[tor-dev] Why the seeming correlation between flash proxy and meek on metrics graphs?

David Fifield david at bamsoftware.com
Tue Sep 16 01:36:33 UTC 2014 

In comparing the user graphs of pluggable transports, I found that there
seems to be a correlation between the graphs of flashproxy and meek.
They are not equal, but they seem to go up and down at the same time.
Other transports don't show such an effect as far as I can tell. What
could the cause be? I am trying to rule out a measurement error. Could
it be an artifact of both transports running on the same bridge?

After the "How to use meek" blog post on August 15, there was a
noticeable increase in the number of meek users, from about 5 to about
20 concurrent users:

https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&start=2014-07-01&end=2014-09-16&transport=meek#userstats-bridge-transport

The blog post also seems to have had a positive effect on flashproxy and
scramblesuit, too. I suspect it is because the blog post also named
other transports and suggested to try them first:

https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&start=2014-07-01&end=2014-09-16&transport=websocket#userstats-bridge-transport
https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&start=2014-07-01&end=2014-09-16&transport=scramblesuit#userstats-bridge-transport

On the other hand, I don't see any noticeable rise for obfs3 and fte:

https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&start=2014-07-01&end=2014-09-16&transport=obfs3#userstats-bridge-transport
https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&start=2014-07-01&end=2014-09-16&transport=fte#userstats-bridge-transport

What's interesting is when we plot meek and flashproxy together (this is
the first attached image). There seems to be a strong correspondence
between the two. They both jump on August 15, as expected, but then they
both jump again together on August 21. In early September they settle
back down, but still mostly match each other's up/down patterns:

https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&start=2014-07-01&end=2014-09-16&transport=websocket&transport=meek#userstats-bridge-transport

What's really intriguing is that the apparent correlation goes back in
time, even before August 15. Compare the shapes of the graphs during
July, for example.

The correlation between meek and scramblesuit appears to be not as
strong (this is the second attached image). There's a rise around August
15, but no big secondary spike, although the first part of September
matches pretty well.

https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&start=2014-07-01&end=2014-09-16&transport=meek&transport=scramblesuit#userstats-bridge-transport

There's no obvious positive correlation between meek and fte (this is
the third attached image) nor meek and obfs3 (this is the fourth
attached image).

https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&start=2014-07-01&end=2014-09-16&transport=fte&transport=meek#userstats-bridge-transport

Why could this be? Some hypotheses:
 * meek and flashproxy have similar capabilities (resistance to IP
   blocking), so maybe the circumstances where they work are similar. If
   one works, so does the other, so we expect them to more or less track
   one another.
 * There is a bug in metrics collection, so that, for example, sometimes
   a meek connection is counted as flashproxy or vice versa. The backend
   bridge for both meek and flashproxy is the same; i.e.,
   tor2.bamsoftware.com. (Before May 8, 2014, it was a different bridge,
   namely tor1, but both transports were still running on it together.)
 * After my blog post, a bunch of people just picked transports at
   random until they found one that worked, which was likely one of
   {flashproxy, meek, scramblesuit}, and now we're just seeing the
   aggregation of those user's daily usage. Doesn't explain a match
   before August 15, though.

To figure this out I'm thinking of i) counting bytes transferred on the
flashproxy and meek external ports, or ii) moving one to a different
bridge (or different tor instance), to see if the effect remains. Do you
have any other ideas?

David Fifield
-------------- next part --------------
A non-text attachment was scrubbed...
Name: userstats-bridge-transport-websocket-meek-2014-07-01-2014-09-16.png
Type: image/png
Size: 32016 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140915/0ffea69e/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: userstats-bridge-transport-meek-scramblesuit-2014-07-01-2014-09-16.png
Type: image/png
Size: 32043 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140915/0ffea69e/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: userstats-bridge-transport-fte-meek-2014-07-01-2014-09-16.png
Type: image/png
Size: 28951 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140915/0ffea69e/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: userstats-bridge-transport-obfs3-meek-2014-07-01-2014-09-16.png
Type: image/png
Size: 24302 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140915/0ffea69e/attachment-0007.png>

More information about the tor-dev mailing list