Lizard Squad hit the Tor network, after Christmas attacks on Sony PSN and XBox Live networks

Pierluigi Paganini December 27, 2014

Members of the hacking group Lizard Squad, which paralyzed the Xbox Live and PlayStation Network (PSN) services, have now targeted the Tor network.

The hacking collective Lizard Squad, which paralyzed the PlayStation Network and Xbox Live at Christmas, now seems to be concentrating its efforts on the popular Tor anonymity network.

At the time of writing the Xbox Live service is up, while PSN still appears to be down, but messages on the Internet seem to confirm an attack on the Tor network, once again operated by Lizard Squad.

One of the Twitter accounts used by the collective confirmed that it has stopped the DDoS against Sony PSN and Xbox Live, while a new wave is targeting the Tor infrastructure.

“To clarify, we are no longer attacking PSN or Xbox. We are testing our new Tor 0day.” reads a tweet from @LizardMafia, one of the accounts used by Lizard Squad.

While it seems that the attacks stopped thanks to the intercession of Kim Dotcom, the Lizard Squad team hit the Tor network by introducing a ton of new relays into the overall network with the name “LizardNSA.”

“Someone who claims to be a part of Lizard Squad has set up a large number of Tor relays. That’s it,” said Runa A. Sandvik, an advocate with the Tor project.

The Lizard Squad attack against Tor doesn’t affect end users, because the group hasn’t targeted any critical servers of the infrastructure (i.e. the directory authorities) with DDoS, but the introduction of new relays could allow a persistent attacker to de-anonymize Tor users.

The Lizard Squad team has added over 3000 relays, nearly half of the total number, with serious repercussions on the users’ anonymity.

Tor Project tweeted the following statement just after the attack:

“This looks like a regular attempt at a Sybil attack: the attackers have signed up many new relays in hopes of becoming a large fraction of the network. But even though they are running thousands of new relays, their relays currently make up less than 1 per cent of the Tor network by capacity. We are working now to remove these relays from the network before they become a threat, and we don’t expect any anonymity or performance effects based on what we’ve seen so far.”

Nadim Kobeissi, who developed the chat client Cryptocat, posted the link to the Tor metrics that demonstrate that Lizard Squad added a significant number of “LizardNSA” relays. “Currently there’s actually almost 10,000 relays, about 3,000 to 6,000 of those seem to be Lizard Squad’s,” he said.

Note that, to be effective, the new relays have to obtain enough consensus with the rest of the Tor network, as explained by Kobeissi and security researcher Frederic Jacobs to The Verge.

“The attack won’t be effective unless Lizard Squad’s relays obtain enough consensus with the rest of the network, which is currently not happening due to the newness of the relays and their low bandwidth allowance,” says Kobeissi.
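The gap between relay count and capacity described by the Tor Project and by Kobeissi can be made concrete, because Tor clients pick relays roughly in proportion to consensus weight rather than by head count. The following is an added example, not code from the Tor Project or from the original article; the record layout, the nickname-stem heuristic, the `min_cluster` threshold and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

def sample_consensus():
    """Constructed sample of (nickname, first_seen, consensus_weight) records.
    Values are illustrative only and are not taken from Tor metrics."""
    honest = [(f"op{i}relay", date(2013, 1 + i % 12, 1), 4000 + 10 * (i % 500))
              for i in range(7000)]
    sybils = [(f"LizardNSA{i:04d}", date(2014, 12, 26), 10) for i in range(3000)]
    return honest + sybils

def nickname_stem(nick):
    """Strip trailing digits so numbered clones collapse to one key."""
    return nick.rstrip("0123456789").lower()

def sybil_candidates(relays, min_cluster=50):
    """Flag large groups of relays sharing a nickname stem and first-seen day,
    and report each group's share of the network by count and by weight."""
    clusters = defaultdict(list)
    for nick, first_seen, weight in relays:
        clusters[(nickname_stem(nick), first_seen)].append(weight)
    total_weight = sum(w for _, _, w in relays)
    findings = []
    for (stem, day), weights in clusters.items():
        if len(weights) >= min_cluster:
            findings.append({
                "stem": stem,
                "first_seen": day,
                "relays": len(weights),
                # Share by head count: the figure quoted in headlines.
                "count_share": len(weights) / len(relays),
                # Share by weight: approximates how often clients pick them.
                "weight_share": sum(weights) / total_weight,
            })
    return sorted(findings, key=lambda f: f["relays"], reverse=True)

if __name__ == "__main__":
    for f in sybil_candidates(sample_consensus()):
        print(f"{f['stem']} first seen {f['first_seen']}: {f['relays']} relays, "
              f"{f['count_share']:.1%} by count, {f['weight_share']:.3%} by weight")
```

In the constructed data the cluster holds 30% of relays by count but well under 1% by weight, which is why a flood of new low-bandwidth relays is a signal to remove them rather than an immediate loss of anonymity.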

In the past, the operators at the Tor Project warned of a possible traffic confirmation attack against the Tor network.

On July 4, 2014, the Tor team discovered a group of malicious relays that they assume were trying to de-anonymize Tor network users with a confirmation attack technique.

“The security advisory explains that bad actors were leveraging a critical flaw in Tor to modify protocol headers in order to perform a traffic confirmation attack and inject a special code into the protocol header used by attackers to compare certain metrics from relays to de-anonymize users. The advisory reports that 115 malicious fast non-exit relays (6.4% of whole Tor network) were involved in the attack, the servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users. The malicious relays were running Tor version 50.7.0.0/16 or 204.45.0.0/16 and bad actors were using them trying to de-anonymize Tor users who visit and run so-called hidden services. The malicious relays joined the Tor network on January 30th 2014 and experts at Tor Project removed them from the network on July 4th 2014.”

The action run by Lizard Squad against the Tor network seems to be a demonstrative act to warn of possible attacks run by law enforcement or intelligence agencies; the team is urging careful management of how new relay servers are added to the network, to avoid its poisoning.

“Hi, do you guys still give away shirts for relay owners? We need about 3000 @torproject,” tweeted @LizardMafia.

Stay tuned …

Pierluigi Paganini

(Security Affairs –  Tor network, Lizard Squad)


