On Tue, Mar 14, 2017 at 12:02:46AM +0000, Matthew Finkel wrote:
> But I spoke with someone at IFF from the region last week and their current thought is that this is caused by some group running a bot (of some kind)
Typically botnets have victims in many countries, though, right? How did they manage to contain their bots to just UAE hosts?
(Geofenced malicious ads? A vulnerability in an app that only UAE people install? Malware on a government website that many people need to visit? Or maybe the bots are more widespread, but for some reason the bot operator chose to only transition the UAE hosts to using Tor?)
> dirreq-v3-ips ae=115824,in=2504,nl=1256,us=888,jo=728,[...]
> dirreq-v3-reqs ae=495328,nl=14928,us=7696,in=5136,gb=4168,[...]
> bridge-ips ae=144992,in=4248,nl=1344,us=1104,jo=952,[...]
Those are huge numbers, and they convince me that the phenomenon is real -- there really are many many Tor clients connecting from many many different IP addresses.
That said, when they shifted from vanilla Tor connections to bridge connections... they all shifted to one bridge? That lends a lot of credibility to the "a bunch of Tor clients, all using the same configuration, so it's all really coordinated" point.
--Roger