My relay says it receives about 50k v1/v2/v3 connections each day to the 60k v4 connections that come in.
"Entry-ips" says it has about 35k guard clients. Blutmagie says there are no pre-0.2.4 relays talking anything other than v4.
So I'm left thinking that 95% or more of the bandwidth consumption and client count is from crusty old botnet bots running ancient versions of the Tor daemon.
But all that bot traffic creates a lot of statistical "background noise," and so may be providing a service in making it more difficult for advanced adversaries to perform traffic correlation analysis.
Thoughts anyone?
Would be interesting to have an outdated-consensus handling deprecated relays just for statistics, or maybe also to set them all to flagged as bad or throttle them somehow?
On Wednesday, 19 August 2015 at 17:11, starlight.2015q3@binnacle.cx wrote:
> My relay says it receives about 50k v1/v2/v3 connections each day to the 60k v4 connections that come in.
> "Entry-ips" says it has about 35k guard clients. Blutmagie says there are no pre-0.2.4 relays talking anything other than v4.
> So I'm left thinking that 95% or more of the bandwidth consumption and client count is from crusty old botnet bots running ancient versions of the Tor daemon.
> But all that bot traffic creates a lot of statistical "background noise," and so may be providing a service in making it more difficult for advanced adversaries to perform traffic correlation analysis.
> Thoughts anyone?
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Just thoughts: To throttle, how about assigning a twisted consensus weight to outdated versions? Highest consensus weight to the slowest relays and vice versa? Wouldn't they overload/throttle themselves nicely?
On Sunday, 23 August 2015 at 10:24, tor-server-creator@use.startmail.com wrote:
> Would be interesting to have an outdated-consensus handling deprecated relays just for statistics, or maybe also to set them all to flagged as bad or throttle them somehow?
> On Wednesday, 19 August 2015 at 17:11, starlight.2015q3@binnacle.cx wrote:
>> My relay says it receives about 50k v1/v2/v3 connections each day to the 60k v4 connections that come in.
>> "Entry-ips" says it has about 35k guard clients. Blutmagie says there are no pre-0.2.4 relays talking anything other than v4.
>> So I'm left thinking that 95% or more of the bandwidth consumption and client count is from crusty old botnet bots running ancient versions of the Tor daemon.
>> But all that bot traffic creates a lot of statistical "background noise," and so may be providing a service in making it more difficult for advanced adversaries to perform traffic correlation analysis.
>> Thoughts anyone?
At 11:11 8/19/2015 -0400, you wrote:
> But all that bot traffic creates a lot of statistical "background noise," and so may be providing a service in making it more difficult for advanced adversaries to perform traffic correlation analysis.
> Thoughts anyone?
Here is one excellent reason to love Bot traffic:
The Latest Rules on How Long NSA Can Keep Americans' Encrypted Data Look Too Familiar, by Marshall Erwin, January 22, 2015
https://www.justsecurity.org/19308/congress-latest-rules-long-spies-hold-enc...
Recently-enacted legislation permits the NSA to retain all US domestic "incidentally collected" encrypted traffic they think might be of interest _forever_ with the idea that it might be decrypted or analyzed more completely with future technology.
So the more garbage flung around by bots, the better (as long as Tor remains usable), as it increases the difficulty and cost of storing Tor traffic by orders of magnitude.
On Sun, Aug 23, 2015 at 10:45 PM, starlight.2015q3@binnacle.cx wrote:
> So the more garbage flung around by bots, the better (as long as Tor remains usable), as it increases the difficulty and cost of storing Tor traffic by orders of magnitude.
This may not be in the interest of tax-paying Americans, considering that NSA is a government agency. More bot traffic won't increase the "difficulty", I think NSA can figure that out. It will however increase the cost, which simply means that they need a bigger budget.
This is curious: Appears a large number of Tor client-bots have set
UseEntryGuards 0
From current relays that have never had the guard flag:
extra-info moep DA8C1123CDB3ACD3B36CD7E7CEFBEA685DED2276 entry-ips us=360,de=296,fr=232,it=192,es=160,jp=104,ru=104,br=96,ir=96. . .
extra-info motor BBBBBAD453263D786EC34AB68A06214288910345 entry-ips us=392,de=352,fr=344,it=312,es=248,ru=136,br=128. . .ir=104. . .
extra-info BaconPancakes B5882F8BA0AA89BCA4101A893A6116006D229496 entry-ips de=832,us=800,fr=776,it=776,es=600,br=336,pl=304,gb=296. . .
And reaching back in time to a fast relay at birth, twelve hours prior to receiving the initial Guard flag assignment:
consensuses-2014-04/21/2014-04-21-23-00-00-consensus
====================================================
r bauruine202 9Zbhse+Y4d273JNNtyKvVAaYaPY yp4BOAjicQhv1Pb1RMAzbejupVw
s Fast HSDir Running Unnamed V2Dir Valid
v Tor 0.2.4.21
w Bandwidth=27100

server-descriptors-2014-04/c/a/ca9e013808e271086fd4f6f544c0336de8eea55c
=======================================================================
router bauruine202 62.210.137.230 8443 0 8080
platform Tor 0.2.4.21 on Linux
published 2014-04-21 22:04:49
fingerprint F596 E1B1 EF98 E1DD BBDC 934D B722 AF54 0698 68F6
uptime 620454 (7 DAYS 4 HOURS 21 MINUTES)
bandwidth 15728640 20971520 16192064
extra-info-digest D7E071CF34679666DD9D80AB5F24020522D63F00

extra-infos-2014-04/d/7/d7e071cf34679666dd9d80ab5f24020522d63f00
================================================================
extra-info bauruine202 F596E1B1EF98E1DDBBDC934DB722AF54069868F6
published 2014-04-21 22:04:49
entry-stats-end 2014-04-21 17:43:50 (86400 s)
!!!entry-ips de=57728,us=48520,es=44432,fr=39688,br=38264,it=32816. . .
Well over 100,000 client contacts here before the Guard flag was ever assigned.
At 11:11 8/19/2015 -0400, you wrote:
> My relay says it receives about 50k v1/v2/v3 connections each day to the 60k v4 connections that come in.
> "Entry-ips" says it has about 35k guard clients. Blutmagie says there are no pre-0.2.4 relays talking anything other than v4.
> So I'm left thinking that 95% or more of the bandwidth consumption and client count is from crusty old botnet bots running ancient versions of the Tor daemon.
> But all that bot traffic creates a lot of statistical "background noise," and so may be providing a service in making it more difficult for advanced adversaries to perform traffic correlation analysis.
> Thoughts anyone?
On Mon, Sep 07, 2015 at 10:30:38AM -0400, starlight.2015q3@binnacle.cx wrote:
> This is curious: Appears a large number of Tor client-bots have set
> UseEntryGuards 0
> From current relays that have never had the guard flag:
> extra-info moep DA8C1123CDB3ACD3B36CD7E7CEFBEA685DED2276 entry-ips us=360,de=296,fr=232,it=192,es=160,jp=104,ru=104,br=96,ir=96. . .
These are likely clients using a version from before we introduced directory guards. So they probably use entry guards like normal, and they just choose relays at random to fetch their directory info.
This is why relays report dirreq-v3-reqs lines (number of v3 consensus requests) in their extra-info descriptors too, and not just total connection counts.
Hope that helps,
--Roger
On Tue, 8 Sep 2015 02:03:07 -0400 Roger Dingledine arma@mit.edu wrote:
> On Mon, Sep 07, 2015 at 10:30:38AM -0400, starlight.2015q3@binnacle.cx wrote:
>> This is curious: Appears a large number of Tor client-bots have set
>> UseEntryGuards 0
>> From current relays that have never had the guard flag:
>> extra-info moep DA8C1123CDB3ACD3B36CD7E7CEFBEA685DED2276 entry-ips us=360,de=296,fr=232,it=192,es=160,jp=104,ru=104,br=96,ir=96. . .
> These are likely clients using a version from before we introduced directory guards. So they probably use entry guards like normal, and they just choose relays at random to fetch their directory info.
> This is why relays report dirreq-v3-reqs lines (number of v3 consensus requests) in their extra-info descriptors too, and not just total connection counts.
This does present us with an opportunity to gain an actual estimate for the number of botnet clients since there's a way to distinguish them from normal users.
Not sure if we'd require actual metrics or if this is just a matter of analysis.
Regards,
On Wed, Aug 19, 2015 at 11:11:59AM -0400, starlight.2015q3@binnacle.cx wrote:
> So I'm left thinking that 95% or more of the bandwidth consumption and client count is from crusty old botnet bots running ancient versions of the Tor daemon.
Client count (for non guards), yes I think that's a fair guess. Bandwidth consumption, I don't think so. Last I heard, the main set of bots running old Tor versions were basically idle -- they try to phone home to their onion service command-and-control center periodically, but they aren't being used by it.
That is, the botnet operator added Tor clients to some of his infected click fraud computers because it seemed like a good idea at the time, but then later he decided that it wasn't a worthwhile idea.
It still adds a lot of numbers to client counts, since we estimate number of clients by how many directory fetches happen. And it still adds a lot of circuits, since a million or however many bots making onion service connections periodically will soak up a lot of circuits. But I think they use a very small amount of bandwidth each.
This ties into another fine question: how do we communicate to the next jerk in the Ukraine that the previous one actually decided it wasn't worth doing? I can easily imagine some new botnet operator deciding that it's way cool so of course he should do it too. Maybe they share notes in their underground forums. I'm not sure.
--Roger
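As an added example (not code from this thread, and not Tor's own code), here is a small Python parser for the extra-info statistics lines discussed above (entry-ips, dirreq-v3-ips, dirreq-v3-reqs, dirreq-v3-resp), together with the two checks Roger's replies point at: estimating clients from how many consensus fetches a relay served, and comparing entry-ips against dirreq-v3-ips on a relay without the Guard flag to see how many entry connections are explained by directory fetches. The descriptor text and every number in it are constructed for the example; the ten-requests-per-client-per-day divisor (modelled on how Tor Metrics turns request counts into user counts) and the rounding of counts to multiples of 8 are stated as assumptions in the code.

```python
"""Parse Tor relay extra-info statistics and turn them into client estimates.

Added example for the tor-relays thread above; not Tor's own code. The
descriptor text below is a constructed sample in the dir-spec line formats
(entry-ips, dirreq-v3-ips, dirreq-v3-reqs, dirreq-v3-resp); its values are
made up. REQUESTS_PER_CLIENT_PER_DAY and ROUNDING are assumptions about client
and relay behaviour, not figures taken from the thread.
"""

# Constructed sample: one extra-info descriptor with a 24-hour stats interval.
SAMPLE_EXTRA_INFO = """\
extra-info example-relay 0000000000000000000000000000000000000000
published 2015-09-07 00:00:00
entry-stats-end 2015-09-07 00:00:00 (86400 s)
entry-ips us=360,de=296,fr=232,it=192,es=160,jp=104,ru=104,br=96,ir=96
dirreq-stats-end 2015-09-07 00:00:00 (86400 s)
dirreq-v3-ips us=40,de=32,fr=24,it=24,es=16,jp=8,ru=8,br=8,ir=8
dirreq-v3-reqs us=48,de=40,fr=32,it=24,es=16,jp=16,ru=8,br=8,ir=8
dirreq-v3-resp ok=192,not-enough-sigs=0,unavailable=0,not-found=0,not-modified=8,busy=0
"""

REQUESTS_PER_CLIENT_PER_DAY = 10   # assumption: consensus fetches per client per day
ROUNDING = 8                       # assumption: relays round these counts up to multiples of 8

COUNT_LINES = ("entry-ips", "dirreq-v3-ips", "dirreq-v3-reqs", "dirreq-v3-resp")
INTERVAL_LINES = ("entry-stats-end", "dirreq-stats-end")


def parse_kv_list(value):
    """'us=360,de=296' -> {'us': 360, 'de': 296}; an empty value gives {}."""
    result = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, count = item.partition("=")
        result[key] = int(count)
    return result


def parse_extra_info(text):
    """Collect the statistics lines from one extra-info descriptor.

    Count lines become dicts; stats-end lines become the interval length in
    seconds, taken from the '(N s)' suffix. All other lines are ignored.
    """
    stats = {}
    for line in text.splitlines():
        keyword, _, rest = line.partition(" ")
        if keyword in COUNT_LINES:
            stats[keyword] = parse_kv_list(rest)
        elif keyword in INTERVAL_LINES:
            stats[keyword] = int(rest.rsplit("(", 1)[1].split()[0])
    return stats


def clients_per_country(stats):
    """Estimate clients per country from consensus requests, scaled to one day."""
    interval = stats.get("dirreq-stats-end", 86400)
    per_day = 86400 / interval
    return {cc: round(n * per_day / REQUESTS_PER_CLIENT_PER_DAY, 1)
            for cc, n in stats.get("dirreq-v3-reqs", {}).items()}


def clients_from_responses(stats):
    """Estimate total clients from consensuses actually served (ok responses)."""
    interval = stats.get("dirreq-stats-end", 86400)
    ok = stats.get("dirreq-v3-resp", {}).get("ok", 0)
    return round(ok * (86400 / interval) / REQUESTS_PER_CLIENT_PER_DAY, 1)


def entries_not_explained_by_dirreqs(stats):
    """Per country: entry-ips minus dirreq-v3-ips, ignoring differences within rounding.

    On a relay that never had the Guard flag, entry addresses that did not
    fetch directory information are the ones not explained by old clients
    picking random relays as directory caches.
    """
    entry = stats.get("entry-ips", {})
    dirreq = stats.get("dirreq-v3-ips", {})
    out = {}
    for cc, n in entry.items():
        diff = n - dirreq.get(cc, 0)
        if diff > ROUNDING:
            out[cc] = diff
    return out


if __name__ == "__main__":
    s = parse_extra_info(SAMPLE_EXTRA_INFO)
    print("clients per country:", clients_per_country(s))
    print("clients from ok responses:", clients_from_responses(s))
    print("entry addresses not explained by directory requests:",
          entries_not_explained_by_dirreqs(s))
```

Feeding it a real relay's extra-info descriptor instead of the sample is a matter of replacing SAMPLE_EXTRA_INFO; the stats-end interval is honoured, so descriptors covering less than a full day are scaled rather than misread as daily totals.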