Hopefully this will not be a double. I seem to forget easily what email is subscribed to what lists :(.
On 9/3/11 10:39 AM, Roger Dingledine wrote:
> Hi folks,
>
> Over the past few months the number of bridge users has spiked, most
> prominently in Italy, but also plenty in Spain, Brazil, Israel, and
> others.
>
True. I also have some rudimentary statistics built from bridges.csv that highlighted this issue some time ago, but from what I understand this is starting to become a serious problem.

> I believe it started out with a Tor bundle that somebody made that had
> three bridges pre-configured -- we found a torrc file along with an
> unofficial Windows Tor bundle. At the beginning, those few bridges had
> tens of thousands of users each, and that was it.
>
Yup, the package in question, which apparently is shipped mainly for a Chinese audience, is a bundle that also contains Tor. The problem is that the torrc contains statically hardcoded bridge IP addresses. Here is a link to the commit in question:

http://code.google.com/p/portabletoolbox/source/browse/trunk/Data/tor/torrc?spec=svn88&r=88

When I first saw this, the dates did match up with the traffic spikes to Tor bridges, though it did seem strange that these requests were linked to non-Chinese-speaking countries (Italy, Brazil, Spain).

> Since then, we've seen an enormous spike in automated connections to
> https://bridges.torproject.org/ -- more than a million requests an hour.
> Now just about every bridge that's given out via the https pool (as
> opposed to the gmail pool or the reserve pool) is seeing many many
> thousands of users from Italy and these other countries.
>
This highlights that the issue is probably much more complex. Somebody has developed a custom crawler to scrape https://bridges.torproject.org for fresh and new Tor bridges. I can imagine that the person who developed this thought it was the smartest idea in the world, and I don't believe he meant any harm. Yet the responsible application/tool/bundle must be identified and the developer instructed to stop doing so.

> It seems clear that somebody's unofficial Tor bundle automatically grabs
> some bridges for its users, and that this somebody didn't understand
> the notion of being polite to a remote service -- I think each user is
> hitting the bridges page roughly every 30 seconds.
>
Since the requests are coming in from every client every 30 seconds, this must be seen as an attack. What they are doing, in effect, is conducting a DDoS on bridges.tp.org. For this reason I think it would be appropriate to manage the issue as if we were up against an adversary, and start by trying to fingerprint the application making the requests. This would probably require patching BridgeDB (https://gitweb.torproject.org/bridgedb.git) to log anonymized requests of the attacker. Once the application responsible is spotted, we should get in contact with them and have them fix the bundle to stop making these requests. If this is not possible, we could maybe write a snort rule, or something inside BridgeDB directly, to filter out and stop responding to illicit malicious requests.

> We've taken steps to defend the bridgedb service from this overload. And
> I can imagine further steps, like finally rolling out a captcha on that
> page, to block people from using it like a remote API (which I always
> thought was kind of a neat option). Or heck, just moving to a different
> URL and abandoning that one.
>
The CAPTCHA solution would work; however, the issue might be solved more easily by just detecting the UserAgent of the client making the request (in case this is not being spoofed by the application, see the point above). Or maybe by implementing something slightly more complex that leaves the user experience unaltered, such as matching on request header order. On the second solution, I remember reading a couple of papers on it, and I believe there was also a presentation at CCC 2010 on it. I can't seem to find them at the moment, but I will update as soon as I find out.

> But the question first is: what's going on? Can those of you near or in
> these countries please ask around and try to get some answers?
>
I will try to do so and update you on the status of the inquiries.

> I don't think it's a censoring adversary trying to collect the list of
> bridges. For one, it's way overkill; for another, why use the bridges
> afterwards?
>
That seems highly unlikely to me too.

> I don't think it's malware or some automated botnet that happens to
> use bridges -- if it were, we should be seeing spikes in well-connected
> countries like Japan.
>
Maybe some OSINT tool? Somebody who wishes to have high levels of anonymity by not disclosing that he is about to connect to Tor, but is too lazy to set up a custom Tor bridge?

- Art.

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
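As an added illustration of the "log anonymized requests, then fingerprint the client" approach discussed in the thread (this is not code from the thread or from BridgeDB), the script below hashes client addresses with a salt before keeping them, groups requests by User-Agent plus request header order, and flags clients whose request cadence sits near the 30-second interval Roger mentions. The log format, the salt and the thresholds are assumptions; the log lines are constructed.

```python
import hashlib
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real BridgeDB output). Fields: timestamp,
# client IP, quoted User-Agent, and the order in which request headers arrived.
SAMPLE_LOG = """\
2011-09-03T10:00:00 203.0.113.5 "Mozilla/5.0 (Windows NT 6.1)" Host,User-Agent,Accept,Connection
2011-09-03T10:00:31 203.0.113.5 "Mozilla/5.0 (Windows NT 6.1)" Host,User-Agent,Accept,Connection
2011-09-03T10:01:00 203.0.113.5 "Mozilla/5.0 (Windows NT 6.1)" Host,User-Agent,Accept,Connection
2011-09-03T10:01:29 203.0.113.5 "Mozilla/5.0 (Windows NT 6.1)" Host,User-Agent,Accept,Connection
2011-09-03T10:00:12 198.51.100.9 "Mozilla/5.0 (X11; Linux)" Host,User-Agent,Accept,Accept-Encoding,Connection
2011-09-03T10:07:45 198.51.100.9 "Mozilla/5.0 (X11; Linux)" Host,User-Agent,Accept,Accept-Encoding,Connection
"""

SALT = b"rotate-me-daily"  # hypothetical salt; rotate it so hashed IPs cannot be correlated across days

def anonymize(ip: str) -> str:
    """Keyed hash of the client IP: groups one client's requests without storing the address."""
    return hashlib.sha256(SALT + ip.encode()).hexdigest()[:16]

def parse_log(text: str):
    """Return (timestamp, client_id, fingerprint) per line; fingerprint = (User-Agent, header order)."""
    records = []
    for line in text.splitlines():
        ts, ip, ua, order = shlex.split(line)  # shlex keeps the quoted User-Agent as one field
        records.append((datetime.fromisoformat(ts), anonymize(ip), (ua, order)))
    return records

def find_pollers(records, period=30.0, tolerance=3.0, min_hits=3):
    """Return {fingerprint: {client_id, ...}} for clients whose request gaps cluster around `period` seconds."""
    by_client = defaultdict(list)
    for ts, cid, fp in records:
        by_client[(cid, fp)].append(ts)
    pollers = defaultdict(set)
    for (cid, fp), stamps in by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        if len(periodic) + 1 >= min_hits:  # min_hits requests give min_hits-1 gaps
            pollers[fp].add(cid)
    return dict(pollers)

if __name__ == "__main__":
    for fp, clients in find_pollers(parse_log(SAMPLE_LOG)).items():
        print(f"{len(clients)} client(s) polling every ~30s with UA={fp[0]!r} headers={fp[1]}")
```

A fingerprint that accounts for many periodic clients is the candidate to match on in BridgeDB (or in a snort rule), while the normal browser with irregular gaps is left alone.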
