by curiousfab 1082 days ago
From an average of significantly below 500k to almost 2.5M users. This drives up the global number of connecting users from approx. 3M to almost 5M.

Hard to imagine that so many people in Germany suddenly switched to TOR, especially since there has not been any significant event lately that may have triggered such a decision (afaik)?

My personal experience with TOR (as an administrator of various websites and services) is that it is a major source of unwanted/malicious traffic (spam, etc.) and most of it is automated. The big increase is probably not users but bots?


The interesting question is if there is a bot net spreading in Germany since the 17th of June. What would be the likelihood of that going undetected. If you like conspiracy theory, the rise in one country could point to state actors.
Off the top of my head - Germany hosts a disproportionate amount of sensitive data because it's the location of choice for cloud providers storing things for EU member countries. They have lots of fiber, lots of ISPs, plenty of datacenter space, a stable government, and data security laws that meet or exceed everyone else in the EU.

    Germany hosts a disproportionate amount of sensitive data because it's the location of choice for cloud providers storing things for EU member countries.
Hat tip to this. My German teammate and I have discussed exactly this point. The Microsoft Azure cloud has a German specific cloud that targets exactly this market. Some marketing genius made billions for Microsoft with that idea.

One weird thing to me: You are right about "lots of fiber" -- specifically Frankfurt Internet Exchange is (was?) the busiest in the world for a long time. Why does non-urban, non-commercial (retail) Internet access suck so hard in Germany? It is the topic of endless (but understandable) crying by German residents on HN!

> Why does non-urban, non-commercial (retail) Internet access suck so hard in Germany?

To cut a very long story short, what should have happened a long time ago in Germany is to treat internet access at a reasonable speed (however that is determined) like access to electricity or the plain old telephone system: it's the law that you get connected like everyone else at the price everyone else pays, even when you are in a very rural setting. Leaving that decision to commercial interests has led to very slow or unavailable rural internet infrastructure, because either the price to become connected would be ridiculously high or the companies would lose money.

It's political failure, plain and simple.

Looking back in time, the original sin was committed in Germany in the early 80s when the SPD-run government understood that fiber optic networks were the future for the telephone system and television distribution. They had a 30 year plan to convert West Germany's telecom infrastructure to fiber. That was way before the internet, but had that plan been enacted, Germany would have sat on a high speed fiber infrastructure in the 90s when the Internet exploded onto the scene.

Unfortunately the conservative CDU government under Kohl immediately scrapped that plan when they came into power and went for cable as the distribution medium for TV and the telephone system continued to operate on copper at least on the last mile. So here we are in the 2020s with crappy cable modems and crappy DSL connections. (Where available.)

Did modern Germany (after reunification) ever discuss the idea of a national broadband network, like Australia and New Zealand? I cannot believe more highly industrialised countries have not followed this route. The long term economic impacts will be HUGE.
> Why does non-urban, non-commercial (retail) Internet access suck so hard in Germany?

Lack of competition and laws tailored to the privatized Deutsche Telekom: If I dig up the street to put fiber optics, they may join in for free. So may I, if they dig up streets - they just don't.

Why would it be so localized to one country? Does Germany have a unique enemy compared to other NATO countries?
My guess is that a certain router is getting infected with a botnet because ISPs usually hand out the same router to their customers. And ISPs are usually limited to a single country.
That would be an explanation and probably, by Occam's razor, more likely. But wouldn't that ISP notice the difference in traffic patterns drastically and react? It is just unlikely (but far from impossible) that this is something 'normal' happening.

My fear would be that someone still is trying to gather a critical mass of nodes to contact control servers via TOR to cause mass havoc in a single country from within a single country. Generally IMHO Germany would be a good target for destabilisation currently. But I think and hope this could just be a bit of overinterpreting. Probably one would need a good statistic on the subnets the users come from.

I can't speak to German ISPs or anyone outside of these USA. But I believe that ISPs are absolutely the weakest link when it comes to malicious botnets and other types of widespread network-based compromises.

ISPs certainly have the tooling and the positioning to be able to detect C&C channels, outgoing DDOS attacks, and compromised customer premises equipment. But do they? And if they do detect any of it, do they take action? When is the last time you heard about an ISP disconnecting a paying customer because of the customer's compromised device(s)? When is the last time you even heard of an ISP notifying a customer about such a thing?

Two months ago, my router was compromised and joined to some sort of botnet in the capacity of a DNS resolver. I would never have been able to detect such WAN-side traffic if I hadn't had a special setup on my part. My ISP was the first to hear when I'd detected it, and I sincerely doubt that they receive many such reports, especially with logs as evidence.

Can you imagine receiving a phone call, "Hello, this is your ISP! You're pwned! Please follow through these remediation steps as I prompt you: ..." You'd undoubtedly think it was a phishing scam. Because ISPs just don't seem to care about abuse.

They will send you copyright strikes and prosecute you for BitTorrent, but it doesn't seem like they'd lift a finger to prevent the next big DDOS or spam factory originating from their own customers.

My parents' home LAN got caught up in a bot net and their ISP was sending emails about it to their ISP-provided email address.

But it's possible they were just passing on abuse reports from the numerous targeted victims of this botnet who bothered to complain.

The intrusion point was a Linux system with a 3 letter password and ssh exposed on a nonstandard port. So if you're someone who still thinks the bad guys won't find your computer because you changed the port, know that that is very outdated thinking.
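The weak-password, exposed-SSH intrusion described above is the kind of thing that shows up in sshd logs long before a botnet abuse report arrives. The following is an added example (not code from the poster or from any project on this page) that scans constructed auth-log lines for brute-force sources and for a login accepted from a source that had already failed; the host name, PIDs, users and addresses in the sample are made up, and the threshold of five failures is an assumption.

```python
import re
from collections import defaultdict

# OpenSSH auth-log formats for failed and accepted logins; the port the
# daemon listens on does not appear here, so a non-standard port changes nothing.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+) port \d+"
)

def analyze(lines, threshold=5):
    """Return (brute_force_sources, successes_after_failures).

    brute_force_sources: {ip: failure_count} for sources at or above threshold.
    successes_after_failures: [(ip, user, failures_so_far)] for every accepted
    login from a source that had already failed at least once in this log.
    """
    fails = defaultdict(int)
    suspicious_success = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            fails[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and fails.get(m.group(2), 0) > 0:
            suspicious_success.append((m.group(2), m.group(1), fails[m.group(2)]))
    brute = {ip: n for ip, n in fails.items() if n >= threshold}
    return brute, suspicious_success

# Constructed sample log: a password-guessing burst from one source that
# eventually succeeds, plus unrelated single events from other sources.
SAMPLE_LOG = """\
Jun 17 03:14:07 srv sshd[2201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Jun 17 03:14:09 srv sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Jun 17 03:14:11 srv sshd[2205]: Failed password for invalid user pi from 198.51.100.23 port 51238 ssh2
Jun 17 03:14:13 srv sshd[2207]: Failed password for root from 198.51.100.23 port 51240 ssh2
Jun 17 03:14:15 srv sshd[2209]: Failed password for invalid user test from 198.51.100.23 port 51242 ssh2
Jun 17 03:14:17 srv sshd[2211]: Failed password for deploy from 198.51.100.23 port 51244 ssh2
Jun 17 03:14:19 srv sshd[2213]: Accepted password for deploy from 198.51.100.23 port 51246 ssh2
Jun 17 03:20:02 srv sshd[2301]: Failed password for invalid user oracle from 203.0.113.9 port 40001 ssh2
Jun 17 03:25:44 srv sshd[2350]: Accepted publickey for alice from 192.0.2.10 port 55010 ssh2
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```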

In Germany, I doubt they have the tooling or staff anymore. For almost a decade we've been in a race to the bottom regarding pricing and, as a result, service quality. I wouldn't be surprised if critical parts of the infrastructure are maintained by jobs outsourced halfway around the world.

The only somewhat professional player is the Deutsche Telekom, which was kinda the Bell of Germany and got privatized in the 90s, when the phone network was also opened to other players. They are more expensive though. Other than that, you might be lucky and have some small regional ISP that's competent enough. Otherwise there are just two other companies left that offer service nationwide, after a lot of mergers.

My ISP actually sent me an email that said that one of my devices has an open TCP 445 port and advised me to fix it. Apparently Windows opens it by default and it can be exploited by some malware.

But I've never received a threatening letter about piracy. ISPs in my country simply don't send those.

> That would be an explanation and probably, by Occam's razor, more likely. But wouldn't that ISP notice the difference in traffic patterns drastically and react?

I hope to be wrong but I am afraid you are overestimating the technical competency of the average ISP.

> My guess is that a certain router is getting infected with a botnet because ISPs usually hand out the same router to their customers.

This seems trivial to figure out with an analysis of the connecting IPs - which is absent on TOR's report page.

I'm also a bit confused why no one here on HN has asked about the connecting IP data (at this writing). Are these commercial IPs, dynamic (biz/residential) IPs or a mix? If they're mostly dynamic IPs, are they from more than one ISP?

TOR has country of origin data so it seems reasonable they'd also have network of origin.

All that said, I don't precisely know how TOR determines country of origin. Entry node data would seem to be the likely source. However I've long assumed that entry nodes are public supplied, like Relay and Exit nodes. Within that assumption it isn't clear to me how that data would flow to TOR - while maintaining anonymization of traffic.

Maybe German state itself is the actor.
My bet is Russia.

I work in a German institution. I was recently hacked by such a botnet (lessons learned: use AuthorizedKeys, allow only one SSH user, proxy all http connections to a webhoster, and check your SSH and UFW logs often!)

It set up a virtual environment where it downloaded some kind of Tor node and ran some sort of code that used 100% of my CPU. My guess is crypto-mining. I purged the account and deleted everything before I could do forensics, but I checked the logs for the connections and they all came from Russia.

What state actor doesn't understand statistical deanonymization attacks against tor?

(e.g., if you single-handedly double the network traffic, then an outside observer can figure out what ingress/egress traffic is yours)

Why pay attention to this if you can simply blame another state actor?

And the German federal government has a history of covert shitposting.

    And the German federal government has a history of covert shitposting.
Wow, I never heard this before. Can you provide some famous examples?
Can you explain more?
> The interesting question is if there is a bot net spreading in Germany since the 17th of June.

A minor addendum: Looking at the csv file, it looks to me like traffic began drifting above the mean about June 6. From there I see a ramp-up, growing at an increasing rate.

That’s when the Kakhovka dam was destroyed, shortly after the Ukrainian counteroffensive began.
I faced a recent distributed attack averaging 20,000 RPS[1] around the same time which makes me think that there might be a bot. I wonder if there’s a network of website operators similar to NANOG or the RIPE NCC mailing lists where I could compare my own experience with those of other operators.

[1] https://news.ycombinator.com/item?id=36561930

Why not CAPTCHA protect these pages instead of blocking tor? Same attack can go through regular web.
I already have per-IP ratelimiting, and I'm against using captchas, which have bad UX (including the much-hailed Turnstile).

I'll probably migrate to some proof-of-work based schemes and some algorithms to detect anomalous requests, but it would require some engineering work on my part (for a free website FWIW), and the quickest way to mitigate it would be to block Tor.

IP blocking blocks most of the people on our local ISP. They are small and use CGNAT, so one owned Windows machine across town breaks sites like yours for everyone, and the root cause is extremely difficult to debug for end users.

As much as I deeply, deeply dislike captchas, IP blocking is far worse.

IP blocks also just don't work on IPv6. Unless you're prepared to block entirely by ASN, an adversary can cheaply just buy up a lot of address space and churn through them. It gets even messier when dealing with real ISP networks because some hand out /40s for residential customers whereas others give just a /56.
I'm sure you can buy a table that says what size subnet to block for various IPv6 ranges.
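The per-IP rate limiting mentioned earlier, and the objection that a single IPv6 client can churn through a whole delegated prefix, come together in the following added example (not code from any poster or project on this page): a sliding-window limiter that keys IPv4 clients by address and IPv6 clients by their /64, with the prefix length configurable so a /56 per household can be chosen where that matches the ISP. The limit, window and sample addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy for the example: at most LIMIT requests per client key
# in any WINDOW_SECONDS sliding window.
LIMIT = 5
WINDOW_SECONDS = 60.0

def client_key(addr: str, v6_prefix: int = 64) -> str:
    """Map a client address to the key rate limits are counted against.

    IPv4 addresses are counted individually. IPv6 addresses are collapsed to
    their /64 (or a coarser prefix such as /56) so a client cannot dodge a
    per-address limit by rotating through the 2**64 addresses of one prefix.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network((str(ip), v6_prefix), strict=False))

class PrefixRateLimiter:
    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS, v6_prefix=64):
        self.limit = limit
        self.window = window
        self.v6_prefix = v6_prefix
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, addr: str, now: float) -> bool:
        """Record a request at time `now` and say whether it is within the limit."""
        q = self._hits[client_key(addr, self.v6_prefix)]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(addrs, limiter=None):
    """Feed a constructed request sequence (one request per second) through the
    limiter and return how many requests were allowed."""
    limiter = limiter or PrefixRateLimiter()
    return sum(1 for i, a in enumerate(addrs) if limiter.allow(a, float(i)))

if __name__ == "__main__":
    # Eight requests from eight different addresses inside one /64.
    print(simulate(["2001:db8::%d" % i for i in range(1, 9)]))  # 5 allowed
```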
>I'll probably migrate to some proof-of-work based schemes and some algorithms to detect anomalous requests, but it would require some engineering work on my part

Have you tried mcaptcha? https://github.com/mCaptcha/mCaptcha

If there isn't, let's make one. We could self host it, lock it down to invite-only.
Any UX changes to something like Brave browser perhaps? Making it easier to use tor mode. Although this is a big jump.
Note that the growth is not just in Germany. Ireland, Sweden, Switzerland also show jumps (however in absolute terms they are still much smaller). I would not rule out it's people or bots connecting from third country/countries through VPNs based in Europe... for whatever reason.
VPSs in Germany are much cheaper. But I'm guessing this increase is paid with crypto or debit cards, so pinpointing it to a specific provider like Hetzner is hard.
Hetzner used by criminals would be my guess.
Is it a bug in a client that accidentally spawns sub-clients?
do you believe these numbers?
It would be much more helpful if you could provide one or two reasons why the numbers could be wrong, or maybe make some comments on the methodology, etc.

Just questioning the accuracy without any context or reasons does not contribute to the argument.