On Tue, 8 Sep 2015 02:03:07 -0400 Roger Dingledine arma@mit.edu wrote:
> On Mon, Sep 07, 2015 at 10:30:38AM -0400, starlight.2015q3@binnacle.cx wrote:
>> This is curious: Appears a large number of Tor client-bots have set
>> UseEntryGuards 0
>> From current relays that have never had the guard flag:
>> extra-info moep DA8C1123CDB3ACD3B36CD7E7CEFBEA685DED2276
>> entry-ips us=360,de=296,fr=232,it=192,es=160,jp=104,ru=104,br=96,ir=96. . .
>
> These are likely clients using a version from before we introduced directory guards. So they probably use entry guards like normal, and they just choose relays at random to fetch their directory info.
>
> This is why relays report dirreq-v3-reqs lines (number of v3 consensus requests) in their extra-info descriptors too, and not just total connection counts.

This does present us with an opportunity to gain an actual estimate for the number of botnet clients since there's a way to distinguish them from normal users.
Not sure if we'd require actual metrics or if this is just a matter of analysis.
Regards,
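
An added illustration, not part of the original thread and not Tor Project code: a sketch of the analysis discussed above, parsing the `entry-ips` and `dirreq-v3-reqs` lines of an extra-info descriptor and turning the per-country counts into lower and upper bounds. The sample descriptor is constructed, and the bin size of 8 assumes the rounding described in Tor's directory specification (counts rounded up to a multiple of 8).

```python
import re

# Constructed sample, not a real relay: nickname, fingerprint and all counts
# are made up. Only the line keywords follow the extra-info descriptor format.
SAMPLE = """\
extra-info ExampleRelay 0000000000000000000000000000000000000000
published 2015-09-07 12:00:00
dirreq-v3-reqs us=400,de=312,fr=240
entry-ips us=360,de=296,fr=232,??=8
"""

GEO_KEYS = ("entry-ips", "dirreq-v3-reqs")
PAIR = re.compile(r"^([a-z0-9?]{2})=(\d+)$")  # country code or ?? for unknown

def parse_geo(value):
    """Parse 'us=360,de=296' into a dict; skip truncated or malformed items."""
    counts = {}
    for item in filter(None, value.split(",")):
        m = PAIR.match(item.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts

def parse_extra_info(text):
    """Return nickname, fingerprint and per-country maps of one descriptor."""
    desc = {"nickname": None, "fingerprint": None, "entry-ips": {}, "dirreq-v3-reqs": {}}
    for line in text.splitlines():
        keyword, _, rest = line.partition(" ")
        if keyword == "extra-info" and len(rest.split()) == 2:
            desc["nickname"], desc["fingerprint"] = rest.split()
        elif keyword in GEO_KEYS:
            desc[keyword] = parse_geo(rest)
    return desc

def bounds(counts, bin_size=8):
    """Assuming values are rounded up to a multiple of bin_size, a reported
    value v hides a true value between v - bin_size + 1 and v."""
    hi = sum(counts.values())
    lo = sum(max(v - bin_size + 1, 1) for v in counts.values() if v > 0)
    return lo, hi

def summarize(text):
    d = parse_extra_info(text)
    return {"relay": d["nickname"],
            "entry_ips": bounds(d["entry-ips"]),
            "v3_reqs": bounds(d["dirreq-v3-reqs"])}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The gap between the two bounds grows with the number of countries listed, so summing many relays with long country lists widens the estimate rather than sharpening it.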