[tor-relays] Bots, love 'em or hate 'em?

Roger Dingledine arma at mit.edu
Tue Sep 8 05:57:19 UTC 2015


On Wed, Aug 19, 2015 at 11:11:59AM -0400, starlight.2015q3 at binnacle.cx wrote:
> So I'm left thinking that 95% or more of the
> bandwidth consumption and client count is from
> crusty old botnet bots running ancient versions
> of the Tor daemon.

Client count (for non guards), yes I think that's a fair guess. Bandwidth
consumption, I don't think so. Last I heard, the main set of bots running
old Tor versions were basically idle -- they try to phone home to their
onion service command-and-control center periodically, but they aren't
being used by it.

That is, the botnet operator added Tor clients to some of his infected
click fraud computers because it seemed like a good idea at the time,
but then later he decided that it wasn't a worthwhile idea.

It still adds a lot of numbers to client counts, since we estimate the number
of clients by how many directory fetches happen. And it still adds a lot
of circuits, since a million or however many bots making onion service
connections periodically will soak up a lot of circuits. But I think
they use a very small amount of bandwidth each.

This ties into another fine question: how do we communicate to the next
jerk in the Ukraine that the previous one actually decided it wasn't
worth doing? I can easily imagine some new botnet operator deciding that
it's way cool so of course he should do it too. Maybe they share notes
in their underground forums. I'm not sure.

--Roger


