Home / Industry

A Look Into Tor Nodes' Locations and ISPs with IP Intelligence

The Tor Project has been synonymous with the Deep Web, as it is a primary method by which users can access hidden portions of the Internet. Besides traffic encryption, an additional feature that gives Tor users anonymity is that their network traffic passes through several nodes, making the real source unidentifiable.

Source: https://commons.wikimedia.org/wiki/File:Tor-onion-network.png

While not much can be said about end-users in this context, we were curious to comprehend the infrastructure associated with the Tor network. So we downloaded a list of Tor nodes from dan.me.uk containing 7,850 IP addresses as of 16 October 2020. While the site contains different lists for entry, router, and exit nodes, we selected the entire Tor list for this study. We then used an IP geolocation database to gain more insights into the Tor nodes.

In particular, we looked at the nodes' source countries and checked if they were consistent with the top Internet service providers (ISPs). Aside from the nodes' IP geolocation, we also looked at the node users' locations to answer these questions:

  • What are the Tor nodes' top source countries?
  • What are their top ISPs?
  • Are their ISPs' locations consistent with their source countries?
  • Are the Tor node users also located in the source countries?

Top Tor Node Source Countries

IP Geolocation Database allowed us to determine the locations of the Tor nodes' IP addresses. For our sample, we found that Germany (DE) topped the list of source countries with a 21% share (see Figure 1). The U.S. (US) followed with a 16% share, trailed by France (FR) with 8%, the Netherlands (NL) with 6%, and Canada (CA) with 4%. Together, these five countries accounted for more than half of the Tor nodes' locations.

Meanwhile, the U.K. (GB) was home to 3% of the nodes. While Russia (RU), Sweden (SE), Finland (FI), Switzerland (CH), Austria (AT), and Lithuania (LT) combined accounted for 2% of the total number of Tor nodes. The rest of the countries accounted for 1% or less of the sample.

Figure 1: Top IP geolocation source countries of the Tor nodes

ISPs Commonly Used by the Tor Nodes

The Tor nodes were distributed across 1,376 ISPs. The top 10 of them accounted for 37% of the sample. Figure 2 shows the distribution of Tor nodes among the top 10 ISPs.

Figure 2: Top 10 ISPs of the Tor nodes

French provider OVH topped the list with 719 IP addresses, while German company Hetzner ranked second with 538. The rest of the top 10 are listed below, along with their country of operation:

  • Linode (U.S.)
  • Digital Ocean (U.S.)
  • NETCUP (Germany)
  • Quintex Alliance Consulting (U.S.)
  • Online S.A.S. (France)
  • FranTech Solutions (U.K.)
  • UAB Cherry Servers (Lithuania)
  • Deutsche Telekom AG (Germany)

Three out of the 10 ISPs are based in Germany, which is the top Tor node source country. The presence of three American ISPs on the list is also consistent with the U.S. being the top 2 source country. France was the top 3 Tor node IP geolocation, also consistent with the presence of more than one ISP from the country on the list.

Tor Node Users by Country

The top source countries and the locations of the ISPs somehow coincided. The top countries that emerged from both lists include Germany, the U.S., and France. But how about the locations of the Tor node users?

To find out, we consulted Torproject[.]org metrics and filtered the Top Ten Countries by Relay Users to reflect statistics from 1 January to 16 November 2020.

The three dominant countries on both of our lists — Germany, the U.S., and France — were also the locations of about 38% of Tor node users.

Figure 3: Screenshot of the Top Ten Countries by Relay Users from torproject.org

Of the remaining countries in the top 10 node user locations, only Indonesia, Ukraine, and India were not on our list of top source countries.


All anonymized traffic could be treated with suspicion from a cybersecurity viewpoint, regardless of whether they were hidden using virtual private networks (VPNs), proxy servers, or the Tor network. This short study showed how it was possible to gather more information about Tor nodes using IP intelligence.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byIPv4.Global

Brand Protection

Sponsored byAppdetex

Whois

Sponsored byWhoisXML API

DNS Security

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias