On Tue, 13 Dec 2016 16:26:02 -0500 David Goulet <dgoulet@ev0ke.net> wrote:
On 13 Dec (21:11:17), Yawning Angel wrote:
On Tue, 13 Dec 2016 10:37:31 -0800 David Fifield <david@bamsoftware.com> wrote:
This is a bit of a followup to my earlier post on obfs4 bridges with formulaic nicknames: https://lists.torproject.org/pipermail/tor-project/2016-November/000809.html
Those bridges are still there, but today I noticed a new weirdness: 756 bridges all having the nickname "ki". 756 is 21.8% of the total number, 3464. At the moment, "ki" far outnumbers every other nickname, apart from "Unnamed":
[snip]
Should both groups be dropped at the BridgeAuth or what? As far as I am aware, there is nothing that is doing Sybil detection at the Bridge level, and I don't really think that's an arms race that's winnable (even at the standard relay level, it feels like an uphill battle).
If I were to hypothesize, it's probably someone's botnet/malware or something (in both cases), but that's just a guess and it could be something either more nefarious, or more benign.
Yes, we should be safe here and reject those.
Looking forward...
What are we going to do/can we do when the person wises up and changes the bridge naming scheme?
IMO we *should* run as much of the sybil detection stuff that we can on bridges, but this relies on code that someone has to write, and infrastructure that someone has to set up, so my opinion probably doesn't count for much since I do not have the time to do either. Should our Bridge anomaly detector have access to unsanitized bridge descriptors? Does it need to?
Regards,
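A frequency check in the spirit of the thread, added here as an example and not code from the thread, the BridgeAuth, or any Tor tool: it reads the nickname from bridge descriptor "router" lines, counts how often each one appears, and flags any nickname shared by an unusually large fraction of bridges, skipping the default "Unnamed". The sample descriptor lines, the thresholds and the ROUTER_LINE pattern are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of bridge server-descriptor "router" lines (not real
# descriptors): "router <nickname> <address> <ORPort> <SOCKSPort> <DirPort>".
# Addresses are placeholders in the sanitized 10.x.x.x style.
SAMPLE_DESCRIPTORS = """\
router ki 10.0.0.1 443 0 0
router ki 10.0.0.2 443 0 0
router ki 10.0.0.3 9001 0 0
router ki 10.0.0.4 9001 0 0
router Unnamed 10.0.0.5 9001 0 0
router Unnamed 10.0.0.6 9001 0 0
router Unnamed 10.0.0.7 9001 0 0
router honestbridge 10.0.0.8 9001 0 0
router anotherone 10.0.0.9 443 0 0
router ki 10.0.0.10 443 0 0
"""

# Assumed shape of a "router" line; any other descriptor line is ignored.
ROUTER_LINE = re.compile(r"^router\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def nicknames(descriptors):
    """Yield the nickname from every 'router' line in the descriptor text."""
    for line in descriptors.splitlines():
        m = ROUTER_LINE.match(line)
        if m:
            yield m.group(1)


def flag_shared_nicknames(descriptors, min_count=5, min_share=0.05,
                          ignore=("Unnamed",)):
    """Return {nickname: (count, share)} for nicknames used by at least
    min_count bridges AND by at least min_share of all bridges.  Names in
    `ignore` (the default 'Unnamed') are never flagged."""
    counts = Counter(nicknames(descriptors))
    total = sum(counts.values())
    flagged = {}
    for name, n in counts.items():
        if total == 0 or name in ignore:
            continue
        share = n / total
        if n >= min_count and share >= min_share:
            flagged[name] = (n, round(share, 4))
    return flagged


if __name__ == "__main__":
    for name, (n, share) in sorted(flag_shared_nicknames(SAMPLE_DESCRIPTORS).items()):
        print(f"{name}: {n} bridges ({share:.1%} of all bridges)")
```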