A hacking group that calls itself Lizard Squad claimed it was behind Christmas Day outages on Sony and Microsoft's gaming networks. And now, it says, it has turned its eyes toward anonymous browsing tool Tor.
But earlier Friday, thousands of new nodes appeared on the network featuring labels starting with "LizardNSA." A Twitter account associated with the group indicated that it was behind the new relays.
This is potentially problematic because theoretically the operator of a significant proportion of nodes could compromise the anonymity of users by tracking traffic that exited through their system -- and 3,000 some nodes would represent a substantial number of total relays. Earlier this year, the Tor Project reported that an unknown attacker had used malicious relays to potentially capture data using far fewer nodes.
But it's not clear that the apparent Lizard Squad nodes are currently a threat. According to an explanation posted on a Tor blog last year, new relays go through an approval process that lasts several days during which their bandwidth is restricted.
Messages posted on a Tor e-mail list indicate that some node operators suggest flagging the new relays as malicious. But it's unclear how the Tor Project will respond to the situation -- it did not respond to a Washington Post inquiry on the subject.
In an interview conducted over an online chat program, a person claiming to be associated with Lizard Squad told The Post that the group now controlled half of the nodes on the overall Tor network, but conceded that only a very minimal amount of traffic was being routed through those nodes.
The person demonstrated that he controlled the main Twitter account associated with Lizard Squad but declined to identify himself.
The point of the project, the person said, was to demonstrate structural weaknesses in how Tor operates. While this influx was clearly marked and thus easy to block, the person argued, there might be ways to do it surreptitiously if they used randomized information for the volunteer servers.
"Add the nodes to the network over the period of a month or so and there'd be no practical way of identifying our [nodes]," the person said.
Update: In an e-mailed statement, the Tor Project told the Post that the organization is addressing the new relays:
This looks like a regular attempt at a Sybil attack: the attackers have signed up many new relays in hopes of becoming a large fraction of the network. But even though they are running thousands of new relays, their relays currently make up less than 1% of the Tor network by capacity. We are working now to remove these relays from the network before they become a threat, and we don't expect any anonymity or performance effects based on what we've seen so far.
Correction: An earlier version of this post attributed the Tor Project's statement to a volunteer. In fact, it had been written by a group that did not include the volunteer.