IP spoofing attack targets Tor network, triggers relay shutdowns

 

Tor relay operators have been targeted in a large-scale IP spoofing attack aimed at disrupting the Tor network. The attack, which began on October 20, spoofed non-exit relays and other Tor-related IPs to trigger automated abuse reports resulting in the shutdown of some relays.

According to a statement from the Tor Project, the attack started when Tor directory authorities — crucial servers tasked with managing and verifying the network's relay list — began receiving abuse reports alleging that their IP addresses were involved in unauthorized port scans. These directory authorities help organize the flow of data between Tor’s relays, which serve as the backbone of the network.

The threat actor behind the attack reportedly deployed spoofed SYN packets, making it appear as though Tor IP addresses were responsible for port scanning. By using this tactic, the attackers aimed to manipulate the appearance of network activity to trigger abuse reports from automated systems, which were then sent to internet service providers (ISPs) and data centers. Those impacted included hosting providers like OVH and Hetzner, with some Tor relays temporarily taken offline as a result.
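A relay operator who receives such a report can compare it with the host's own record of outbound connection attempts: reported SYNs that the relay never sent point to a spoofed source address. The following is an added example, not code from the Tor Project or the original article; the log formats, addresses, timestamps and the `triage` function are constructed for illustration, and it assumes the host keeps a complete log of its outbound SYNs.

```python
from datetime import datetime, timedelta

# Constructed sample data using documentation address ranges (not incident data).
RELAY_IP = "192.0.2.10"

# Lines from an automated abuse report: time, claimed source, destination, port.
ABUSE_REPORT = """\
2001-01-01T03:14:07Z 192.0.2.10 198.51.100.23 22
2001-01-01T03:14:09Z 192.0.2.10 198.51.100.24 22
2001-01-01T03:15:30Z 192.0.2.10 203.0.113.5 443
"""

# Outbound TCP SYNs logged on the relay host itself (hypothetical log format).
EGRESS_LOG = """\
2001-01-01T03:15:29Z 192.0.2.10 203.0.113.5 443
2001-01-01T03:16:00Z 192.0.2.10 203.0.113.77 9001
"""

def parse(text):
    """Parse 'timestamp src dst port' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((when, src, dst, int(port)))
    return records

def triage(report, egress, relay_ip, skew=timedelta(seconds=5)):
    """Split reported SYNs into those the relay really sent and those it did not.

    A reported SYN counts as matched only if the local egress log shows a SYN
    to the same destination and port within `skew` of the reported time.
    Unmatched entries are consistent with a spoofed source address.
    """
    sent = [(ts, dst, port) for ts, src, dst, port in egress if src == relay_ip]
    matched, unmatched = [], []
    for ts, src, dst, port in report:
        if src != relay_ip:
            continue  # report line is about a different host
        hit = any(d == dst and p == port and abs(t - ts) <= skew
                  for t, d, p in sent)
        (matched if hit else unmatched).append((ts, dst, port))
    return matched, unmatched

if __name__ == "__main__":
    ok, suspect = triage(parse(ABUSE_REPORT), parse(EGRESS_LOG), RELAY_IP)
    print(f"{len(ok)} reported SYN(s) seen locally, {len(suspect)} with no local record")
```

The unmatched list, together with the egress log it was checked against, is the evidence to send back to the hosting provider when disputing the report.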

The attack was focused on non-exit relays — the relays that handle internal network traffic but do not directly connect users to external internet services. Targeting non-exit relays likely allowed the attackers to exploit a less inspected part of the network while still causing disruptions to the overall Tor infrastructure.

“While we received support from many individuals and organizations during this incident, we also experienced instances of unprofessional conduct, where the refusal to investigate and lack of diligence inadvertently amplified the impact of this attack. Much of the reporting on this fake abuse attack comes from watchdogcyberdefense[.]com and we endorse the calls within the cybersecurity community to treat these reports with caution,” the Tor Project wrote in a blog post.
