On Tue, Dec 13, 2016 at 10:37:31AM -0800, David Fifield wrote:
> This is a bit of a followup to my earlier post on obfs4 bridges with formulaic nicknames: https://lists.torproject.org/pipermail/tor-project/2016-November/000809.html
> Those bridges are still there, but today I noticed a new weirdness: 756 bridges all having the nickname "ki". 756 is 21.8% of the total number, 3464. At the moment, "ki" far outnumbers every other nickname, apart from "Unnamed":
Upcoming research paper mentions the "ki" bridges, but still doesn't determine their purpose: https://software.imdea.org/~juanca/papers/torbridges_ndss17.pdf
Section V-A: The yellow middle bar represents a cluster of 3 bridges run by the same organization, that we call by their nickname, Ki, which change fingerprint up to once an hour (but keep their IP addresses stable, see Section VI). The Ki cluster produced a few dozen fingerprints in July 2012, jumped to a few hundred in December 2012 and to a few thousand in February 2014. In March 2016, those 3 bridges are responsible for 32% of all fingerprints, corresponding to 7% of the active fingerprints and 68% of the inactive fingerprints, as most of their fingerprints do not live long enough to obtain the Running flag. After discounting those extraneous fingerprints, the number of active fingerprints in April 2016 is slightly over 5K.
Section V-D: Port 444 is a special case since in principle it is associated with the Simple Network Paging Protocol (SNPP), a not so popular protocol. However, according to CollecTor data, roughly 3K active fingerprints are using it in April 2016. The reason for this is that this OR port is used by the Ki bridges that change fingerprint often, as introduced in Section V-A. Those Ki bridges artificially inflate the usage of this OR port, a behavior that does not manifest on other OR ports.
Section VI-A: Overall, 94.1% of the bridge IP addresses did not change fingerprint, 5.5% changed fingerprint once, and 0.4% changed fingerprint multiple times. The bridges with multiple fingerprint changes include the 3 Ki bridges, which present a different fingerprint every time we connect to them (on a closer look we find that they change fingerprint roughly every hour). Furthermore, we observe that over 70% of the IP addresses with fingerprint changes belong to 2 clusters of private bridges each using multiple nearby IP addresses. These IPs change fingerprint on the same dates, so it is possible that bridges in each cluster were reassigned IP addresses on those dates.
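The three measurements quoted above (share of fingerprints per nickname, fingerprints concentrated on one OR port, and the none/once/multiple classification of fingerprint changes per IP address) can be reproduced over bridge network-status entries. The following is an added example written for this thread, not code from the email, the paper or the Tor project; it works on a constructed, simplified list of entries (timestamp, nickname, fingerprint, IP, OR port) rather than real CollecTor data, and the function names are my own.

```python
from collections import Counter, defaultdict

# Constructed sample entries, NOT CollecTor data. Fields are a simplification of a
# bridge network-status entry: (timestamp, nickname, fingerprint, ip, or_port).
# The two "ki" IPs keep their address but rotate fingerprints hourly, mirroring
# the behaviour the paper describes; the others are ordinary bridges.
SAMPLE_ENTRIES = [
    ("2016-12-13T00:00", "ki", "FP-A1", "10.0.0.1", 444),
    ("2016-12-13T01:00", "ki", "FP-A2", "10.0.0.1", 444),
    ("2016-12-13T02:00", "ki", "FP-A3", "10.0.0.1", 444),
    ("2016-12-13T00:00", "ki", "FP-B1", "10.0.0.2", 444),
    ("2016-12-13T01:00", "ki", "FP-B2", "10.0.0.2", 444),
    ("2016-12-13T00:00", "Unnamed", "FP-C1", "10.0.1.1", 9001),
    ("2016-12-13T01:00", "Unnamed", "FP-C1", "10.0.1.1", 9001),
    ("2016-12-13T00:00", "Unnamed", "FP-D1", "10.0.1.2", 443),
    ("2016-12-13T02:00", "Unnamed", "FP-D2", "10.0.1.2", 443),
    ("2016-12-13T00:00", "StableBridge", "FP-E1", "10.0.2.1", 9001),
    ("2016-12-13T02:00", "StableBridge", "FP-E1", "10.0.2.1", 9001),
]


def nickname_share(entries):
    """Count distinct fingerprints per nickname (the quantity the email compares:
    756 "ki" out of 3464). Returns (Counter of nickname -> count, total count)."""
    fps_by_nick = defaultdict(set)
    for _, nick, fp, _, _ in entries:
        fps_by_nick[nick].add(fp)
    counts = Counter({nick: len(fps) for nick, fps in fps_by_nick.items()})
    return counts, sum(counts.values())


def fingerprints_on_port(entries, port):
    """Distinct fingerprints advertising a given OR port (Section V-D's port 444 check)."""
    return len({fp for _, _, fp, _, p in entries if p == port})


def fingerprint_change_classes(entries):
    """Per IP address, count fingerprint changes between consecutive time-ordered
    observations, then bucket IPs as in Section VI-A: none / once / multiple.
    Returns (dict ip -> number of changes, dict bucket -> number of IPs)."""
    by_ip = defaultdict(list)
    for ts, _, fp, ip, _ in entries:
        by_ip[ip].append((ts, fp))
    changes_per_ip = {}
    classes = {"none": 0, "once": 0, "multiple": 0}
    for ip, seq in by_ip.items():
        seq.sort()  # ISO-8601 strings sort chronologically
        changes = sum(1 for (_, a), (_, b) in zip(seq, seq[1:]) if a != b)
        changes_per_ip[ip] = changes
        if changes == 0:
            classes["none"] += 1
        elif changes == 1:
            classes["once"] += 1
        else:
            classes["multiple"] += 1
    return changes_per_ip, classes


if __name__ == "__main__":
    counts, total = nickname_share(SAMPLE_ENTRIES)
    for nick, n in counts.most_common():
        print(f"{nick:14s} {n:4d} fingerprints ({100 * n / total:.1f}% of {total})")
    print("fingerprints on port 444:", fingerprints_on_port(SAMPLE_ENTRIES, 444))
    per_ip, classes = fingerprint_change_classes(SAMPLE_ENTRIES)
    print("fingerprint changes per IP:", per_ip)
    print("IPs by change class:", classes)
```

Counting distinct fingerprints rather than raw entries matters: a fingerprint-rotating bridge appears in many consensuses under many fingerprints, which is exactly why a handful of IPs can dominate the fingerprint totals while the IP-level view stays small.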