Lizard Squad Attacks TOR Network with 3,000 Faulty Nodes and Failed to Compromise
The latest infamous hacking group, Lizard Squad, has been wreaking havoc online for the past few months, and especially over this recent holiday weekend: first taking the PlayStation Network and Xbox Live gaming servers offline for almost 48 hours, and most recently abusing an alleged zero-day vulnerability in the Tor network in hopes of compromising the project.
On Friday Lizard Squad notified the public that their attacks against the gaming networks had ceased and that they had moved their operations to the Tor network, writing on Twitter:
To clarify, we are no longer attacking PSN or Xbox. We are testing our new Tor 0day.
— R.I.U. Lizard Squad (@LizardMafia) December 26, 2014
After the team made their announcement, they registered roughly 3,000 Tor relays on the network. The goal was to dominate the network by sheer relay count, taking ownership of about half the nodes and routing nearly all of the network's traffic through their own servers (whether the servers were rogue remains unknown).
Many privacy-conscious users questioned what the Lizard Squad's attacks meant for the Tor network, but as has been stated many times before, the Tor network is built to withstand the most brutal of attacks, even if individual physical servers are compromised.
Just last week the Tor Project warned of an alleged upcoming attack on the network, alerting users that the project would be on the lookout but that users should remain wary. Project officials noted the Tor network is built to withstand even high-level government attacks and that they would be heavily monitoring the network for suspicious activity.
Shortly after the Lizard Squad turned on their mass of servers, dominating nearly half of the Tor network's relays by count, traffic to the Tor Project dropped by nearly fifty percent. Many users believed the Tor network had been hacked or compromised, worried that their privacy and security might be at risk, and stopped using it until the project cleaned off the faulty nodes.
Nadim Kobeissi, a computer programmer and cryptography professional, tweeted a screenshot of what the Tor network looked like during the Lizard Squad attacks, while their nearly 3,000 Tor relays were online:
Nadim Kobeissi, computer programmer and cryptography professional tweeted a screenshot of what the Tor network looked like during the Lizard Squad attacks and when their near 3,000 Tor relays were online:
This is what the Tor network looks like right now. pic.twitter.com/0QQAGVTRRI
— Nadim Kobeissi (@kaepora) December 26, 2014
The Tor Project is an online anonymizing tool that helps keep Internet users safe and anonymous while browsing. The network routes your traffic through several nodes, encrypting it at each hop, helping users attain strong security and resist censorship. As the traffic is encrypted through each hop, the first two relays are known as the middle relays, which pick up the first packets, begin encrypting them, and send them on to further nodes. Seeing as the nodes are spread out over the world, it would be nearly impossible to trace all the traffic back to one destination.
If one party controlled all the nodes and the traffic routed through them, it would hypothetically be possible to track a limited amount of the traffic served through those nodes.
Because of how newly set up Tor relays work, the attack did not work as planned, or as many thought it would. The official website notes that a newly added relay goes through a full phased verification process within its first three days, and almost no traffic is pushed through it in the meantime, meaning little to no bandwidth on the server is used during that period. As Kobeissi's screenshot shows, when Lizard Squad tried to take over the network, nearly all of their relays had little to no traffic going through them. The nodes would have needed to pass through three additional phases to become fully functional.
Runa Sandvik, a former Tor Project official and security researcher, explained to ZDNet why the attack was a flop and had no real impact on the anonymizing or deanonymizing aspects of the tool. The reason is that all the relays controlled by Lizard Squad operated through the Google Cloud service and within the same IP range. The relays were also fresh, and not yet fully verified by Tor Project officials.
Tor quickly responded, noting they were working on removing the relays before the nodes were able to push traffic through.
“This looks like a regular attempt at a Sybil attack: the attackers have signed up many new relays in hopes of becoming a large fraction of the network. But even though they are running thousands of new relays, their relays currently make up less than 1% of the Tor network by capacity. We are working now to remove these relays from the network before they become a threat, and we don’t expect any anonymity or performance effects based on what we’ve seen so far,” Tor Project officials wrote in a statement.
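The statement above makes the key defensive point: a Sybil attempt that wins on relay count can still be negligible by consensus weight, and fresh relays crowded into one hosting range are easy to spot. The script below is an added example, not code from the article or from the Tor Project. It works on a constructed relay snapshot (real input would be a directory consensus or Onionoo data); the `Relay` record, the 3-day "fresh" window taken from the article, the /16 grouping and the cluster-size threshold of 50 are all assumptions made for illustration.

```python
"""Added example: triage a relay surge by count versus weight and by IP range.

The data is constructed; in practice the records would be parsed from a Tor
network consensus. Field names and thresholds are assumptions for this demo.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_interface


@dataclass(frozen=True)
class Relay:
    fingerprint: str        # relay identity (constructed labels here)
    address: str            # OR address
    consensus_weight: int   # bandwidth weight the authorities assign
    first_seen: datetime    # first appearance in a consensus


# Constructed "now": the weekend the surge was observed.
NOW = datetime(2014, 12, 27, 12, 0, 0)


def constructed_snapshot(n_new: int = 3000) -> list[Relay]:
    """Build a sample network: 12 long-standing, well-weighted relays plus
    n_new brand-new relays in a single /16 with a tiny weight each."""
    old = [Relay(f"OLD{i:04d}", f"203.0.113.{i}", 20000 + 1000 * i,
                 NOW - timedelta(days=400 + i)) for i in range(12)]
    new = [Relay(f"NEW{i:04d}", f"10.77.{i // 256}.{i % 256}", 1,
                 NOW - timedelta(hours=6)) for i in range(n_new)]
    return old + new


def fresh_relays(relays: list[Relay], now: datetime = NOW,
                 max_age: timedelta = timedelta(days=3)) -> list[Relay]:
    """Relays younger than max_age (the article's three-day ramp-up window)."""
    return [r for r in relays if now - r.first_seen <= max_age]


def cluster_by_prefix(relays: list[Relay], prefix_len: int = 16) -> dict[str, list[Relay]]:
    """Group relays by the /prefix_len network their address falls in."""
    clusters: dict[str, list[Relay]] = defaultdict(list)
    for r in relays:
        net = ip_interface(f"{r.address}/{prefix_len}").network
        clusters[str(net)].append(r)
    return dict(clusters)


def share(subset: list[Relay], population: list[Relay]) -> tuple[float, float]:
    """Return (fraction by relay count, fraction by consensus weight)."""
    total_w = sum(r.consensus_weight for r in population)
    sub_w = sum(r.consensus_weight for r in subset)
    return len(subset) / len(population), sub_w / total_w


def flag_sybil_clusters(relays: list[Relay], now: datetime = NOW,
                        min_size: int = 50, prefix_len: int = 16) -> list[dict]:
    """Report every /prefix_len range holding at least min_size fresh relays,
    with the cluster's share of the network by count and by weight."""
    report = []
    for net, members in cluster_by_prefix(fresh_relays(relays, now), prefix_len).items():
        if len(members) >= min_size:
            count_frac, weight_frac = share(members, relays)
            report.append({"network": net, "count": len(members),
                           "count_fraction": count_frac, "weight_fraction": weight_frac})
    return sorted(report, key=lambda row: -row["count"])


if __name__ == "__main__":
    for row in flag_sybil_clusters(constructed_snapshot()):
        print(f"{row['network']}: {row['count']} fresh relays, "
              f"{row['count_fraction']:.1%} of relays by count, "
              f"{row['weight_fraction']:.2%} of network by weight")
```

On the constructed snapshot the single flagged cluster holds about 99.6% of relays by count but under 1% of the network by weight, which is the shape of the incident the statement describes: large in numbers, negligible in capacity, and concentrated in one address range.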
While the Lizard Squad's plans did not work out on the Tor network, the team took another sinister action, launching a large Distributed Denial of Service (DDoS) attack against the Tor Project website and taking it offline.
As the DDoS started, the Lizard Squad then began insulting the Tor network, calling it a safe harbor for pedophiles, among other things.
Meanwhile I’ve been pounding the pedophile safe harbor known as Tor’s website for over an hour. What are you going to do about that?
— R.I.U. Lizard Squad (@LizardMafia) December 27, 2014
The Tor Project website remained offline for several hours on Saturday; no specific downtime figure was given.
As most hackers stand for privacy and security, tens of thousands were outraged at the Lizard Squad's actions against Tor. The largest Twitter account for the Anonymous collective expressed its feelings towards the squad:
Hey @LizardMafia don’t fuck with the Tor network. People need that service because of corrupt governments. Stand the fuck down.
— Anonymous (@YourAnonNews) December 27, 2014
It would appear the Lizard Squad did not actually want to compromise the Tor network, as they publicly announced their actions before even booting up their 3,000 relays. Many attackers would not hint at an attack at all and would instead begin abusing the zero-day immediately.
Whether the Lizard Squad wanted to gain publicity, more credibility, or simply to use a proof-of-concept "zero-day" remains unknown, but the Tor network is once again functioning safely.
Time will tell if these dudes are as undoxable as they say they are. A significant portion of the underground is after them. Apart from DDoSing and (supposedly) building their own botnet, they haven't really done anything too impressive.