The Tor Project has been synonymous with the Deep Web, as it is a primary method by which users can access hidden portions of the Internet. Besides traffic encryption, an additional feature that gives Tor users anonymity is that their network traffic passes through several nodes, making the real source unidentifiable.

While not much can be said about end-users in this context, we were curious to comprehend the infrastructure associated with the Tor network. So we downloaded a list of Tor nodes from dan.me.uk containing 7,850 IP addresses as of 16 October 2020. While the site contains different lists for entry, router, and exit nodes, we selected the entire Tor list for this study. We then used an IP geolocation database to gain more insights into the Tor nodes.

In particular, we looked at the nodes’ source countries and checked if they were consistent with the top Internet service providers (ISPs). Aside from the nodes’ IP geolocation, we also looked at the node users’ locations to answer these questions:

• What are the Tor nodes’ top source countries?
• What are their top ISPs?
• Are their ISPs’ locations consistent with their source countries?
• Are the Tor node users also located in the source countries?

Top Tor Node Source Countries

IP Geolocation Database allowed us to determine the locations of the Tor nodes’ IP addresses. For our sample, we found that Germany (DE) topped the list of source countries with a 21% share (see Figure 1). The U.S. (US) followed with a 16% share, trailed by France (FR) with 8%, the Netherlands (NL) with 6%, and Canada (CA) with 4%. Together, these five countries accounted for more than half of the Tor nodes’ locations.

Meanwhile, the U.K. (GB) was home to 3% of the nodes. While Russia (RU), Sweden (SE), Finland (FI), Switzerland (CH), Austria (AT), and Lithuania (LT) combined accounted for 2% of the total number of Tor nodes. The rest of the countries accounted for 1% or less of the sample.

ISPs Commonly Used by the Tor Nodes

The Tor nodes were distributed across 1,376 ISPs. The top 10 of them accounted for 37% of the sample. Figure 2 shows the distribution of Tor nodes among the top 10 ISPs.

French provider OVH topped the list with 719 IP addresses, while German company Hetzner ranked second with 538. The rest of the top 10 are listed below, along with their country of operation:

• Linode (U.S.)
• Digital Ocean (U.S.)
• NETCUP (Germany)
• Quintex Alliance Consulting (U.S.)
• Online S.A.S. (France)
• FranTech Solutions (U.K.)
• UAB Cherry Servers (Lithuania)
• Deutsche Telekom AG (Germany)

Three out of the 10 ISPs are based in Germany, which is the top Tor node source country. The presence of three American ISPs on the list is also consistent with the U.S. being the top 2 source country. France was the top 3 Tor node IP geolocation, also consistent with the presence of more than one ISP from the country on the list.

Tor Node Users by Country

The top source countries and the locations of the ISPs somehow coincided. The top countries that emerged from both lists include Germany, the U.S., and France. But how about the locations of the Tor node users?

To find out, we consulted Torproject[.]org metrics and filtered the Top Ten Countries by Relay Users to reflect statistics from 1 January to 16 November 2020.

The three dominant countries on both of our lists—Germany, the U.S., and France—were also the locations of about 38% of Tor node users.

Of the remaining countries in the top 10 node user locations, only Indonesia, Ukraine, and India were not on our list of top source countries.

All anonymized traffic could be treated with suspicion from a cybersecurity viewpoint, regardless of whether they were hidden using virtual private networks (VPNs), proxy servers, or the Tor network. This short study showed how it was possible to gather more information about Tor nodes using IP intelligence.