[tor-dev] Running doctor's sybil checker over archived consensuses

Philipp Winter phw at nymity.ch
Mon Jan 19 16:30:13 UTC 2015


On Thu, Jan 15, 2015 at 01:34:01PM -0800, David Fifield wrote:
> Maybe the checker should also check for when a lot of relays go away at
> once. It looks like that happened in mid-April, where relays that had been
> started at different times in the beginning of the year all stopped at
> once.
> 
> (Oh, on further reflection, that must have been Heartbleed!)

That's a good idea.  Here's the visualisation:
<http://www.nymity.ch/hunting_sybils/leaving_relays/>

Some of the spikes represent the same sybils already present in the
previous visualisation.  That makes sense because it's not surprising
that these groups disappeared just as quickly as they appeared.

However, there are some additional groups which were not present in the
previous visualisation:

- 2008-05-14: More than 200 relays disappear.  I am not sure why.
- 2008-08-19: More than 150 relays disappear.  Also not sure why.
- 2009-09-24: About 60 relays disappear.  There's a group of 10 relays
              with the same nickname, so this might be a false positive.
- 2012-01-23: About 100 relays disappear.  Not sure why.
- 2012-09-16: More than 150 relays disappear.  Many of them are in the
              same /24 and many have the same nickname pattern.
- 2013-04-11: Same as above.
- 2014-04-17: 247 relays disappear.  These relays were rejected from the
              consensus because of the Heartbleed bug.
- 2014-04-18: 906 relays disappear.  These relays were rejected from the
              consensus because of the Heartbleed bug.

In the next step, I'll work on a similarity metric to compare and
cluster relay descriptors.  That should help with manual analysis.

Cheers,
Philipp
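
An added example, not part of the original message and not code from doctor's sybil checker: it compares consecutive consensuses, flags those where many relays leave at once, and reports the most common /24 and nickname stem among the departed relays. The threshold, the sample consensuses and all function names are constructed for illustration, and the parser assumes the "r" line layout of a full (non-microdescriptor) consensus.

```python
import ipaddress
from collections import Counter

def parse_relays(consensus_text):
    """Map identity -> (nickname, IPv4) from the 'r' lines of a full consensus."""
    relays = {}
    for line in consensus_text.splitlines():
        f = line.split()
        # r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
        if len(f) == 9 and f[0] == "r":
            relays[f[2]] = (f[1], f[6])
    return relays

def summarize(gone):
    """Most common /24 and nickname stem (trailing digits stripped) among relays."""
    nets = Counter(str(ipaddress.ip_network(ip + "/24", strict=False))
                   for _, ip in gone.values())
    stems = Counter(nick.rstrip("0123456789") for nick, _ in gone.values())
    return nets.most_common(1)[0], stems.most_common(1)[0]

def find_spikes(consensuses, threshold):
    """consensuses: chronological list of (label, consensus_text).
    Returns (label, count, top /24, top stem) where >= threshold relays left."""
    spikes, prev = [], None
    for label, text in consensuses:
        curr = parse_relays(text)
        if prev is not None:
            gone = {fp: prev[fp] for fp in prev.keys() - curr.keys()}
            if len(gone) >= threshold:
                spikes.append((label, len(gone), *summarize(gone)))
        prev = curr
    return spikes

# Constructed sample data: placeholder identities, documentation IP ranges.
def _r(nick, ident, ip):
    return f"r {nick} {ident} DIGEST 2015-01-01 00:00:00 {ip} 9001 0"

_STABLE = [_r("alice", "A1", "198.51.100.7"), _r("bob", "B1", "203.0.113.9")]
_GROUP = [_r(f"sybil{i}", f"S{i}", f"192.0.2.{i + 1}") for i in range(5)]
SAMPLE = [("day1", "\n".join(_GROUP + _STABLE)),
          ("day2", "\n".join(_STABLE)),       # the whole group leaves at once
          ("day3", "\n".join(_STABLE[:1]))]   # ordinary churn: one relay leaves

if __name__ == "__main__":
    for spike in find_spikes(SAMPLE, threshold=3):  # threshold is an assumption
        print(spike)
```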

