[tor-dev] Running doctor's sybil checker over archived consensuses

David Fifield david at bamsoftware.com
Thu Jan 15 21:34:01 UTC 2015


On Thu, Jan 15, 2015 at 04:25:10PM +0100, Philipp Winter wrote:
> 2014-01-30: A clearly related group of relays comes online, presumably
>             the one from the pulled Blackhat talk. (A)
> 2014-11-17: Several probably related relays in the Google cloud get
>             online. (B)
> 2014-12-26: Many relays named LizardNSA and FuslVZTOR come online. (C)
> 2014-12-30: Many relays named anonpoke come online. (D)

The visualizer program only works on archived microdescriptors, which
only go back through 2014. But I ran it on all of 2014 and you can see
the four incidents above.

The stripes in the background are months.

https://people.torproject.org/~dcf/graphs/microdescs/microdescs-2014.png (8760×62986 pixels)
https://people.torproject.org/~dcf/graphs/microdescs/microdescs-2014-short.png (8760×2048 pixels)

(Wow, who knew there were over 60000 distinct descriptors in 2014?)

Maybe the checker should also check for when a lot of relays go away at
once. It looks like that happened in mid-April, where relays that had been
started at different times in the beginning of the year all stopped at
once.

(Oh, on further reflection, that must have been Heartbleed!)

David Fifield
-------------- next part --------------
A non-text attachment was scrubbed...
Name: microdescs-2014-small-annotated.jpg
Type: image/jpeg
Size: 181140 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150115/85296cab/attachment-0001.jpg>
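
The mass-departure check suggested in the message above, sketched as an added example; it is not part of the original post or of doctor's sybil checker. The function name, thresholds, and relay identifiers are assumptions, and the hourly consensus data is constructed.

```python
from datetime import datetime, timedelta

def find_mass_departures(consensuses, min_gone=5, confirm=2):
    """consensuses: list of (datetime, set of relay ids), oldest first.

    Reports each consensus in which at least min_gone relays vanished and
    stayed absent for the next `confirm` consensuses (filters out flapping).
    """
    first_seen = {}
    events = []
    for i, (when, relays) in enumerate(consensuses):
        for fp in relays:
            first_seen.setdefault(fp, when)
        if i == 0:
            continue
        later = consensuses[i + 1:i + 1 + confirm]
        if len(later) < confirm:
            break  # not enough follow-up data to confirm a departure
        gone = consensuses[i - 1][1] - relays
        gone = {fp for fp in gone if all(fp not in s for _, s in later)}
        if len(gone) >= min_gone:
            starts = sorted(first_seen[fp] for fp in gone)
            events.append({
                "time": when,
                "gone": sorted(gone),
                # A large spread means unrelated start times, as in the
                # mid-April case; a sybil batch leaving has a small spread.
                "start_spread": starts[-1] - starts[0],
            })
    return events

def build_sample():
    """Constructed data: 12 hourly consensuses, not real Tor relays."""
    t0 = datetime(2014, 4, 1)
    out = []
    for h in range(12):
        relays = {"STABLE%d" % n for n in range(10)}
        # Six relays that start at hours 0..5 and all stop at hour 8.
        relays |= {"VULN%d" % n for n in range(6) if n <= h < 8}
        if h != 6:
            relays.add("FLAPPER")  # single one-hour outage at hour 6
        out.append((t0 + timedelta(hours=h), relays))
    return out

if __name__ == "__main__":
    for ev in find_mass_departures(build_sample()):
        print(ev["time"], len(ev["gone"]), "relays gone, start spread",
              ev["start_spread"])
```
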

