This is curious: Appears a large number of Tor client-bots have set
UseEntryGuards 0
From current relays that have never had the guard flag:
extra-info moep DA8C1123CDB3ACD3B36CD7E7CEFBEA685DED2276 entry-ips us=360,de=296,fr=232,it=192,es=160,jp=104,ru=104,br=96,ir=96. . .
extra-info motor BBBBBAD453263D786EC34AB68A06214288910345 entry-ips us=392,de=352,fr=344,it=312,es=248,ru=136,br=128. . .ir=104. . .
extra-info BaconPancakes B5882F8BA0AA89BCA4101A893A6116006D229496 entry-ips de=832,us=800,fr=776,it=776,es=600,br=336,pl=304,gb=296. . .
And reaching back in time to a fast relay at birth, twelve hours prior to receiving the initial Guard flag assignment:
consensuses-2014-04/21/2014-04-21-23-00-00-consensus ==================================================== r bauruine202 9Zbhse+Y4d273JNNtyKvVAaYaPY yp4BOAjicQhv1Pb1RMAzbejupVw s Fast HSDir Running Unnamed V2Dir Valid v Tor 0.2.4.21 w Bandwidth=27100
server-descriptors-2014-04/c/a/ca9e013808e271086fd4f6f544c0336de8eea55c ======================================================================= router bauruine202 62.210.137.230 8443 0 8080 platform Tor 0.2.4.21 on Linux published 2014-04-21 22:04:49 fingerprint F596 E1B1 EF98 E1DD BBDC 934D B722 AF54 0698 68F6 uptime 620454 (7 DAYS 4 HOURS 21 MINUTES) bandwidth 15728640 20971520 16192064 extra-info-digest D7E071CF34679666DD9D80AB5F24020522D63F00
extra-infos-2014-04/d/7/d7e071cf34679666dd9d80ab5f24020522d63f00 ================================================================ extra-info bauruine202 F596E1B1EF98E1DDBBDC934DB722AF54069868F6 published 2014-04-21 22:04:49 entry-stats-end 2014-04-21 17:43:50 (86400 s) !!!entry-ips de=57728,us=48520,es=44432,fr=39688,br=38264,it=32816. . .
Well over 100,000 client contacts here before the Guard flag was ever assigned.
At 11:11 8/19/2015 -0400, you wrote:
My relay says it receives about 50k v1/v2/v3 connections each day to the 60k v4 connections that come in.
"Entry-ips" says it has about 35k guard- clients. Blutmagie says there are no pre-0.2.4 relays talking anything other than v4.
So I'm left thinking that 95% or more of the bandwidth consumption and client count is from crusty old botnet bots running ancient versions of the Tor daemon.
But all that bot traffic creates a lot of statistical "background noise," and so may be providing a service in making it more difficult for advanced adversaries to perform traffic correlation analysis.
Thoughts anyone?