[tor-bugs] #31252 [Circumvention/BridgeDB]: Equip BridgeDB with anti-bot mechanism
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jul 26 03:16:07 UTC 2019
#31252: Equip BridgeDB with anti-bot mechanism
----------------------------------------+----------------------
Reporter: phw                           | Owner: phw
Type: enhancement                       | Status: assigned
Priority: Medium                        | Milestone:
Component: Circumvention/BridgeDB       | Version:
Severity: Normal                        | Keywords:
Actual Points:                          | Parent ID:
Points: 4                               | Reviewer:
Sponsor:                                |
----------------------------------------+----------------------
BridgeDB sees many bot requests. The ones I've seen cycle over exit relays
to fetch several bridge types (obfs2 (!), obfs3, obfs4, scramblesuit, and
vanilla) from BridgeDB's HTTPS interface. Interestingly, they get most
captchas right.

We don't know who's operating these bots or what they are doing with their
bridges, but we should make BridgeDB more resistant to these attacks. Let's
add a mechanism that allows us to configure request headers that BridgeDB
should ignore, e.g., requests whose user agent contains curl.

Ideally, instead of BridgeDB responding "bots aren't allowed to get
bridges," we could serve an empty response, or a decoy bridge whose only
purpose is to find out what the bot operators are doing with it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31252>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
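
The configurable header filter proposed in this ticket, sketched as an added example (not BridgeDB's code and not part of the original message). The rule format, function names, sample rules and the decoy address are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical rule format (not BridgeDB's): "<header-name> <regex>" per line.
SAMPLE_RULES = """
# constructed sample rules
User-Agent      curl
User-Agent      ^python-requests/
Accept-Language ^$
"""

# Constructed decoy line; 192.0.2.0/24 is reserved for documentation (RFC 5737).
DECOY_BRIDGES = ["192.0.2.1:443"]


@dataclass(frozen=True)
class Rule:
    header: str          # lower-cased header name
    pattern: re.Pattern  # compiled, case-insensitive


def load_rules(text):
    """Parse rule lines, skipping blanks and comments; malformed lines raise."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header, regex = line.split(None, 1)
        rules.append(Rule(header.lower(), re.compile(regex, re.I)))
    return rules


def matching_rule(rules, headers):
    """Return the first rule a request matches, else None.

    Header names compare case-insensitively; a missing header is treated
    as the empty string, so a rule like '^$' also catches its absence.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for rule in rules:
        if rule.pattern.search(lowered.get(rule.header, "")):
            return rule
    return None


def select_bridges(rules, headers, real_bridges, decoy=True):
    """Give flagged requests decoys (or nothing) without a visible error."""
    if matching_rule(rules, headers) is None:
        return real_bridges
    return DECOY_BRIDGES if decoy else []
```

Logging which rule matched alongside the decoy handed out would let operators later correlate connections to that decoy with the request that fetched it.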