[anti-censorship-team] Do we expect to have as many standalone Snowflake proxies as we do?

Cecylia Bocovich cohosh at torproject.org
Thu Jul 8 12:54:01 UTC 2021 

On 2021-07-07 11:07 p.m., David Fifield wrote:
> I was looking at https://snowflake-broker.torproject.net/debug just now,
> and saw:
>
> 	current snowflakes available: 317
> 		standalone proxies: 216
> 		browser proxies: 0
> 		webext proxies: 101
> 		unknown proxies: 0
> 	NAT Types available:
> 		restricted: 278
> 		unrestricted: 2
> 		unknown: 37
>
> About 2/3 of proxies are standalone, which is more than I would have
> supposed. Has there been word getting out about how to run one, or
> something?

The snowflake metrics (looking at proxy counts each day by unique IP)
indeed show an increase in the number of standalone proxies, but it's
not quite 2/3. I've attached a plot of the number of standalone proxies
for the last few months and it looks like it jumped suddenly in May and
June to around 2-3k. Comparing this with total proxy counts that have
jumped up to 10k, it looks like around 1/4 of our proxies are now
standalone.

The higher poll rate relative to the metrics could be explained by the
fact that each standalone proxy by default polls for 10 clients, and at
a higher rate than web-based proxies, so the debug numbers will always
look higher than the actual metrics.

I am still surprised by the sudden increase in standalone proxies, and
that we have so many unique IPs. We have done a few things to make it
easier to run one:
- Jacobo's ansible playbook
- our community documentation improvements
- Docker container-based set up
But none of these to me suggest that we could jump up to 2k
uniquesnowflakes in a month.

More realistically, I think this might be due to misconfigured Orbot
proxies. I just had a look at the Orbot source code, because I
remembered them mentioning they wanted to allow users to use snowflake
as a Tor PT and behave as a proxy:

https://github.com/guardianproject/orbot/blob/920a4e30a6624bc79eeef252a30cf9924d348643/orbotservice/src/main/java/org/torproject/android/service/OrbotService.java#L393

The IptProxy source code uses a patchset on the Go proxy code and it
looks like they aren't changing the proxy type reported to the broker:

https://github.com/tladesignz/IPtProxy/blob/master/snowflake.patch

So my guess is these standalone proxies are from Orbot users, which
would also explain why many of them also have restricted NATs as meskio
pointed out :) I'll reach out them about it since I have a draft email
about other IptProxy work in progress.

Cecylia

-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone.png
Type: image/png
Size: 25870 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/anti-censorship-team/attachments/20210708/118ac01b/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: total-proxies.png
Type: image/png
Size: 52846 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/anti-censorship-team/attachments/20210708/118ac01b/attachment-0001.png>

More information about the anti-censorship-team mailing list