David Goulet transcribed 3.0K bytes:
On 13 Dec (16:26:02), David Goulet wrote:
On 13 Dec (21:11:17), Yawning Angel wrote:
On Tue, 13 Dec 2016 10:37:31 -0800 David Fifield david@bamsoftware.com wrote:
This is a bit of a followup to my earlier post on obfs4 bridges with formulaic nicknames: https://lists.torproject.org/pipermail/tor-project/2016-November/000809.html
Those bridges are still there, but today I noticed a new weirdness: 756 bridges all having the nickname "ki". 756 is 21.8% of the total number, 3464. At the moment, "ki" far outnumbers every other nickname, apart from "Unnamed":
[snip]
Should both groups be dropped at the BridgeAuth or what? As far as I am aware, there is nothing that is doing Sybil detection at the Bridge level, and I don't really think that's an arms race that's winnable (even at the standard relay level, it feels like an uphill battle).
If I were to hypothesize, it's probably someone's botnet/malware or something (in both cases), but that's just a guess and it could be something either more nefarious, or more benign.
Yes, we should be safe here and reject those.
What's the procedure with the BridgeAuth? The dirauth-conf git repository isn't made for the bridge authority.
I want to bump this here btw... I don't feel very comfortable with those bridges still around so we should REALLY block them soon.
If I remember correctly, Roger told me on IRC that we either have to go through the BridgeAuth directly with reject rules (unconfirmed) or we block them on BridgeDB.
I need someone with knowledge here and Isis needs to be in the loop as she basically runs both services :).
Thanks! David
Hi!
Sorry, I missed this thread and David kindly made me aware of it last Friday.
I've patched BridgeDB (#21162) and added a file to blacklist these bridges by fingerprint. However, looking at the onionoo results which David originally pasted, the IP addresses are all different (10.x.x.x) in onionoo for the ki bridges. Perhaps something is wrong with onionoo's hashed-IP file thing?
However, looking at both the BridgeAuthority and BridgeDB, these bridges all share only 3 distinct IP addresses. This seems to suggest to me that only 6 of them would have made it into the BridgeAuthority networkstatus-bridges file, since tor only allows 2 instances from any given IP address. Looking at the networkstatus-bridges on BridgeDB, this appears to be the case, and grepping the logs I only see a couple instances of "ki" bridges being added to the database per hour (and each hour these are the same few) so it appears to be the case that nearly none of these were ever distributed.
In any case, the few that made it into the database should now be blacklisted.
Could I maybe request that, if there's something super important you want from me, that the subject be something like "ISIS DO THIS RIGHT NOW", please? I can't read every single mailing in any semblance of a timely fashion if something is actually urgent. Thanks. :)
Best regards,