[tor-dev] Running doctor's sybil checker over archived consensuses

Philipp Winter phw at nymity.ch
Thu Jan 15 15:25:10 UTC 2015


I reimplemented doctor's sybil checker [0] in Go [1] which makes it
possible to (somewhat) quickly analyse archived consensuses.  The
algorithm is quite simple.  It iterates over every consensus ever
published, keeps track of all relay fingerprints, and tells us how many
previously unseen relay fingerprints are present in every consensus.
I put the results, time series ranging from 2007 to 2014, online [2].
One can see a bunch of suspicious spikes in some of the years.  I
manually checked the events and summed them up below.  But first, here
are some basic statistics about the amount of new fingerprints:

 Min.   :   0.000
 1st Qu.:   4.000
 Median :   6.000
 Mean   :   6.377
 3rd Qu.:   8.000
 Max.   :3020.000

The median amount of new fingerprints in a consensus is six.  The
maximum number observed is 3,020 which was caused by the sybil attack
last December.

Here are some preliminary notes about the most significant spikes.  I'll
have a more detailed analysis at some point in the future.

2007-11-12: Missing consensuses.
2008-07-22: Missing consensuses.
2008-09-19: Some missing consensuses and a small group called "torism"
            came online.
2008-10-25: Missing consensuses.
2010-06-26: Several hundred PlanetLab relays came online.  At least
            their nickname contained "planetlab" or some variation
            thereof.
2010-09-23: The trotsky relays which were suspected to be part of a
            botnet.
2010-10-02: Again trotsky relays.
2012-11-15: Several hundred clearly related relays, at least some of
            which were in Amazon's EC2 IP address space, came online.
2013-02-04: A group very similar to the previous one comes online.
2014-01-30: A clearly related group of relays comes online, presumably
            the one from the pulled Blackhat talk.
2014-11-17: Several probably related relays in the Google cloud came
            online.
2014-12-26: Many relays named LizardNSA and FuslVZTOR come online.
2014-12-30: Many relays named anonpoke come online.

[0] <https://gitweb.torproject.org/doctor.git/tree/sybil_checker.py>
[1] <https://gitweb.torproject.org/user/phw/sybilhunter.git/>
[2] <http://www.nymity.ch/new_fingerprints/>

Cheers,
Philipp
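The loop described in the mail (walk every consensus in order, remember all fingerprints seen so far, count the previously unseen ones per consensus), as an added Go example. This is not the code from sybilhunter or doctor; the function names are chosen here, the consensus documents are constructed test data, and the only format knowledge assumed is that a consensus carries a "valid-after" line and one "r" line per relay whose third field is the relay's 20-byte identity digest in unpadded base64. The example also flags consensuses that follow a hole in the archive, since the notes above show that several spikes are explained by missing consensuses rather than by new relays.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Consensus is the subset of a network status document the checker needs:
// when it became valid and the identity fingerprints of the relays it lists.
type Consensus struct {
	ValidAfter   time.Time
	Fingerprints []string
}

// ParseConsensus pulls "valid-after" and every "r" line out of a consensus.
// The third field of an "r" line is the relay's 20-byte identity digest,
// base64-encoded without padding; it is converted to upper-case hex, the
// form in which tor prints fingerprints.
func ParseConsensus(doc string) (Consensus, error) {
	var c Consensus
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		switch fields[0] {
		case "valid-after":
			if len(fields) < 3 {
				return c, fmt.Errorf("malformed valid-after line: %q", sc.Text())
			}
			t, err := time.Parse("2006-01-02 15:04:05", fields[1]+" "+fields[2])
			if err != nil {
				return c, err
			}
			c.ValidAfter = t
		case "r":
			if len(fields) < 3 {
				return c, fmt.Errorf("malformed r line: %q", sc.Text())
			}
			raw, err := base64.RawStdEncoding.DecodeString(fields[2])
			if err != nil || len(raw) != 20 {
				return c, fmt.Errorf("bad identity digest in %q", sc.Text())
			}
			c.Fingerprints = append(c.Fingerprints, strings.ToUpper(hex.EncodeToString(raw)))
		}
	}
	return c, sc.Err()
}

// Observation is the checker's result for one consensus.
type Observation struct {
	ValidAfter      time.Time
	NewFingerprints int  // fingerprints not present in any earlier consensus
	Gap             bool // the previous consensus is more than one period older
}

// CountNewFingerprints is the checker's core loop: sort the consensuses by
// valid-after, remember every fingerprint seen so far, and report how many
// fingerprints in each consensus are new. Gap marks consensuses that follow
// a hole in the archive, where relays that joined during the hole all show
// up as "new" at once and produce a spike that is not an attack.
func CountNewFingerprints(consensuses []Consensus, period time.Duration) []Observation {
	sorted := append([]Consensus(nil), consensuses...)
	sort.SliceStable(sorted, func(i, j int) bool {
		return sorted[i].ValidAfter.Before(sorted[j].ValidAfter)
	})
	seen := make(map[string]struct{})
	out := make([]Observation, 0, len(sorted))
	for i, c := range sorted {
		n := 0
		for _, fp := range c.Fingerprints {
			if _, ok := seen[fp]; !ok {
				seen[fp] = struct{}{}
				n++
			}
		}
		gap := i > 0 && c.ValidAfter.Sub(sorted[i-1].ValidAfter) > period
		out = append(out, Observation{c.ValidAfter, n, gap})
	}
	return out
}

// Spikes returns the indices of observations with at least threshold new
// fingerprints. The first consensus is skipped because everything in it is new.
func Spikes(obs []Observation, threshold int) []int {
	var idx []int
	for i := 1; i < len(obs); i++ {
		if obs[i].NewFingerprints >= threshold {
			idx = append(idx, i)
		}
	}
	return idx
}

// fakeRLine builds a constructed "r" line whose identity digest is 20 copies
// of seed; the remaining fields are placeholders laid out like a real line.
func fakeRLine(seed byte) string {
	id := base64.RawStdEncoding.EncodeToString(bytes.Repeat([]byte{seed}, 20))
	return fmt.Sprintf("r relay%d %s AAAAAAAAAAAAAAAAAAAAAAAAAAA 2015-01-15 00:00:00 192.0.2.%d 9001 0", seed, id, seed)
}

// SampleConsensuses returns three constructed hourly consensuses; the 16:00
// consensus is deliberately missing between the second and the third.
func SampleConsensuses() []Consensus {
	build := func(validAfter string, seeds ...byte) Consensus {
		var b strings.Builder
		fmt.Fprintf(&b, "network-status-version 3\nvalid-after %s\n", validAfter)
		for _, s := range seeds {
			b.WriteString(fakeRLine(s) + "\n")
		}
		c, err := ParseConsensus(b.String())
		if err != nil {
			panic(err)
		}
		return c
	}
	return []Consensus{
		build("2015-01-15 14:00:00", 1, 2, 3, 4, 5),
		build("2015-01-15 15:00:00", 1, 2, 3, 4, 5, 6),
		build("2015-01-15 17:00:00", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16),
	}
}

func main() {
	obs := CountNewFingerprints(SampleConsensuses(), time.Hour)
	for _, o := range obs {
		fmt.Printf("%s new=%d gap=%v\n", o.ValidAfter.Format("2006-01-02 15:04"), o.NewFingerprints, o.Gap)
	}
	fmt.Println("spike indices:", Spikes(obs, 3))
}
```

On the sample data the third consensus shows ten new fingerprints and is flagged with Gap, which is the case an analyst should check before calling a spike an attack; on a real archive the same flag would mark the 2007 and 2008 entries in the list above. Keeping the threshold well above the median of six that the mail reports avoids alerting on normal churn.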

