Trying to understand how the Cloudflare onion routing principle works

Once I noticed that many websites that include constant interaction with themselves (for example those that provide information that should be updated in real time, like account marketplaces or currency exchange sites and so on) eventually disappear in onion circuits while at the same time interaction with them still occurs. But at the same time there appear many, many connections to some onion addresses that are always different but always start with “claud”. When I investigated it a little I found out about the Cloudflare routing mechanism. I have read articles about it but I don’t have the technical knowledge to understand whether it can be a threat or, on the contrary, good.
Do I understand this mechanism right? When the owner of a website has enabled Tor Cloudflare routing and a Tor user connects to his site, then he (the user) gets a special header that tells Tor Browser what circuit it should build and that it should use a special Cloudflare onion node as the exit node for this circuit? But what I see in my onion circuits is that Tor always builds many circuits to connect to many different, unknown onion addresses starting with “claudflare”. So these addresses are considered to be those “exit nodes”? And Cloudflare somehow uses them to establish constant interaction with the target website?
If I understood all this correctly, then why do they say that it’s safer and more anonymous than the usual straight connection? They say that this way they can somehow distinguish “legal” Tor users from abusers. That sounds not so anonymous. 🙂 How can they do all this without breaking the user’s anonymity? Isn’t replacing an exit node with their own a weakening of anonymity, not a strengthening of it?

1 Like

No, not exactly as you described it.

I read this article too and this is one of the reasons why I am confused. They say:

“Tor users no longer access your site via exit nodes, which can sometimes be compromised, and may snoop on user traffic”.
Why do they say that Tor users no longer access the site via exit nodes? Then what do they use instead of exit nodes? Exit nodes provided by Cloudflare? The only thing I have always seen was normal Tor circuits connected to always different Cloudflare onion addresses. The only thing I can assume is that they mean that these addresses serve as additional fourth nodes by which users connect to those sites. Did I get that right?

“Human Tor users and bots can be distinguished by our Onion services, such that interactive challenges are only served to malicious bot traffic”.
If my previous assumption was correct, then it means that those Cloudflare addresses (additional nodes) analyze users’ traffic and determine, through specific patterns, what traffic is generated by a human and what traffic is generated by a bot. Am I correct?

1 Like

Here is a more detailed Cloudflare blog article:

This is enough information to answer your questions, so let’s start with the most important concept, rendezvous points:

When connecting to a Tor onion service, a rendezvous point is created as the third relay for the client to use to establish a connection with the server. So, the third relay is no longer an exit relay in the sense that it “exits” to the clearnet, but rather that its traffic between the client and server stays in the internal Tor network. This is how Cloudflare is able to avoid using Tor exit relays, by presumably generating a Tor onion service for the domain, then providing an Alternative Service header within the HTTP response to redirect to it using the rendezvous point.

To deal with legitimate users and malicious bot traffic, Cloudflare uses the Proxy Protocol header and sends the Tor circuit number as an IPv6 address in an unused range within the header whenever a packet is forwarded to the server. As directly quoted from the Cloudflare blog article:

This allows explicit identification of each Tor circuit number, so if malicious activity occurs on them, it can be isolated and dealt with using the methods mentioned in the last sentence of the quote above.

1 Like
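The server side of the mechanism described in the answer above, as an added example that is not part of the thread and is not Cloudflare's code: it parses a PROXY protocol v1 line, recovers the circuit ID from the synthetic IPv6 source address, and flags circuits that open too many connections. The `fc00:dead:beef:4dad::/64` prefix and the low-32-bit encoding follow the tor manual's description of `HiddenServiceExportCircuitID haproxy` and are not stated in this thread; the function names, sample headers and threshold are constructed.

```python
import ipaddress
from collections import Counter

# Prefix Tor uses for the synthetic source address, per the tor manual's
# HiddenServiceExportCircuitID haproxy description (assumption: not from this thread).
CIRCUIT_PREFIX = ipaddress.ip_network("fc00:dead:beef:4dad::/64")


def circuit_id(header: bytes):
    """Return the 32-bit circuit ID carried in a PROXY v1 line, or None."""
    # PROXY v1 is a single CRLF-terminated ASCII line of at most 107 bytes.
    if not header.endswith(b"\r\n") or len(header) > 107:
        return None
    parts = header[:-2].decode("ascii", "replace").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] != "TCP6":
        return None
    try:
        src = ipaddress.IPv6Address(parts[2])
    except ValueError:
        return None
    if src not in CIRCUIT_PREFIX:
        return None  # an ordinary client address, not a circuit marker
    return int(src) & 0xFFFFFFFF  # circuit ID sits in the low 32 bits


def circuits_over_limit(headers, limit):
    """Count connections per circuit; return sorted IDs seen more than `limit` times."""
    counts = Counter()
    for h in headers:
        cid = circuit_id(h)
        if cid is not None:
            counts[cid] += 1
    return sorted(c for c, n in counts.items() if n > limit)


# Constructed sample headers: circuit 42 connects three times, circuit 7 once,
# and one line carries a normal (non-Tor) documentation address.
SAMPLE = [
    b"PROXY TCP6 fc00:dead:beef:4dad::2a ::1 65535 42\r\n",
    b"PROXY TCP6 fc00:dead:beef:4dad::2a ::1 65535 42\r\n",
    b"PROXY TCP6 fc00:dead:beef:4dad::7 ::1 65535 42\r\n",
    b"PROXY TCP6 2001:db8::1 ::1 40000 443\r\n",
    b"PROXY TCP6 fc00:dead:beef:4dad::2a ::1 65535 42\r\n",
]

if __name__ == "__main__":
    print(circuits_over_limit(SAMPLE, limit=2))
```

The server only ever sees the circuit number, which identifies a circuit and not a user or IP address, so limits applied this way act on one circuit at a time.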

Ok, it’s hard to assimilate so much text in English, but if I understood it right it’s just exactly what I was talking about in the last comment. There are three nodes (entry + middle + exit). The exit node connects to the onion service provided by Cloudflare and this service re-routes everything to the destination site. So this way the onion service serves as an exit node for the destination site.

1 Like

No, there are six Tor relays used total. Quoted from the Tor Project page linked earlier:

2 Likes