in the past

Seeing more pressure from governments and hacking crews, the Tor Project started to fight back. First, it was through the launch of a fundraising campaign to secure financial independence from the US government, and then through the creation of a bug bounty program to address bugs in their software.

On top of these measures, the Tor Project has now also entered a research program with the Princeton University to concentrate their efforts on understanding how Sybil attacks on their network work.

For this, the two teams created a special tool called sybilhunter, which they used to analyze historical Tor network data from the past nine years. This tool was able to identify not only various types of Sybil attacks but also the malicious nodes added to the network.

Sybilhunter identified past Sybil attacks on the Tor network

Some of the Sybil attacks types researchers discovered using sybilhunter include rewrite Sybil attacks, redirect Sybil attacks, FDCservers Sybil attacks, trotsky Sybil attacks, default Sybil attacks, FusIVZTOR Sybil attacks, LizardNSA Sybil attacks, Anonpoke Sybil attacks, PlanetLab Sybil attacks, and Amazon EC2 Sybil attacks.

"Our practical work with sybilhunter taught us that detecting Sybils frequently requires manual work," researchers explain in their paper.

"We are also working with The Tor Project on incorporating our techniques in Tor Metrics, a website that contains network visualizations, which are frequented by numerous volunteers that sometimes report anomalies. By incorporating our techniques, we hope to benefit from 'crowd-sourced' Sybil detection."

Researchers and the Tor Project are hopeful that sybilhunter will play a crucial role in the future of Tor and help its maintainers identify malicious actors before they do any real damage to their infrastructure and users.