[anti-censorship-team] Spike in client polls from Snowflake broker metrics

Cecylia Bocovich cohosh at torproject.org
Sat Sep 2 19:16:59 UTC 2023


On 2023-09-02 14:33, Roger Dingledine wrote:
> On Sat, Sep 02, 2023 at 09:59:39AM -0400, Cecylia Bocovich wrote:
>> The bridge metrics show a small increase in usage on August 30th (the day it
>> stopped), but not for August 28th or 29th, and definitely not proportional
>> to the increase in client polls. This could indicate a DoS attack that only
>> affected the broker, where connections are severed or the SDP information
>> didn't contain enough information to establish a datachannel between the
>> client and matched proxy. Or it could be that most of these polls were
>> coming from a small set of IP addresses.
>>
>> Whatever it was, the biggest consequence was a shortage of proxies with
>> unrestricted NAT types, and that standalone proxies with the default
>> configuration of no limit to the number of clients were OOM killed[0]
> 
> Is this behavior also compatible with somebody who tried to enumerate
> all of the available snowflake proxies?
> 
> That is, this is what it would look like if somebody did an enumeration
> attack on the broker?
> 
> --Roger

Yes, though to be honest I'd expect it to be quieter. I'm sure you could 
get just as much information over the course of three days and not be as 
obvious about it. But yeah, it's very possible that's what this was.

