tor users up

Along with the longer term upward trend in the usage in tor I noted below, there has now been a large, rapid rise in the number of connected tor clients in the last week or so.

The tor usage statistics graphs show a dramatic doubling of daily connected clients (from around the 500,000 mark to well in excess of 1,000,000 since around the 18th or 19th of August.


If we look at the same statistics for UK client usage we see a jump from around 16,000 to over 32,000.


and in the US we see a rise from just under 100,000 to around 140,000.


Given such a very sharp and unexpected rise in the number of clients with no corresponding jump in the number of relays or exits we should expect a noticeable degradation in the performance of the network. However, the performance statistics for the same period merely show a slight worsening in the times taken to complete a 50 KiB request over tor.


As Roger Dingledine notes in a post to tor-talk today, it is hard to say whether or not that slight worsening is a real difference.

As yet, no-one on the tor project seems to have a firm view on the reasons for this particularly steep rise at this particular time. Dingledine speculates that the recent release of a browser bundle by the Pirate Bay (a release which is not endorsed by the tor project) or alternatively a botnet could be responsible, but neither seems to me to be that plausible. Pirate Bay users are notorious for their desires to access .iso images of videos, particularly over bittorrent. Whilst many exit relays specifically exclude the usage of torrents, I think a flood of Pirate Bay users on the scale noted would have had a much more serious impact on tor network performance than seems to have been the case. Similarly, if a botnet of the magnitude of around half a million clients suddenly started to use tor (probably in an attempted DDOS of some unfortunate target) I would expect to see a much greater impact on the network than a slight slowing of file retrieval times.

The next few days should be interesting. Might we see a spate of complaints about “attacks” from tor (lending credence to the botnet theory)?

Permanent link to this article:


Skip to comment form

    • Richard Budd on 2013/08/31 at 8:50 pm

    Maybe just the Average Joe getting a clue after all the news?
    When you look at it as a function of everybody on the internet it isn’t even a blip.

    • Mick on 2013/08/31 at 9:19 pm

    I don’t believe that. And the stats don’t support that theory. The rise is sudden, spectacular and consistent across a huge geographic range. “Joe Average” in 50 – 90 states all “getting it” at the same time is just not a plausible scenario. Collin Anderson on tor-talk posted a graphic (taken from the on-line tor stats) of the top 50 countries. Take a look at that. Can you believe Vietnam going from a 1000 or so users to around 30,000 at the same time as Morocco going from 600 to over 5000, and Peru going from around 600 to over 6000? Take a look at the slopes of all those graphs, They are the same (well, with the exception of Syria that is).

    I’m now coming round to the botnet theory. But given that the actual traffic volume is low, this looks like a trial run for something else. Someone, somewhere, is testing the tor network in preparation for something. I’m not sure the network could cope if the massive influx of new “users” started to actually pull some real traffic all at once. I’m pretty sure my own node can’t take much more.


    • bastrian on 2013/09/01 at 6:52 pm

    Really strange. What kind of botnet could it be? And what happen if they start to work? Right now it seems that the Botnet is inactive, and there are no sign that there is any particular malware around. On such a huge scale someone should noticed it. Lets say that its a botnet and the scope of the botnet is to take down the nodes. If the bigger Nodes fails, the small one will go down too really quick and then the entire network will have huge trouble. Correct me if i am wrong.


    • Mick on 2013/09/10 at 7:51 pm


    I guess that you have probably read Roger Dingledine’s blog post of 5 September by now. It would appear from that post (and Fox IT’s post of the same date) that there is now considerable agreement that an “old” botnet (dating from around 2009) has been re-programmed with a tor client and is probably using one or more tor hidden service nodes as command and control servers. Certainly this theory would explain the huge number of incoming connections with no apparent impact on tor traffic volumes.

    I worry though what would happen if the botnet operator(s) decide to start using tor to hit servers outside the network. The resulting flood of traffic through tor would likely cripple it.


    • Patrick Clark on 2013/09/20 at 9:54 am

    The Pirate Bay’s PirateBrowser is expanding its user base rapidly, far beyond the expectations of the site’s operators. The Tor-based browser, which allows people to bypass ISP filtering and access blocked websites, has already been downloaded more than 500,000 times since its launch earlier this month. The increase in downloads coincides with a mysterious increase in Tor users, but contrary to speculation it’s unlikely that the two events are related.

    • Mick on 2013/09/20 at 12:09 pm

    I think the events are completely unrelated. The number of pirate bay downloads cannot possibly account for the rise in tor usage. And I fail to see why anyone would use a dodgy copy of the TBB from the Pirate Bay when they can get the real thing from the torproject site. Pirate Bay themsleves have admitted that their browser does not use tor properly (or at all in some cases).

    (Oh, and I have deleted the website you linked to on the grounds that it is highly unlikely to be valid).



Comments have been disabled.