TorFlow

Thanks for this! I opened an issue for it.

https://github.com/unchartedsoftware/torflow/issues/4

Brightest spots in capitals are probably caused by IP geolocation. Whois for many IPs returns main ISP HQ address which usually is based in the capital city. Also, geolocation tools will return capital city if no specific information other than country is available.

I think they could improve they ip2address tool, because I would expect some bright spot at hetzner datacenter and it's not there (while whois for IPs of my servers there returns proper location of the datacenter).

Nevertheless, awesome visualization.

One suggestion for the UI: when you click a + on an option, the minus should be at the bottom of the expanded option, so that you don't have to move the mouse to close the expansion.

That traffic is from IPredator's relay, which is currently the top exit node by consensus (https://globe.torproject.org/#/top10).

There are less than 50 relays in Australia and none of them come close to IPredator. Every AU relay combined has a middle probability of 0.0246% and an exit probability of 0.0060%.

IPredator alone has an exit probability of 2.1961%.

(You can see these stats with Tor Compass: https://compass.torproject.org/)

IPredator is a Swedish VPN service that appeared when the "Ipred" law was passed in Sweden, a law that was passed to allow rights holders to find and prosecute people who torrent stuff. So most likely, it's used for piracy.

I also noticed a weird conglomeration somewhere in Kansas near Witchita. Someone's pet project?

I'm wondering the same thing, would be interesting to hear if there is some reason behind this.

There are huge amount of peered ISP that offer cheap servers.

OVH and Free Telecom probably host a huge amount of Tor traffic in FR. Easily do 300 Mbps 24x7 for sub-$15/m dedicated server.

OVH also has subsidiaries in other EU countries that will geolocate back to those countries (hosted in FR physically).

The US population is more than 2 times smaller than the European one, so it makes completly sense to me.

In general, Internet in Europe is much more censored than in the US.

Flow looks like transatlantic connection with epicenter in Europe

the two points being Westminster and the City...

There is also a similar link in Amsterdam: https://f.zdev.com/dl/cxofxm.png

The same thing can be found in Paris, too.

I don't think there's a data center there, it's probably just where all nodes in Germany end up which don't have more accurate geolocation.

Addendum: Not actual traffic flows but simulated with an undescribed model.

No, this information is publicly available when your Node joins the Tor network. All nodes (except for a limited set of entry-nodes) are publicly listed as being a part of the Tor network. Their IP addresses are used to approximate their location based on where the IP address is registered.

Kansas has some big data centers in it (there's a reason google fiber launched there). Lots of dedicated server and colocation providers are located in Kansas City. In order for these providers to receive IP addresses from ARIN, they must register with ARIN as an "autonomous system" (AS). One of the items on the form they must complete is the geolocation of the IP address block they are being assigned. That geolocation is often the location of the provider company, not necessarily the location of the server(s) the IP(s) point to.

Server providers register as autonomous systems, and purchase IP space in large blocks. They often have servers at multiple data centers, with VLAN routing configured to switch packets at the ingress IP to whichever server that IP is assigned to. When a client rents a server from a provider, the provider assigns the client some number of IP addresses from its available pool. Many times, the provider does not actually SWIP (officially delegate via ARIN) these IP addresses to the client, so the registration with ARIN will not reflect the owner of the server an IP currently points to.

tl;dr When a packet goes to an IP belonging to an AS registered with a certain geolocation, the AS can switch that packet to wherever it wants.

Geolocating IP addresses is very flawed and making maps from such data is bad science.

While the other commenters may be correct and seem to know more about this than I, almost every time I've seen stuff geolocate to "Kansas" it's geolocating to the United States, with no further level of detail available. The mapping software finds the geographic center of the United States (which is somewhere in Kansas) and puts it there

I suspect this is partly due to how notoriously overpriced and under-performing Australian internet access is.

I'm wondering if this might because Australia has less traffic per node, so most of the Australian nodes aren't reaching the display threshold (top 500 or whatever nodes).

This is traffic between relays, not Tor users.

Then you're missing half of the point of Tor, the other half being hidden services which don't require an exit node at all.

Can you elaborate?

If you use encryption you don't need to.