[anti-censorship-team] Significant ?? country users of snowflake-01 in August 2024

[David Fifield]

On Thu, Sep 05, 2024 at 10:15:16PM -0400, Nathan of Guardian wrote:
> 
> On Thu, Sep 5, 2024, at 3:05 PM, David Fifield wrote:
> > Did something happen on 2024-08-13? Is this a new source of proxies with
> > an implementation bug? Some kind of attack? (Against the bridge?)
> >
> 
> We rolled out a new release of Orbot around then. Are you saying this is an issue with Snowflake proxies, not clients?
> 
> I can review more deeply tomorrow.

It is the proxy that reports the client IP address to the bridge, not
the client. The "client IP address" is just the IP address of the
proxy's WebRTC peer. The proxy attaches that information in a
?client_ip=X.X.X.X URL query parameter in its initial WebSocket HTTP
request to the bridge.

I think it's unlikely that a change in Orbot would manifest this way. If
that were the case, in the ratio N/D, the total D would stay the same,
but the address-reporting fraction N would go down. (The same old bunch
of proxies, except a few are malfunctioning and not reporting the
address.) Whereas in this case, we have N staying the same, with D going
up. Facially, that means that there are more proxies now than before,
and the "new" ones are not reporting addresses.

One possibility, I suppose, is that an Orbot upgrade caused a subset of
existing proxies not only to stop reporting client_ip, but also to fail
connections, period. (Or fail probabilistically, perhaps.) That might
cause the total number of apparent connections (D) to increase, while
clients retry until they find a working proxy, keeping the number of
client_ip connections (N) the same. I am not sure exactly at what point
a "connection" is counted inside snowflake-server for purposes of the
N/D ratio.