[tor-dev] Running doctor's sybil checker over archived consensuses
phw at nymity.ch
Thu Jan 15 15:25:10 UTC 2015
I reimplemented doctor's sybil checker in Go, which makes it
possible to (somewhat) quickly analyse archived consensuses. The
algorithm is quite simple. It iterates over every consensus ever
published, keeps track of all relay fingerprints, and tells us how many
previously unseen relay fingerprints are present in every consensus.
I put the results, time series ranging from 2007 to 2014, online.
One can see a bunch of suspicious spikes in some of the years. I
manually checked the events and summed them up below. But first, here
are some basic statistics about the amount of new fingerprints:
Min. : 0.000
1st Qu.: 4.000
Median : 6.000
Mean : 6.377
3rd Qu.: 8.000
The median amount of new fingerprints in a consensus is six. The
maximum number observed is 3,020 which was caused by the sybil attack
Here are some preliminary notes about the most significant spikes. I'll
have a more detailed analysis at some point in the future.
2007-11-12: Missing consensuses.
2008-07-22: Missing consensuses.
2008-09-19: Some missing consensuses and a small group called "torism"
2008-10-25: Missing consensuses.
2010-06-26: Several hundred PlanetLab relays came online. At least
their nickname contained "planetlab" or some variation
2010-09-23: The trotsky relays which were suspected to be part of a
2010-10-02: Again trotsky relays.
2012-11-15: Several hundred clearly related relays, at least some of
which in Amazon's EC2 IP address space, come online.
2013-02-04: A group very similar to the previous one comes online.
2014-01-30: A clearly related group of relays comes online, presumably
the one from the pulled Blackhat talk.
2014-11-17: Several probably related relays in the Google cloud get
2014-12-26: Many relays named LizardNSA and FuslVZTOR come online.
2014-12-30: Many relays named anonpoke come online.
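The counting step described in the message, sketched as an added example; this is not the author's code and not part of the original post. It assumes consensus documents in the directory-spec text format, where each relay has an "r <nickname> <identity> ..." line. The sample consensuses, identities and the spike threshold are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Tracker holds every relay identity seen in earlier consensuses.
type Tracker struct{ seen map[string]bool }

func NewTracker() *Tracker { return &Tracker{seen: map[string]bool{}} }

// Ingest reads one consensus and returns its valid-after time plus the
// nicknames of relays whose identity has not appeared before.
func (t *Tracker) Ingest(consensus string) (when string, fresh []string) {
	sc := bufio.NewScanner(strings.NewReader(consensus))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 3 && f[0] == "valid-after":
			when = f[1] + " " + f[2]
		case len(f) >= 3 && f[0] == "r": // r <nickname> <identity> ...
			if !t.seen[f[2]] {
				t.seen[f[2]] = true
				fresh = append(fresh, f[1])
			}
		}
	}
	return when, fresh
}

// Constructed sample data: three tiny consensuses with made-up identities.
var samples = []string{
	"valid-after 2014-12-01 00:00:00\nr alpha idA d 2014-11-30 23:00:00 192.0.2.1 9001 0\nr beta idB d 2014-11-30 23:00:00 192.0.2.2 9001 0\n",
	"valid-after 2014-12-01 01:00:00\nr alpha idA d 2014-11-30 23:00:00 192.0.2.1 9001 0\nr beta idB d 2014-11-30 23:00:00 192.0.2.2 9001 0\nr gamma idC d 2014-12-01 00:30:00 192.0.2.3 9001 0\n",
	"valid-after 2014-12-01 02:00:00\nr alpha idA d 2014-11-30 23:00:00 192.0.2.1 9001 0\nr bulk1 idD d 2014-12-01 01:30:00 192.0.2.4 9001 0\nr bulk2 idE d 2014-12-01 01:30:00 192.0.2.5 9001 0\nr bulk3 idF d 2014-12-01 01:30:00 192.0.2.6 9001 0\nr bulk4 idG d 2014-12-01 01:30:00 192.0.2.7 9001 0\n",
}

const threshold = 3 // hypothetical spike cut-off for this toy data

func main() {
	t := NewTracker()
	for _, c := range samples {
		when, fresh := t.Ingest(c)
		mark := ""
		if len(fresh) >= threshold {
			mark = "  <- spike"
		}
		fmt.Printf("%s  new=%d %v%s\n", when, len(fresh), fresh, mark)
	}
}
```

The first consensus fed to a fresh Tracker reports every relay as new, and a gap of missing consensuses makes the next one look like a spike for the same reason, which matches the "Missing consensuses" entries in the list above.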