[tor-project] Many bridges (22%) have nickname "ki"

isis agora lovecruft isis at torproject.org
Mon Jan 9 20:59:23 UTC 2017

David Goulet transcribed 3.0K bytes:
> On 13 Dec (16:26:02), David Goulet wrote:
> > On 13 Dec (21:11:17), Yawning Angel wrote:
> > > On Tue, 13 Dec 2016 10:37:31 -0800
> > > David Fifield <david at bamsoftware.com> wrote:
> > > 
> > > > This is a bit of a followup to my earlier post on obfs4 bridges with
> > > > formulaic nicknames:
> > > > https://lists.torproject.org/pipermail/tor-project/2016-November/000809.html
> > > > 
> > > > 
> > > > Those bridges are still there, but today I noticed a new weirdness:
> > > > 756 bridges all having the nickname "ki". 756 is 21.8% of the total
> > > > number, 3464. At the moment, "ki" far outnumbers every other
> > > > nickname, apart from "Unnamed":
> > > [snip]
> > > 
> > > Should both groups be dropped at the BridgeAuth or what?  As far as I
> > > am aware, there is nothing that is doing Sybil detection at the Bridge
> > > level, and I don't really think that's an arms race that's winnable
> > > (even at the standard relay level, it feels like an uphill battle).
> > > 
> > > If I were to hypothesize, it's probably someone's botnet/malware or
> > > something (in both cases), but that's just a guess and it could be
> > > something either more nefarious, or more benign.
> > 
> > Yes, we should be safe here and reject those.
> > 
> > What's the procedure with the BridgeAuth? The dirauth-conf git repository
> > isn't made for the bridge authority.
> I want to bump this here btw.... I don't feel very comfortable with those
> bridges still around so we should REALLY block them soon.
> If I remember correctly, Roger told me on IRC that we either have to go
> through the BridgeAuth directly with reject rules (unconfirmed) or we block
> them on BridgeDB.
> I need someone with knowledge here and Isis needs to be in the loop as she
> basically runs both services :).
> Thanks!
> David


Sorry, I missed this thread and David kindly made me aware of it last Friday.

I've patched BridgeDB (#21162) and added a file to blacklist these bridges by
fingerprint.  However, looking at the onionoo results which David originally
pasted, the IP addresses are all different (10.x.x.x) in onionoo for the ki
bridges.  Perhaps something is wrong with onionoo's hashed-IP file thing?

However, looking at both the BridgeAuthority and BridgeDB, these bridges all
share only 3 distinct IP addresses.  This seems to suggest to me that only 6
of them would have made it into the BridgeAuthority networkstatus-bridges
file, since tor only allows 2 instances from any given IP address.  Looking at
the networkstatus-bridges on BridgeDB, this appears to be the case, and
grepping the logs I only see a couple instances of "ki" bridges being added to
the database per hour (and each hour these are the same few) so it appears to
be the case that nearly none of these were ever distributed.

In any case, the few that made it into the database should now be blacklisted.

Could I maybe request that, if there's something super important you want from
me, that the subject be something like "ISIS DO THIS RIGHT NOW", please?  I
can't read every single mailing in any semblance of a timely fashion if
something is actually urgent.  Thanks. :)

Best regards,
 ♥Ⓐ isis agora lovecruft
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt
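
The reasoning in the message above (flag an over-represented nickname, apply the 2-per-IP limit, blacklist by fingerprint), as an added example that is not BridgeDB or tor code. The bridge records, the 10% threshold, and the choice of which two bridges per address are kept are constructed assumptions.

```python
from collections import Counter, defaultdict

MAX_PER_IP = 2          # from the message: tor allows 2 instances per IP address
SHARE_THRESHOLD = 0.10  # assumed cutoff for "suspiciously common" nicknames
IGNORED = {"Unnamed"}   # default nickname, set aside as in the original report

def build_sample():
    """Constructed records (fingerprint, nickname, ip): 9 of 40 are 'ki' on 3 IPs."""
    rows = [(f"{i:040X}", "ki", f"198.51.100.{i % 3 + 1}") for i in range(9)]
    rows += [(f"{100 + i:040X}", "Unnamed", f"203.0.113.{i + 1}") for i in range(20)]
    rows += [(f"{200 + i:040X}", f"bridge{i}", f"192.0.2.{i + 1}") for i in range(11)]
    return rows

def suspicious_nicknames(rows, threshold=SHARE_THRESHOLD):
    """Nicknames whose share of all bridges exceeds the threshold."""
    counts = Counter(nick for _, nick, _ in rows if nick not in IGNORED)
    return {n: c for n, c in counts.items() if c / len(rows) > threshold}

def distinct_ips(rows, nickname):
    """Addresses behind one nickname; few addresses for many bridges is the tell."""
    return {ip for _, nick, ip in rows if nick == nickname}

def admitted_under_ip_cap(rows, nickname, cap=MAX_PER_IP):
    """Fingerprints that fit under the per-IP cap. Which ones survive is
    arbitrary here (first by sort order); the real selection is not modeled."""
    per_ip = defaultdict(list)
    for fp, nick, ip in rows:
        if nick == nickname:
            per_ip[ip].append(fp)
    return sorted(fp for fps in per_ip.values() for fp in sorted(fps)[:cap])

def blacklist(rows, nicknames):
    """Every fingerprint under a flagged nickname, not only the admitted ones."""
    return sorted(fp for fp, nick, _ in rows if nick in nicknames)

if __name__ == "__main__":
    rows = build_sample()
    for nick, count in suspicious_nicknames(rows).items():
        ips = distinct_ips(rows, nick)
        admitted = admitted_under_ip_cap(rows, nick)
        print(f"{nick}: {count} bridges, {len(ips)} IPs, "
              f"{len(admitted)} could pass the per-IP cap")
    for fp in blacklist(rows, suspicious_nicknames(rows)):
        print(fp)
```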