[tor-bugs] #13287 [Tor]: Investigate mysterious 24-hour lump in hsdir desc fetches

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 29 17:37:00 UTC 2014


#13287: Investigate mysterious 24-hour lump in hsdir desc fetches
------------------------+------------------------------
     Reporter:  arma    |      Owner:
         Type:  task    |     Status:  new
     Priority:  normal  |  Milestone:  Tor: 0.2.???
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  SponsorR, tor-hs
Actual Points:          |  Parent ID:
       Points:          |
------------------------+------------------------------

Comment (by arma):

 Replying to [ticket:13287 arma]:
 > special asked me about TAP vs NTor handshakes in that period. I have them only in six hour chunks, but here they are:
 > {{{
 > Sep 27 17:15:38.409 [notice] Circuit handshake stats since last time: 8147/8147 TAP, 1679/1679 NTor.
 > Sep 27 23:15:38.468 [notice] Circuit handshake stats since last time: 83002/83004 TAP, 3420/3420 NTor.
 > Sep 28 05:15:38.710 [notice] Circuit handshake stats since last time: 208974/208980 TAP, 3859/3859 NTor.
 > Sep 28 11:15:38.662 [notice] Circuit handshake stats since last time: 273477/273487 TAP, 2835/2835 NTor.
 > Sep 28 17:15:38.897 [notice] Circuit handshake stats since last time: 241216/241222 TAP, 2817/2817 NTor.
 > Sep 28 23:15:38.673 [notice] Circuit handshake stats since last time: 126686/126717 TAP, 2637/2637 NTor.
 > }}}
 >
 > If my next entry is indeed much lower on TAP, that would argue that these hsdesc fetches were made by TAP-using clients, which is another vote for the botnet C&C theory.

 {{{
 Sep 29 05:15:38.627 [notice] Circuit handshake stats since last time: 1113/1113 TAP, 2629/2629 NTor.
 Sep 29 11:15:38.713 [notice] Circuit handshake stats since last time: 1271/1271 TAP, 2775/2775 NTor.
 }}}

 Looks like it matches the theory.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13287#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
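
Added example (not part of the ticket or of Tor's code): a Python parser for the handshake-stats notices quoted in the comment above. It undoes the mail archive's line wrapping and quote markers, then flags the six-hour windows where TAP volume far exceeds NTor volume in the same window, which normalises for overall relay load. Reading each pair as done/requested and the 10x threshold are assumptions.

```python
import re
from typing import NamedTuple

# Log excerpt copied from the ticket comment, with its wrapping and ">" markers.
SAMPLE = """\
> Sep 27 17:15:38.409 [notice] Circuit handshake stats since last time:
8147/8147 TAP, 1679/1679 NTor.
> Sep 27 23:15:38.468 [notice] Circuit handshake stats since last time:
83002/83004 TAP, 3420/3420 NTor.
> Sep 28 05:15:38.710 [notice] Circuit handshake stats since last time:
208974/208980 TAP, 3859/3859 NTor.
> Sep 28 11:15:38.662 [notice] Circuit handshake stats since last time:
273477/273487 TAP, 2835/2835 NTor.
> Sep 28 17:15:38.897 [notice] Circuit handshake stats since last time:
241216/241222 TAP, 2817/2817 NTor.
> Sep 28 23:15:38.673 [notice] Circuit handshake stats since last time:
126686/126717 TAP, 2637/2637 NTor.
Sep 29 05:15:38.627 [notice] Circuit handshake stats since last time:
1113/1113 TAP, 2629/2629 NTor.
Sep 29 11:15:38.713 [notice] Circuit handshake stats since last time:
1271/1271 TAP, 2775/2775 NTor.
"""

STATS_RE = re.compile(
    r"(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\.\d+\s+\[notice\]\s+Circuit handshake "
    r"stats since last time:\s+(\d+)/(\d+) TAP,\s+(\d+)/(\d+) NTor\.")

class Window(NamedTuple):
    end: str        # timestamp of the notice that closes the window
    tap_done: int   # first number of the TAP pair (meaning assumed)
    tap_req: int    # second number of the TAP pair (meaning assumed)
    ntor_done: int
    ntor_req: int
    @property
    def tap_per_ntor(self) -> float:
        return self.tap_req / self.ntor_req if self.ntor_req else float("inf")

def parse_windows(text: str) -> list:
    # Strip quote markers and rejoin wrapped lines before matching.
    flat = " ".join(l.lstrip("> ").strip() for l in text.splitlines())
    return [Window(m[1], *map(int, m.groups()[1:])) for m in STATS_RE.finditer(flat)]

def tap_heavy(windows, factor: float = 10.0) -> list:
    # factor is an assumed threshold, not a value from the ticket.
    return [w for w in windows if w.tap_per_ntor > factor]

if __name__ == "__main__":
    for w in parse_windows(SAMPLE):
        print(w.end, f"{w.tap_per_ntor:7.2f}", "TAP-heavy" if tap_heavy([w]) else "")
```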

