[tor-project] The Akamai slide Alec posted
Ian Goldberg
tor at cypherpunks.ca
Fri May 20 16:59:00 UTC 2016
On Fri, May 20, 2016 at 09:55:05AM -0700, David Fifield wrote:
> On Fri, May 20, 2016 at 08:56:06AM -0400, Ian Goldberg wrote:
> > Does anyone know where we can get more information about the stats
> > behind this slide:
> >
> > https://twitter.com/AlecMuffett/status/730773970383982592
> >
> > The slide says:
> >
> > 1:11,500 non-Tor IPs contained malicious requests
> > 1:380 Tor exit nodes contained malicious requests
> >
> > The way it's worded, it sounds like they're saying "1/11500 of the
> > non-Tor IP addresses we saw sent malicious requests, and 1/380 of the
> > Tor exit node IP addresses we saw sent malicious requests", but I'm
> > finding that hard to believe, since 1/380 of the Tor exit node IP
> > addresses is ~3 IP addresses. It's unlikely that all malicious Tor
> > traffic was confined to 3 exit nodes. (But interesting if true.)
> >
> > Were they perhaps being a little loose and really meant "1/11500 TCP
> > connections coming from non-Tor IP addresses, and 1/380 TCP connections
> > coming from Tor exit nodes, contained malicious requests"?
>
> There's an actual written report (Sadia Afroz found the link to the
> report). The Tor part starts on page 59.
>
> https://www.stateoftheinternet.com/downloads/pdfs/2015-cloud-security-report-q2.pdf#59
>
> Here are the relevant tables. The heading "Global Rank" in Figure 4-2 is
> probably supposed to be "Source". The percentages in Figure 4-4 are off
> by a factor of 100; i.e. 1/380=0.0026=0.26%.
>
> The first two figures, 4-2 and 4-3, are explicitly in terms of requests.
> Figure 4-4 is a ratio between two "traffic" values but the caption
> refers to requests.
>
> Global Rank      Legitimate HTTP Requests   Frequency
> Non-Tor IPs      534,999,725,930            99.96%
> Tor exit nodes   228,436,820                00.04%
> Figure 4-2: Of the legitimate HTTP requests, excluding static media
> files, less than 1% were from Tor exit nodes
>
> Source           Legitimate HTTP Requests   Frequency
> Non-Tor IPs      46,530,841                 98.74%
> Tor exit nodes   596,042                    1.26%
> Figure 4-3: Of the malicious HTTP requests, 1.26% were from Tor exit
> nodes
>
> Source           Ratio Between Malicious & Legitimate Traffic   Frequency
> Non-Tor IPs      0.00008697% malicious traffic                  ~1:11,500
> Tor exit nodes   0.00260922% malicious traffic                  ~1:380
> Figure 4-4: Though the traffic levels are much smaller, Tor exit nodes
> were much more likely to contain malicious requests
Cool, thanks!
- Ian