Making some graphs for the August 2024 Snowflake bridge report, there are a couple of weird things to comment on.
On August 22–23, there was a drop in users across both bridges that later almost evened out. (See first attachment.) It affected both bridges.
From August 16–31, the ?? country broke into the top 5 countries by user
count, on the snowflake-01 bridge only. (See third attachment.) Because the country code comes from the proxy, which reports the remote IP address of the client, a country code of ?? means that either the proxy did not report an IP address (no client_ip WebSocket URL parameter), or the IP address was not found in a geolocation lookup. Here's a past case where a bug in the WebExtension was resulting in ?? countries: https://bugs.torproject.org/tpo/anti-censorship/pluggable-transports/snowfla...
The snowflake server logs daily the fraction N/D of connections that had client_ip set. In the case before, N decreased while D remained constant. In this case, it looks like N is remaining constant while D is greatly increasing. See in the listing below how N/D suddenly drops from 99% to 41% on 2024-08-13. In the last couple of days, ⅔ to ¾ of connections have been missing the client_ip parameter. The client_ip-less connections must not represent very many user-hours, otherwise they would completely dominate the user graphs.
Did something happen on 2024-08-13? Is this a new source of proxies with an implementation bug? Some kind of attack? (Against the bridge?)
$ grep 'connections had client_ip$' /var/log/snowflake-server/snowflake-server.log | perl -ane '$F[7] =~ m#^(.*)/(.*)$#; printf("%s %s %8d/%-8d %6.2f%%\n", $F[0], $F[1], $1, $2, 100 * ($2 == 0 ? 0.0 : $1/$2));' 2024/08/06 08:57:22 463234/464597 99.71% 2024/08/07 08:57:22 462398/463581 99.74% 2024/08/08 08:57:22 453003/454165 99.74% 2024/08/09 08:57:22 450344/451707 99.70% 2024/08/10 08:57:22 450057/452228 99.52% 2024/08/11 08:57:22 449782/452296 99.44% 2024/08/12 08:57:22 452387/475006 95.24% 2024/08/13 08:57:22 450993/1089806 41.38% 2024/08/14 08:57:22 455701/828402 55.01% 2024/08/15 08:57:22 449159/886577 50.66% 2024/08/16 08:57:22 430698/1061690 40.57% 2024/08/17 08:57:22 426891/1240861 34.40% 2024/08/18 08:57:22 428010/1139078 37.58% 2024/08/19 08:57:22 425667/1363289 31.22% 2024/08/20 08:57:22 427042/1181316 36.15% 2024/08/21 08:57:22 422347/1407363 30.01% 2024/08/22 08:57:22 418760/1437024 29.14% 2024/08/23 08:57:22 271142/1217897 22.26% 2024/08/24 08:57:22 353388/1291375 27.37% 2024/08/25 08:57:22 366323/1117172 32.79% 2024/08/26 08:57:22 382452/1107561 34.53% 2024/08/27 08:57:22 416759/1451520 28.71% 2024/08/28 08:57:22 413329/1445703 28.59% 2024/08/29 08:57:22 403754/1490629 27.09% 2024/08/30 08:57:22 388147/1490993 26.03% 2024/08/31 08:57:22 395311/1377168 28.70% 2024/09/01 08:57:22 389361/1344726 28.95% 2024/09/02 08:57:22 377702/1169902 32.28% 2024/09/03 08:57:22 369956/1272026 29.08% 2024/09/04 08:57:22 368266/1330355 27.68% 2024/09/05 08:57:22 371429/1260571 29.47%
