From an average of significantly below 500k to almost 2.5M users.
This drives up the global number of connecting users from approx. 3M to almost 5M.
Hard to imagine that so many people in Germany suddenly switched to TOR, especially since there has not been any significant event lately that may have triggered such a decision (afaik)?
My personal experience with TOR (as an administrator of various websites and services) is that it is a major source of unwanted/malicious traffic (spam, etc.) and most of it is automated. The big increase is probably not users but bots?
The interesting question is if there is a botnet spreading in Germany since the 17th of June. What would be the likelihood of that going undetected? If you like conspiracy theories, the rise in one country could point to state actors.
Off the top of my head - Germany hosts a disproportionate amount of sensitive data because it's the location of choice for cloud providers storing things for EU member countries. They have lots of fiber, lots of ISPs, plenty of datacenter space, a stable government, and data security laws that meet or exceed everyone else in the EU.
Germany hosts a disproportionate amount of sensitive data because it's the location of choice for cloud providers storing things for EU member countries.
Hat tip to this. My German teammate and I have discussed exactly this point. The Microsoft Azure cloud has a German specific cloud that targets exactly this market. Some marketing genius made billions for Microsoft with that idea.
One weird thing to me: You are right about "lots of fiber" -- specifically Frankfurt Internet Exchange is (was?) the busiest in the world for a long time. Why does non-urban, non-commercial (retail) Internet access suck so hard in Germany? It is the topic of endless (but understandable) crying by German residents on HN!
> Why does non-urban, non-commercial (retail) Internet access suck so hard in Germany?
To cut a very long story short, what should have happened a long time ago in Germany is to treat internet access at a reasonable speed (however that is determined) like access to electricity or the plain old telephone system: It's the law you get connected like everyone else at the price everyone else pays, even when you are in a very rural setting. Leaving that decision to commercial interests has led to very slow or unavailable rural internet infrastructure because either the price would be ridiculously high to become connected or the companies would lose money.
It's political failure, plain and simple.
Looking back in time, the original sin was committed in Germany in the early 80s when the SPD-run government understood that fiber optic networks were the future for the telephone system and television distribution. They had a 30 year plan to convert West Germany's telecom infrastructure to fiber. That was way before the internet, but had that plan been enacted, Germany would have sat on a high speed fiber infrastructure in the 90s when the Internet exploded onto the scene.
Unfortunately the conservative CDU government under Kohl immediately scrapped that plan when they came into power and went for cable as the distribution medium for TV and the telephone system continued to operate on copper at least on the last mile. So here we are in the 2020s with crappy cable modems and crappy DSL connections. (Where available.)
Did modern Germany (after reunification) ever discuss the idea of a national broadband network, like Australia and New Zealand? I cannot believe more highly industrialised countries have not followed this route. The long term economic impacts will be HUGE.
> Why does non-urban, non-commercial (retail) Internet access suck so hard in Germany?
Lack of competition and laws tailored to the privatized Deutsche Telekom: If I dig up the street to put fiber optics, they may join in for free. So may I, if they dig up streets - they just don't.
My guess is that a certain router is getting infected with a botnet because ISPs usually hand out the same router to their customers. And ISPs are usually limited to a single country.
That would be an explanation and probably by Occam's razor be more likely. But wouldn't that ISP notice the difference in traffic patterns drastically and react? It is just unlikely (but far from impossible) that this is something 'normal' happening.
My fear would be that someone still is trying to gather a critical mass of nodes to contact control servers via TOR to cause mass havoc in a single country from within a single country. Generally IMHO Germany would be a good target for destabilisation currently. But I think and hope this could just be a bit of overinterpreting. Probably one would need a good statistic on the subnets the users come from.
I can't speak to German ISPs or anyone outside of these USA. But I believe that ISPs are absolutely the weakest link when it comes to malicious botnets and other types of widespread network-based compromises.
ISPs certainly have the tooling and the positioning to be able to detect C&C channels, outgoing DDOS attacks, and compromised customer premises equipment. But do they? And if they do detect any of it, do they take action? When is the last time you heard about an ISP disconnecting a paying customer because of the customer's compromised device(s)? When is the last time you even heard of an ISP notifying a customer about such a thing?
Two months ago, my router was compromised and joined to some sort of botnet in the capacity of a DNS resolver. I would never have been able to detect such WAN-side traffic if I hadn't had a special setup on my part. My ISP was the first to hear when I'd detected it, and I sincerely doubt that they receive many such reports, especially with logs as evidence.
Can you imagine receiving a phone call, "Hello, this is your ISP! You're pwned! Please follow through these remediation steps as I prompt you: ..." You'd undoubtedly think it was a phishing scam. Because ISPs just don't seem to care about abuse.
They will send you copyright strikes and prosecute you for BitTorrent, but it doesn't seem like they'd lift a finger to prevent the next big DDOS or spam factory originating from their own customers.
My parents' home LAN got caught up in a botnet and their ISP was sending emails about it to their ISP-provided email address.
But it's possible they were just passing on abuse reports from the numerous targeted victims of this botnet who bothered to complain.
The intrusion point was a Linux system with a 3 letter password and ssh exposed on a nonstandard port. So if you're someone who still thinks the bad guys won't find your computer because you changed the port, know that that is very outdated thinking.
I don't even know how to log in to my ISP-provided email, so it goes without saying that I'm not reading it. I'm surprised that ISPs still offer email.
In Germany, I doubt they have the tooling or staff anymore. For almost a decade we've been in a race to the bottom regarding pricing and as a result, service quality. I wouldn't be surprised if critical parts of the infrastructure are maintained by outsourced jobs from half around the world.
The only somewhat professional player is the Deutsche Telekom, which was kinda the Bell of Germany and got privatized in the 90s, when the phone network was also opened to other players. They are more expensive though. Other than that, you might be lucky and have some small regional ISP that's competent enough. Otherwise there are just two other companies left that offer service nationwide, after a lot of mergers.
My ISP actually sent me an email that said that one of my devices has an open TCP 445 port and advised me to fix it. Apparently Windows opens it by default and it can be exploited by some malware.
But I've never received a threatening letter about piracy. ISPs in my country simply don't send those.
My ISP will send letters or emails, but only if they get a complaint from the company in question. Usually what ends up happening is a company watches a torrent, and takes down a list of all the IP addresses downloading it. They then send boilerplate complaints to the ISPs associated with said IP addresses, who are legally required to do something about it. My little brother got in trouble this way lmao, they sent a letter to our house about it.
Many ISPs have clauses in their TOS that prohibit running any server of any kind. So it may be the case that your ISP regularly runs sweeps to detect customers who are running servers, and this warning may be a side effect of that sweep.
I often used to poke holes in my firewall and run VPN or ssh servers that were discoverable using my dynamic DNS service. My ISP never got involved with that. Of course, that was a case of me running a server for my exclusive use, rather than some sort of public web or login server that would have randos sending traffic across my link.
> That would be an explanation and probably by Occam's razor be more likely. But wouldn't that ISP notice the difference in traffic patterns drastically and react?
I hope to be wrong but I am afraid you are overestimating the technical competency of the average ISP.
> My guess is that a certain router is getting infected with a botnet because ISPs usually hand out the same router to their customers.
This seems trivial to figure out with an analysis of the connecting IPs - which is absent on TOR's report page.
I'm also a bit confused why no one here on HN has asked about the connecting IP data (at this writing). Are these commercial IPs, dynamic (biz/residential) IPs or a mix? If they're mostly dynamic IPs, are they from more than one ISP?
TOR has country of origin data so it seems reasonable they'd also have network of origin.
All that said, I don't precisely know how TOR determines country of origin. Entry node data would seem to be the likely source. However I've long assumed that entry nodes are public supplied, like Relay and Exit nodes. Within that assumption it isn't clear to me how that data would flow to TOR - while maintaining anonymization of traffic.
I work in a German institution. I was recently hacked by such a botnet (lessons learned: use AuthorizedKeys, allow only one SSH user, proxy all http connections to a webhoster, and check your SSH and UFW logs often!)
It set up a virtual environment where it downloaded some kind of Tor node and ran some sort of code that used 100% of my CPU. My guess is crypto-mining. I purged the account, deleted everything before I could do forensics, but I checked the logs for the connections and they all came from Russia.
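The two compromise stories in this thread (the host with a three-letter password and SSH on a nonstandard port, and the "check your SSH logs often" lesson above) both come down to reading sshd's auth log for what it already tells you. The script below is an added example, not code from either commenter: it parses constructed auth.log lines in the classic syslog format sshd writes, flags sources with a burst of failed logins inside a sliding window, and lists any accepted login that violates a keys-only, single-user policy (the hostname `web1`, the user `deploy`, the IPs and timestamps are all made up for the sample).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of /var/log/auth.log lines from sshd (not real data).
SAMPLE_AUTH_LOG = """\
Jun 17 02:14:01 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 41230 ssh2
Jun 17 02:14:03 web1 sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 41232 ssh2
Jun 17 02:14:05 web1 sshd[2215]: Failed password for root from 198.51.100.7 port 41234 ssh2
Jun 17 02:14:09 web1 sshd[2217]: Failed password for root from 198.51.100.7 port 41236 ssh2
Jun 17 02:14:12 web1 sshd[2219]: Failed password for root from 198.51.100.7 port 41238 ssh2
Jun 17 02:14:40 web1 sshd[2221]: Accepted password for root from 198.51.100.7 port 41240 ssh2
Jun 17 03:01:00 web1 sshd[2290]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:AAAA
Jun 17 03:05:17 web1 sshd[2301]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.:a-fA-F]+) port \d+"
)


def parse_auth_log(text, year=2023):
    """Turn raw log text into a list of login events. syslog lines carry no year,
    so the caller supplies it (an assumption of this example)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter (disconnects, session opened, ...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_bruteforce_sources(events, threshold=5, window_seconds=300):
    """Return {ip: max_failures_in_window} for sources that reached `threshold`
    failed logins inside any `window_seconds` sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def find_policy_violations(events, allowed_users=("deploy",)):
    """Accepted logins that are not public-key logins by an allowed user.
    With a keys-only, single-user policy every hit here is a finding."""
    return [e for e in events
            if e["result"] == "Accepted"
            and (e["method"] != "publickey" or e["user"] not in allowed_users)]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", find_bruteforce_sources(evs))
    for v in find_policy_violations(evs):
        print(f"policy violation: {v['method']} login as {v['user']} from {v['ip']} at {v['ts']}")
```

Running it over the sample flags `198.51.100.7` (five failures in eleven seconds, then a successful password login as root, which is exactly the pattern the commenters describe) while the single failure from `203.0.113.9` stays below the threshold. The thresholds are assumptions; tune them to your own baseline before wiring this into an alert.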
I remember there was a series of articles several years ago that German intelligence officers generated a lot of activity in far-right websites. To the point that frequently it was mostly undercover "extremists" discussing between themselves.
The closest article I can quickly find is about German intelligence informants doing the same in meatspace though.
> There was a "risk that sources of the intelligence service (Office for the Protection of the Constitution) could goad each other on to undertake bigger actions;" in other words, the system threatened to create an "incendiary effect."
> The interesting question is if there is a bot net spreading in Germany since the 17th of June.
A minor addendum: Looking at the csv file, it looks to me like traffic began drifting above the mean about June 6. From there I see a ramp-up, growing at an increasing rate.
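Reading "drifting above the mean about June 6" off a CSV by eye is what the comment above describes; the script below is an added example (not the commenter's code, and not the Tor Metrics export itself) that makes the same judgement mechanically. It assumes a `date,country,users` layout, which is an assumption about the file's shape, fixes a baseline from the first 30 days, flags the first day the count exceeds mean + 3 standard deviations, and separately tests whether the increments are themselves growing, i.e. whether the ramp is accelerating. The numbers are constructed: a flat May alternating between 400k and 420k, then a June ramp.

```python
import csv
import io
import statistics

# Constructed daily user counts in an assumed date,country,users layout (not real Tor data).
BASELINE = [400000 if d % 2 else 420000 for d in range(1, 31)]
RAMP = [418000, 422000, 428000, 433000, 438000, 446000, 458000, 478000, 508000, 550000, 610000]
SAMPLE_CSV = "date,country,users\n" + "".join(
    f"2023-05-{d:02d},de,{u}\n" for d, u in zip(range(1, 31), BASELINE)
) + "".join(
    f"2023-06-{d:02d},de,{u}\n" for d, u in zip(range(1, 12), RAMP)
)


def load_series(text, country):
    """Return [(date, users), ...] for one country code, in file order."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["date"], int(r["users"])) for r in rows if r["country"] == country]


def detect_drift(series, baseline_days=30, z=3.0):
    """Fix a baseline on the first `baseline_days` and report the first date
    and the number of later dates whose count exceeds mean + z * stddev."""
    base = [u for _, u in series[:baseline_days]]
    mean = statistics.mean(base)
    sd = statistics.pstdev(base)
    threshold = mean + z * sd
    flagged = [d for d, u in series[baseline_days:] if u > threshold]
    return {
        "mean": mean,
        "threshold": threshold,
        "first_above": flagged[0] if flagged else None,
        "days_above": len(flagged),
    }


def is_accelerating(series, start_date):
    """True when, from `start_date` on, each day-over-day increase is larger than
    the previous one (second differences all positive), i.e. a growing growth rate."""
    vals = [u for d, u in series if d >= start_date]
    diffs = [b - a for a, b in zip(vals, vals[1:])]
    return len(diffs) >= 2 and all(b > a for a, b in zip(diffs, diffs[1:]))


if __name__ == "__main__":
    de = load_series(SAMPLE_CSV, "de")
    report = detect_drift(de)
    print(report)
    if report["first_above"]:
        print("accelerating since first flagged day:", is_accelerating(de, report["first_above"]))
```

On the constructed data the baseline mean is 410k with a deviation of 10k, so the threshold is 440k and the first flagged day is 2023-06-06, after which every increment is larger than the last. Against the real export you would pick the baseline window and `z` to match the series' normal weekly variation; a fixed 30-day window is only the simplest choice.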
I faced a recent distributed attack averaging 20,000 RPS[1] around the same time which makes me think that there might be a bot. I wonder if there’s a network of website operators similar to NANOG or the RIPE NCC mailing lists where I could compare my own experience with those of other operators.
I already have per-IP ratelimiting, and I'm against using captchas, which have bad UX (including the much-hailed Turnstile).
I'll probably migrate to some proof-of-work based schemes and some algorithms to detect anomalous requests, but it would require some engineering work on my part (for a free website FWIW), and the quickest way to mitigate it would be to block Tor.
IP blocking blocks most of the people on our local ISP. They are small, and use CGNAT, so one owned windows machine across town breaks sites like yours for everyone, and the root cause is extremely difficult to debug for end users.
As much as I deeply, deeply dislike captchas, ip blocking is far worse.
IP blocks also just don't work on IPv6. Unless you're prepared to block entire ASNs, an adversary can cheaply just buy up a lot of address space and churn through them. It gets even messier when dealing with real ISP networks because some hand out /40s for residential customers whereas others give just a /56.
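The two objections above pull in opposite directions: on IPv6 a per-address limit is trivially bypassed by hopping inside an allocation, while on IPv4 a per-address limit behind CGNAT punishes a whole town for one infected machine. A common middle ground is to key the limiter on a prefix rather than the exact address. The block below is an added example, not anything from the commenters' sites: a token-bucket limiter whose key is the /64 for IPv6 and the /32 for IPv4 (both prefix lengths are configurable assumptions), with a small simulation of both cases on constructed addresses.

```python
import ipaddress


class PrefixRateLimiter:
    """Token bucket per network prefix. Each key holds (tokens, last_refill)."""

    def __init__(self, rate_per_sec: float, burst: int, v4_prefix: int = 32, v6_prefix: int = 64):
        self.rate = rate_per_sec
        self.burst = burst
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.buckets: dict[str, tuple[float, float]] = {}

    def key_for(self, ip: str) -> str:
        """Collapse an address to the prefix it is accounted under."""
        addr = ipaddress.ip_address(ip)
        plen = self.v6_prefix if addr.version == 6 else self.v4_prefix
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def allow(self, ip: str, now: float) -> bool:
        """Consume one token for the caller's prefix; False means rate-limited."""
        key = self.key_for(ip)
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def count_allowed(limiter: PrefixRateLimiter, ips: list[str], now: float = 0.0) -> int:
    """How many of `ips` (sent at the same instant) get through."""
    return sum(1 for ip in ips if limiter.allow(ip, now))


# Constructed traffic: 100 addresses churned inside one IPv6 /64, and 100 requests
# from 100 different users who all share one CGNAT IPv4 address.
V6_CHURN = [f"2001:db8:1:2::{i:x}" for i in range(1, 101)]
CGNAT_SHARED = ["198.51.100.7"] * 100


if __name__ == "__main__":
    per_address = PrefixRateLimiter(rate_per_sec=1.0, burst=10, v6_prefix=128)
    per_prefix = PrefixRateLimiter(rate_per_sec=1.0, burst=10)
    print("IPv6 churn, per-address key :", count_allowed(per_address, V6_CHURN), "of 100 allowed")
    print("IPv6 churn, per-/64 key     :", count_allowed(per_prefix, V6_CHURN), "of 100 allowed")
    print("CGNAT, per-address key      :", count_allowed(PrefixRateLimiter(1.0, 10), CGNAT_SHARED), "of 100 allowed")
```

Keying on the /64 stops the churn case without touching the ASN, but it does nothing for the CGNAT case, where the limiter cannot tell users apart by address at all; that is the point the first commenter makes, and it is why the proof-of-work and anomaly-scoring approaches are worth pairing with this. The /64 choice assumes residential allocations are at least that large; where ISPs hand out /56 or /40, the right prefix length for the allow-list side of the problem is different again.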
>I'll probably migrate to some proof-of-work based schemes and some algorithms to detect anomalous requests, but it would require some engineering work on my part
Note that the growth is not just in Germany. Ireland, Sweden, Switzerland also show jumps (however in absolute terms they are still much smaller). I would not rule out it's people or bots connecting from third country/countries through VPNs based in Europe... for whatever reason.
VPSs in Germany are much cheaper.
But I'm guessing this increase is paid with crypto or debit cards so pinpointing it to a specific provider like Hetzner is hard
It would be much more helpful if you could provide one or two reasons why the number could be wrong, or maybe make some comments on the methodology, etc.
Just questions about the accuracy without any context or reasons are not contributing to the argument.
As you can see if you scroll down the page (with many alerts of a similar magnitude in the last weeks), this is nothing unusual, solar disturbances of this level happen all the time.
We are getting closer to the peak of solar cycle 25 and increased solar activity is to be expected for the next few years:
Good for radio amateurs (simply speaking, more solar activity results in better radio propagation opportunities), potentially a risk for satellites and power grids.
People might be interested that there are lots of free apps that will tell you what the k index is and maybe send you a notification if it goes above a certain number. Around here numbers above seven are interesting.
That would be really helpful because taken out of context, single words translated to English will often produce very confusing results. My suggestion would be to ditch the google links and provide a properly translated version that is revealed when hovering over a word/phrase. Such a translation could be crowd sourced.
GPT-4 Prompt: Please assist with providing English glosses for a German text. For phrases which are not easily interpreted word-for-word, please provide a gloss for the whole phrase. Otherwise, provide a gloss for each word. You may output the glosses as a list, one gloss per line, German on the left, followed by an arrow (-->), and then the English gloss.
Here's some of the output:
Es --> It
war --> was
ein --> a
sonniger --> sunny
Tag --> day
im --> in the
Wald --> forest
und --> and
ein --> a
Mädchen --> girl
namens --> named
Lisa --> Lisa
ging --> went
spazieren --> for a walk
Sie --> She
hörte --> heard
plötzlich --> suddenly
ein --> a
Geräusch --> noise
und --> and
drehte --> turned
sich --> herself
um --> around
I was expecting "drehte sich um" to be grouped together, but I'm pleased with the glosses.
Note how "sich" is glossed with "herself". That's understanding the context properly. Much more useful than a dictionary definition of "sich". Similar for "sonniger" which Google translated as "sunnier" out of context.
EDIT: Note that GPT-3.5 gave me exactly the same glosses.
Doesn't the FCC maintain public records of callsigns and associated home addresses? Why would you want to immediately tie your personal address to most of your online accounts?