Roger Dingledine:
On Fri, Jan 29, 2021 at 12:34:28AM +0100, nusenu wrote:
If dir auths (some or all) are willing to share (privately or publicly) the distribution of attack load (frequency, bandwidth, ...) by exit source IP in total or relative values, I can correlate this data to strengthen a hypothesis that malicious/suspicious exits are involved to a greater extent than well-known long term exits.
I'll send you out-of-band a little snapshot of requests from relay IP addresses -- 160k requests over a 24 minute period from yesterday early evening.
I've looked at the data and found no clear indicators to support a hypothesis that malicious/suspicious exit operators are involved to a greater extent than others, but I'm not sure if 24 minutes is enough to draw any conclusions. 24 hours would probably be more suitable.
Expected request frequency for exit IPs would also be interesting when looking at and evaluating such data.
At one point later in the evening I was getting several tens of millions of requests per hour. That's when I started to realize that exit relay operators were probably seeing this increased load too.
Did any exit operator actually see increased load on their exits?
kind regards, nusenu