On Wed, Aug 19, 2015 at 11:11:59AM -0400, starlight.2015q3@binnacle.cx wrote:
> So I'm left thinking that 95% or more of the bandwidth consumption and client count is from crusty old botnet bots running ancient versions of the Tor daemon.
Client count (for non-guards), yes, I think that's a fair guess. Bandwidth consumption, I don't think so. Last I heard, the main set of bots running old Tor versions were basically idle -- they try to phone home to their onion service command-and-control center periodically, but they aren't being used by it.
That is, the botnet operator added Tor clients to some of his infected click fraud computers because it seemed like a good idea at the time, but then later he decided that it wasn't a worthwhile idea.
It still adds a lot of numbers to client counts, since we estimate number of clients by how many directory fetches happen. And it still adds a lot of circuits, since a million or however many bots making onion service connections periodically will soak up a lot of circuits. But I think they use a very small amount of bandwidth each.
This ties into another fine question: how do we communicate to the next jerk in the Ukraine that the previous one actually decided it wasn't worth doing? I can easily imagine some new botnet operator deciding that it's way cool so of course he should do it too. Maybe they share notes in their underground forums. I'm not sure.
--Roger