[tor-project] Many bridges (22%) have nickname "ki"

David Fifield david at bamsoftware.com
Wed Feb 15 23:29:20 UTC 2017

On Tue, Dec 13, 2016 at 10:37:31AM -0800, David Fifield wrote:
> This is a bit of a followup to my earlier post on obfs4 bridges with
> formulaic nicknames:
> https://lists.torproject.org/pipermail/tor-project/2016-November/000809.html
> Those bridges are still there, but today I noticed a new weirdness: 756
> bridges all having the nickname "ki". 756 is 21.8% of the total number,
> 3464. At the moment, "ki" far outnumbers every other nickname, apart from
> "Unnamed":

An upcoming research paper mentions the "ki" bridges, but still doesn't
determine their purpose:

	Section V-A
	The yellow middle bar represents a cluster of 3 bridges run by
	the same organization, that we call by their nickname, Ki, which
	change fingerprint up to once an hour (but keep their IP
	addresses stable, see Section VI). The Ki cluster produced a few
	dozen fingerprints in July 2012, jumped to a few hundreds in
	December 2012 and to a few thousands in February 2014. In March
	2016, those 3 bridges are responsible for 32% of all
	fingerprints, corresponding to 7% of the active fingerprints and
	68% of the inactive fingerprints, as most of their fingerprints
	do not live long enough to obtain the Running flag. After
	discounting those extraneous fingerprints, the number of active
	fingerprints in April 2016 is slightly over 5K.

	Section V-D
	Port 444 is a special case since in principle it is associated with
	the Simple Network Paging Protocol (SNPP), a not so popular
	protocol. However, according to CollecTor data, roughly 3K
	active fingerprints are using it in April 2016. The reason for
	this is that this OR port is used by the Ki bridges that change
	fingerprint often, as introduced in Section V-A. Those Ki
	bridges artificially inflate the usage of this OR port, a
	behavior that does not manifest on other OR ports.

	Section VI-A
	Overall, 94.1% of the bridge IP addresses did not change
	fingerprint, 5.5% changed fingerprint once, and 0.4% changed
	fingerprint multiple times. The bridges with multiple
	fingerprint changes include the 3 Ki bridges, which present a
	different fingerprint every time we connect to them (on a closer
	look we find that they change fingerprint roughly every hour).
	Furthermore, we observe that over 70% of the IP addresses with
	fingerprint changes belong to 2 clusters of private bridges each
	using multiple nearby IP addresses. These IPs change fingerprint
	on the same dates, so it is possible that bridges in each
	cluster were reassigned IP addresses on those dates.
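
The per-address measurement the quoted sections describe (fingerprint changes per IP address, the share of all fingerprints produced by churning addresses, and the resulting inflation of one OR port) can be sketched as below. This is an added example, not code from the post or from the paper; the observation records, address labels, fingerprints and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed observations: (UTC time, address label, fingerprint, OR port).
# Labels and fingerprints are placeholders, not real bridges.
OBSERVATIONS = [
    ("2016-04-01 00:00", "addr-A", "FP01", 444),
    ("2016-04-01 01:00", "addr-A", "FP02", 444),
    ("2016-04-01 02:00", "addr-A", "FP03", 444),
    ("2016-04-01 00:00", "addr-B", "FP10", 9001),
    ("2016-04-01 02:00", "addr-B", "FP10", 9001),
    ("2016-04-01 00:00", "addr-C", "FP20", 443),
    ("2016-04-02 00:00", "addr-C", "FP21", 443),
]

def fingerprint_changes(observations):
    """Map address -> (number of changes, shortest gap in seconds across a change)."""
    by_addr = defaultdict(list)
    for ts, addr, fp, _port in observations:
        by_addr[addr].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), fp))
    result = {}
    for addr, seen in by_addr.items():
        seen.sort()  # chronological order per address
        changes, min_gap = 0, None
        for (t_prev, fp_prev), (t, fp) in zip(seen, seen[1:]):
            if fp != fp_prev:
                changes += 1
                gap = int((t - t_prev).total_seconds())
                min_gap = gap if min_gap is None else min(min_gap, gap)
        result[addr] = (changes, min_gap)
    return result

def classify(changes):
    """Bucket an address the way Section VI-A does."""
    return ("stable", "changed once")[changes] if changes < 2 else "changed multiple times"

def fingerprint_share(observations, addrs):
    """Fraction of all distinct fingerprints that were seen on the given addresses."""
    all_fps = {fp for _, _, fp, _ in observations}
    from_addrs = {fp for _, a, fp, _ in observations if a in addrs}
    return len(from_addrs) / len(all_fps)

def fingerprints_per_port(observations):
    """Distinct fingerprints per OR port; churning addresses inflate their port."""
    ports = defaultdict(set)
    for _, _, fp, port in observations:
        ports[port].add(fp)
    return {port: len(fps) for port, fps in ports.items()}
```

The shortest gap is only an upper bound on the real rotation interval, since it depends on how often each address was observed.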
