
Understanding the Tor Network and its Metrics

Updated: May 11

Tor is the most popular ‘dark net’ used today. It is well known for its association with illegal activity, such as forums and vendors selling drugs and weapons, and the ever-increasing media coverage surrounding cybercrime. However, there are legitimate uses for Tor, such as avoiding state-based censorship or communicating anonymously in contested environments.

In this blog, we are going to look at the other side and understand how the network works. We’ll also explore network attribution considerations and look at methods to correlate network activity with geopolitical events.

Most people who use Tor simply access it with a standard Tor browser and use search engines (see our previous blog), index sites, or navigate directly to known destination .onion addresses. However, we can learn more about what is happening around the world by taking a step back and looking at the network itself. Luckily, Tor's network details are publicly available for us to view and analyse.

The Tor Network to the Surface Web

Let's begin with a quick overview of how the Tor network works. It is made up of a series of volunteer-hosted relays which route traffic through to a destination and back. A client will connect to what is called an ‘entry guard’, pass through a ‘middle relay’ and then exit through an ‘exit node’. The terminology may differ; however, the structure of the network resembles the layers of an onion (hence the name).

We can use the Tor network to connect to the surface web (using the Tor browser and network as a proxy to ‘normal websites’). When this occurs, our connection will look like this:

The Tor Network to the Dark Web

When we visit the dark web, or hidden services (URLs that end in .onion), our connection is a little different, and a little more anonymous. Tor doesn’t use HTTPS, as the communication stays within the Tor network, and by its very nature, it is encrypted. It looks like this:

Tor over VPN

There is much discussion online about whether or not to use a Virtual Private Network (VPN), which essentially adds another hop in the network.

So, what’s the answer? Well, it depends.

Using a VPN allows you to mask your IP address. When you connect to a VPN, you are assigned a new IP, which does not reveal your original IP, ISP, or location. When choosing a VPN, you should always thoroughly research the provider. Free-to-use VPNs may log your data (including your originating IP) and may work poorly. Reputable VPN providers - which will often require a subscription fee - will provide policies and information about the data that they record.

Connecting to a VPN first, then Tor, sometimes called ‘Tor over VPN’, provides added protection that prevents the entry guard from seeing your true IP address. The Tor Project website, however, doesn’t recommend using a VPN with Tor. We must understand who we are hiding from first and foremost, and what risks we are seeking to mitigate:

  • Avoiding Traffic Correlation Attacks - Use a VPN

  • Worried that a Tor Node is watching your activity - Use a VPN

  • Hackers - Use a VPN

  • Well-resourced state actor - In this instance, a VPN may enlarge your attack surface (How did you pay for the VPN? Does the VPN keep a log of your activity?) but use a VPN if you have a good online persona.

Remember - always use a reputable VPN provider (which likely means avoiding free VPN services!) both on and off the dark web.

Bridge Relays – Avoiding Censorship

Tor relays are publicly listed, so an ISP (Internet Service Provider) or restrictive state actors can block or detect their use. However, bridges are not listed in the public Tor directory. That means that an ISP or government trying to block access to the Tor network has a harder time doing so.

If you decide to use Tor without a VPN, or without a bridge relay, an Internet Service Provider (ISP) can see the connection to Tor but cannot see the content. Bridge relays are easy to establish by configuring your connection when you open up the Tor Browser.

Now that we have a basic understanding of traffic flow, and some more information around our attribution, let's look at macro network activity.

Network Activity and Metrics

The Tor Project enables the public to research the metrics of the network, including user activity, servers, and relays. This is useful for understanding peaks and troughs in network activity, and we can correlate changes in activity with geopolitical events. It is common to see a spike in Tor connections during periods of civil unrest or conflict – we can’t see what people are using Tor for with macro network analysis, but the inference is still useful for assessments.
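One way to put this correlation into practice is sketched below. It is an added example, not code from this blog or from the Tor Project. It flags days where a country's estimated user count jumps well above its trailing weekly baseline, then pairs each flagged day with entries from an analyst-kept event timeline. The `date,country,users` column layout, the `xx`/`yy` country codes, every figure and the event entry are constructed assumptions.

```python
import csv
import io
import statistics
from datetime import date

# Constructed sample (not real Tor Metrics figures). The date,country,users
# layout and '#' comment lines are assumptions about a daily per-country export.
SAMPLE_CSV = """\
# estimated daily users, constructed for illustration
date,country,users
2024-01-03,xx,10050
2024-01-04,xx,10200
2024-01-05,xx,9950
2024-01-06,xx,10000
2024-01-07,xx,10150
2024-01-08,xx,10050
2024-01-09,xx,9980
2024-01-10,xx,17500
2024-01-10,yy,500
2024-01-11,xx,19200
2024-01-12,xx,10300
"""
# Analyst-maintained event timeline (constructed placeholder entry).
EVENTS = {date(2024, 1, 9): "placeholder: reported network restrictions in xx"}

def load_series(text, country):
    """Return sorted (date, users) pairs for one country code."""
    rows = (l for l in io.StringIO(text) if l.strip() and not l.startswith("#"))
    return sorted((date.fromisoformat(r["date"]), int(r["users"]))
                  for r in csv.DictReader(rows)
                  if r["country"] == country and r["users"])

def find_spikes(series, window=7, threshold=5.0):
    """Flag days far above the trailing-window median, scored with the MAD."""
    spikes = []
    for i in range(window, len(series)):
        day, users = series[i]
        history = [u for _, u in series[i - window:i]]
        median = statistics.median(history)
        # Median absolute deviation: a prior spike in the window barely moves it.
        mad = statistics.median(abs(u - median) for u in history) or 1.0
        if (users - median) / (1.4826 * mad) >= threshold:
            spikes.append((day, users, median))
    return spikes

def nearby_events(spikes, events, max_gap_days=3):
    """Pair each spike with timeline events up to max_gap_days before it."""
    return {day: [text for when, text in events.items()
                  if 0 <= (day - when).days <= max_gap_days]
            for day, _, _ in spikes}
```

A flagged day with no matching timeline entry is a lead for further research rather than a finding, since the user counts alone say nothing about why people connected.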

Tor Metrics (