[tor-project] New UAE Users

Matthew Finkel matthew.finkel at gmail.com
Tue Mar 14 00:02:46 UTC 2017


On Fri, Mar 10, 2017 at 03:01:27PM -0800, David Fifield wrote:
> On Fri, Mar 10, 2017 at 03:01:56PM -0500, David Goulet wrote:
> > On 08 Mar (17:07:36), David Fifield wrote:
> > > On Thu, Mar 09, 2017 at 01:05:15AM +0000, Matthew Finkel wrote:
> > > > Anyone know what caused the remarkable jump in direct and obfs3 users from
> > > > the UAE that began on 16 Jan and 06 Feb, respectively?
> > > > 
> > > > Sorry if I already missed the discussion about this.
> > > > 
> > > > https://metrics.torproject.org/userstats-relay-country.html?start=2017-01-14&end=2017-03-08&country=ae&events=off
> > > > https://metrics.torproject.org/userstats-bridge-country.html?start=2017-02-04&end=2017-03-08&country=ae
> > > 
> > > We don't know the cause AFAIK, but we have some entries for it with
> > > links, near the bottom of
> > > https://trac.torproject.org/projects/tor/wiki/doc/MetricsTimeline#Unknown
> > 
> > Seems obfs4 is now what they are "testing"....
> > 
> > http://rougmnvswfsmd4dq.onion/userstats-bridge-transport.html?start=2016-12-10&end=2017-03-10&transport=obfs3&transport=obfs4
> 
> The UAE graph doesn't show an increase in obfs4:
> https://metrics.torproject.org/userstats-bridge-combined.html?start=2016-12-10&end=2017-03-10&country=ae
> 
> The spike at the end of the overall obfs4 graph might not be a real
> sustained change, because in clients.csv it goes back to normal the next
> day. (The second-to-last column is the one to look at.)
> 
> date,node,country,transport,version,lower,upper,clients,frac
> 2017-03-01,bridge,,obfs4,,,,34392,65
> 2017-03-02,bridge,,obfs4,,,,33200,66
> 2017-03-03,bridge,,obfs4,,,,33568,65
> 2017-03-04,bridge,,obfs4,,,,31734,64
> 2017-03-05,bridge,,obfs4,,,,31621,63
> 2017-03-06,bridge,,obfs4,,,,33240,65
> 2017-03-07,bridge,,obfs4,,,,34563,65
> 2017-03-08,bridge,,obfs4,,,,63618,34
> 2017-03-09,bridge,,obfs4,,,,35922,50
> 2017-03-10,bridge,,obfs4,,,,2045,25


Yeah, it is interesting that obfs3/obfs4 possibly crossed:

http://rougmnvswfsmd4dq.onion/userstats-bridge-transport.html?start=2017-03-05&end=2017-03-12&transport=obfs3&transport=obfs4

But I spoke with someone at IFF from the region last week and their current
thought is that this is caused by some group running a bot (of some kind) and
inflating our metrics for the country. They weren't sure about the goal of
this, so our guess is probably as good as theirs. Overall the usage pattern
doesn't look extraordinarily artificial, except the jump of +200k relay users
within a week. The rapid decay beginning on 03 Feb seems plausible.

It's interesting, looking at the raw data, it seems this began on 12 or 13 Jan:

date,node,country,transport,version,lower,upper,clients,frac
2017-01-06,relay,ae,,,5738,8495,7195,81
2017-01-07,relay,ae,,,5850,8968,7268,81
2017-01-08,relay,ae,,,6023,9340,7316,82
2017-01-09,relay,ae,,,5800,9458,7293,82
2017-01-10,relay,ae,,,5985,8905,7251,82
2017-01-11,relay,ae,,,5909,8751,7351,81
2017-01-12,relay,ae,,,5854,8869,7854,81
2017-01-13,relay,ae,,,5595,8914,9145,82
2017-01-14,relay,ae,,,5971,8564,10570,81
2017-01-15,relay,ae,,,6240,8442,11499,82
2017-01-16,relay,ae,,,6079,8711,30377,82
2017-01-17,relay,ae,,,6159,8552,119908,82
2017-01-18,relay,ae,,,6082,8886,208090,81
2017-01-19,relay,ae,,,6459,9547,258835,81
2017-01-20,relay,ae,,,7623,11028,317643,82
2017-01-21,relay,ae,,,8652,12783,318948,82

There is a jump of ~500 users on 12 Jan, but that's semi-plausible. The jump of
~1300 users on the 13th seems less likely. Between the 12th and 18th, there
were (approx.) deltas of:

06 to 07:    +50
07 to 08:    +50
08 to 09:    -20
09 to 10:    -40
10 to 11:     -0
11 to 12:   +500
12 to 13:  +1300
13 to 14:  +1400
14 to 15:   +900
15 to 16: +19000
16 to 17: +80000
17 to 18: +90000
18 to 19: +50000
19 to 20: +60000
20 to 21:  +1000


And for bridges:

date,node,country,transport,version,lower,upper,clients,frac
2017-01-25,bridge,ae,,,,,377,66
2017-01-26,bridge,ae,,,,,366,66
2017-01-27,bridge,ae,,,,,367,66
2017-01-28,bridge,ae,,,,,363,66
2017-01-29,bridge,ae,,,,,387,67
2017-02-01,bridge,ae,,,,,423,67
2017-02-02,bridge,ae,,,,,411,68
2017-02-03,bridge,ae,,,,,363,66
2017-02-04,bridge,ae,,,,,413,64
2017-02-05,bridge,ae,,,,,796,58
2017-02-06,bridge,ae,,,,,5961,65
2017-02-07,bridge,ae,,,,,8762,55
2017-02-08,bridge,ae,,,,,8057,51
2017-02-09,bridge,ae,,,,,27016,63
2017-02-10,bridge,ae,,,,,66323,65
2017-02-11,bridge,ae,,,,,82979,65
2017-02-12,bridge,ae,,,,,64968,64
2017-02-13,bridge,ae,,,,,77667,62
2017-02-14,bridge,ae,,,,,87850,53
2017-02-15,bridge,ae,,,,,47517,58
2017-02-16,bridge,ae,,,,,45346,54
2017-02-17,bridge,ae,,,,,82640,60
2017-02-18,bridge,ae,,,,,107386,60
2017-02-19,bridge,ae,,,,,105322,62

It seems, on average, there were ~380 bridge users throughout 2016 and 2017
until 2017-02-05. For consistency, the approximate deltas between 01 Feb and
19 Feb:

02 to 03:    -50
03 to 04:    +50
04 to 05:   +370
05 to 06:  +5200
06 to 07:  +2800
07 to 08:   -700
08 to 09: +19000
09 to 10: +39000
10 to 11: +16600
11 to 12: -18000
12 to 13: +13000
13 to 14: +10000
14 to 15: -40000
15 to 16:  -2200
16 to 17: +37000
17 to 18: +25000
18 to 19:  -2000


It's interesting that the bridge users count began increasing a few days
after relay users began decreasing. Actually, I found which bridge is
supporting these new users. I confirmed it isn't one of the default bridges.


{"version":"4.0",
"relays_published":"2017-03-13 22:00:00",
"relays":[
],
"bridges_published":"2017-03-13 20:57:29",
"bridges":[
{"nickname":"Unnamed","hashed_fingerprint":"220B66EBF7625B31D3313491C0B888E488F2E66B","or_addresses":["10.64.118.173:56651"],"last_seen":"2017-03-13 20:57:29","first_seen":"2016-01-18 11:55:20","running":true,"flags":["Fast","HSDir","Running","Stable","V2Dir","Valid"],"last_restarted":"2017-03-09 06:48:03","advertised_bandwidth":2503701,"platform":"Tor 0.2.9.5-alpha on Linux","transports":["scramblesuit","obfs3","obfs4"]}
]}

https://onionoo.torproject.org/details?fingerprint=220B66EBF7625B31D3313491C0B888E488F2E66B
https://atlas.torproject.org/#details/3E0908F131AC417C48DDD835D78FB6887F4CD126



I'll follow up with additional analysis tomorrow, but here's the data from 2017-03-12 00:09:00

amnesia at amnesia:~$ grep -A 23 220B66EBF7625B31D3313491C0B888E488F2E66B 2017-03-12-00-09-00-extra-infos | grep -e "^extra-info" -e history -e dirreq-v3-reqs -e bridge-ips -e "ae="
extra-info Unnamed 220B66EBF7625B31D3313491C0B888E488F2E66B
write-history 2017-03-11 19:14:11 (14400 s) 40817088512,48679548928,39163826176,34126496768,60959848448,85227308032
read-history 2017-03-11 19:14:11 (14400 s) 3655943168,4583458816,5928579072,6270611456,7911438336,10202891264
dirreq-write-history 2017-03-11 18:33:19 (14400 s) 56407040000,32424969216,44282493952,30598066176,49384162304,72785624064
dirreq-read-history 2017-03-11 18:33:19 (14400 s) 684358656,690675712,1961063424,1814886400,1891488768,2772764672
dirreq-v3-ips ae=115824,in=2504,nl=1256,us=888,jo=728,gb=720,de=496,sa=280,fr=240,om=200,ca=96,jp=80,bh=72,??=64,be=64,kw=56,qa=48,sg=32,it=24,pk=24,iq=16,ir=16,at=8,au=8,bd=8,bg=8,bn=8,br=8,by=8,ch=8,cl=8,cn=8,dj=8,dz=8,eg=8,hk=8,ie=8,il=8,kr=8,lb=8,lv=8,ly=8,md=8,mu=8,mx=8,ng=8,no=8,pr=8,ro=8,ru=8,sc=8,sd=8,se=8,si=8,so=8,tm=8,tn=8,tr=8,ua=8,uz=8,za=8
dirreq-v3-reqs ae=495328,nl=14928,us=7696,in=5136,gb=4168,fr=4128,de=3344,be=2984,jo=2240,it=928,sa=784,ca=544,om=440,qa=208,bh=184,ie=184,kw=176,jp=136,??=112,ch=104,sg=88,iq=56,at=48,bg=48,pk=48,ru=48,hk=32,ir=32,tr=32,bn=24,dz=16,il=16,lb=16,pr=16,se=16,so=16,au=8,bd=8,br=8,by=8,cl=8,cn=8,dj=8,eg=8,kr=8,lv=8,ly=8,md=8,mu=8,mx=8,ng=8,no=8,ro=8,sc=8,sd=8,si=8,tm=8,tn=8,ua=8,uz=8,za=8
bridge-ips ae=144992,in=4248,nl=1344,us=1104,jo=952,gb=800,de=560,sa=360,fr=304,om=280,ca=112,bh=104,jp=104,??=96,kw=80,be=64,qa=64,pk=32,sg=32,iq=24,it=24,so=24,bn=16,hk=16,ir=16,pr=16,ru=16,se=16,at=8,au=8,bd=8,bg=8,br=8,by=8,ch=8,cl=8,cn=8,dj=8,dz=8,eg=8,ie=8,il=8,is=8,kr=8,kz=8,lb=8,lv=8,ly=8,md=8,mu=8,mx=8,ng=8,no=8,ro=8,sc=8,sd=8,si=8,sk=8,tm=8,tn=8,tr=8,ua=8,uz=8,vn=8,ye=8,za=8
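
Added example, not part of the original message: a small Python script that recomputes the day-over-day deltas from the relay clients.csv rows quoted above and marks the days on which `clients` exceeds the `upper` column. Treating `lower`/`upper` as the expected range for the estimate is an assumption about those columns that the message does not state; the function names are hypothetical.

```python
import csv
import io

# Rows copied from the relay excerpt quoted in the message (country "ae").
RELAY_AE_CSV = """date,node,country,transport,version,lower,upper,clients,frac
2017-01-09,relay,ae,,,5800,9458,7293,82
2017-01-10,relay,ae,,,5985,8905,7251,82
2017-01-11,relay,ae,,,5909,8751,7351,81
2017-01-12,relay,ae,,,5854,8869,7854,81
2017-01-13,relay,ae,,,5595,8914,9145,82
2017-01-14,relay,ae,,,5971,8564,10570,81
2017-01-15,relay,ae,,,6240,8442,11499,82
2017-01-16,relay,ae,,,6079,8711,30377,82
2017-01-17,relay,ae,,,6159,8552,119908,82
2017-01-18,relay,ae,,,6082,8886,208090,81
"""


def load(text):
    """Parse clients.csv-style text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def daily_deltas(rows):
    """Return (date, clients, change vs. previous day) for each row after the first."""
    return [
        (cur["date"], int(cur["clients"]), int(cur["clients"]) - int(prev["clients"]))
        for prev, cur in zip(rows, rows[1:])
    ]


def above_expected(rows):
    """Dates where the estimate exceeds `upper` (assumed: expected-range bound).

    Bridge rows leave lower/upper empty, so they are skipped rather than flagged.
    """
    return [r["date"] for r in rows
            if r["upper"] and int(r["clients"]) > int(r["upper"])]


if __name__ == "__main__":
    rows = load(RELAY_AE_CSV)
    flagged = set(above_expected(rows))
    for date, clients, delta in daily_deltas(rows):
        mark = "  <-- above upper" if date in flagged else ""
        print(f"{date} {clients:>7} {delta:+8d}{mark}")
```

Bridge rows in the same file carry no `lower`/`upper` values, so for them only the delta column is meaningful.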


