Tor Operators,
It's been about a year since I switched my middle node to a bridge. Since then, usage on that node has increased and I have the bandwidth for it, so that's good. But, 16 days ago, this node started moving a lot more data, hitting the bandwidth limits, constantly. And it's serving many more clients, more than 100 times the recent average.
On this list, I see some messages regarding SSH abuse traffic using Tor. I also see a call from Phillip W. about more obfs4 bridges.
1) Can we be pretty sure the bulk of this sudden increase in users is abuse traffic? If not, is this a problem?
2) What should I do about it, if anything?
3) Would using obfuscation help this problem?
Thanks,
On Mon, Sep 16, 2019 at 12:25:03PM -0700, Porcelain Mouse wrote:
- Can we be pretty sure the bulk of this sudden increase in users is abuse traffic? If not, is this a problem?
Are most of your new clients from Iran? We believe that some popular third-party software started using our bridges, causing these spikes.
- What should I do about it, if anything?
There's not much to do at this point. If this is becoming a burden for your bridge, you could change its port(s), which may get rid of these third-party users -- at least temporarily.
- Would using obfuscation help this problem?
I'm not sure what protocols this third-party software uses. Since you're asking, I assume your bridge only runs vanilla Tor?
Cheers, Philipp
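The question above ("are most of your new clients from Iran?") is one a bridge operator can answer from tor's own bridge statistics. The following is an added example, not code from the thread or from the Tor Project: it parses the `bridge-ips` / `bridge-ip-versions` / `bridge-ip-transports` lines that tor writes to `DataDirectory/stats/bridge-stats` (the same lines it publishes in its extra-info descriptor; counts are rounded up to multiples of 8) and compares the day's unique-client count against a baseline. The sample stats block and the baseline of 100 clients per day are constructed for illustration.

```python
from collections import Counter

# Constructed sample of one 24-hour period of tor's stats/bridge-stats
# output (not real data). Counts are rounded up to multiples of 8 by tor.
SAMPLE_BRIDGE_STATS = """\
bridge-stats-end 2019-09-16 12:00:00 (86400 s)
bridge-ips ir=10296,us=16,de=8,fr=8
bridge-ip-versions v4=10320,v6=8
bridge-ip-transports <OR>=10328
"""

# Constructed baseline: the operator's usual unique clients per day.
BASELINE_DAILY_CLIENTS = 100

STAT_KEYS = ("bridge-ips", "bridge-ip-versions", "bridge-ip-transports")


def parse_counts(field):
    """Parse a 'key=N,key=N' field into a Counter of ints."""
    counts = Counter()
    for item in field.split(","):
        key, _, value = item.strip().partition("=")
        if key and value.isdigit():
            counts[key] = int(value)
    return counts


def parse_bridge_stats(text):
    """Return {stat-name: Counter} for the count lines in a bridge-stats block."""
    stats = {}
    for line in text.splitlines():
        key, _, rest = line.strip().partition(" ")
        if key in STAT_KEYS:
            stats[key] = parse_counts(rest)
    return stats


def analyse(stats, baseline):
    """Summarise where the clients come from and how far above baseline they are."""
    by_country = stats.get("bridge-ips", Counter())
    total = sum(by_country.values())
    top_cc, top_n = by_country.most_common(1)[0] if by_country else (None, 0)
    transports = stats.get("bridge-ip-transports", Counter())
    return {
        "total": total,
        "spike_factor": total / baseline if baseline else None,
        "top_country": top_cc,
        "top_share": top_n / total if total else 0.0,
        # True when every client arrived on the plain OR port, i.e. no
        # pluggable transport such as obfs4 is in use on this bridge.
        "vanilla_only": set(transports) <= {"<OR>"},
    }
```

Running `analyse(parse_bridge_stats(SAMPLE_BRIDGE_STATS), BASELINE_DAILY_CLIENTS)` on the constructed sample reports about 10,300 clients (roughly 100 times the baseline), over 99% of them from `ir`, all on vanilla Tor.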
On Wed, 18 Sep 2019 12:11, Philipp Winter wrote:
On Mon, Sep 16, 2019 at 12:25:03PM -0700, Porcelain Mouse wrote:
- Can we be pretty sure the bulk of this sudden increase in users is abuse traffic? If not, is this a problem?
Are most of your new clients from Iran? We believe that some popular third-party software started using our bridges, causing these spikes.
Funny story...my ISP forced an IP change on me yesterday. Now I'm not getting any traffic at all. From a recent thread on this list, I understand that it could take a while to get back to normal. But, in any case, I cannot check, now. I'll keep that in mind, though, if I get blasted again.
2) What should I do about it, if anything?
There's not much to do at this point. If this is becoming a burden for your bridge, you could change its port(s), which may get rid of these third-party users -- at least temporarily.
Okay, thanks for that suggestion. I will keep that in my bag of tricks for the future. I didn't know that could slow down attacks.
- Would using obfuscation help this problem?
I'm not sure what protocols this third-party software uses. Since you're asking, I assume your bridge only runs vanilla Tor?
I run an RPM-based distro and would prefer to stick with packages I can get easily. But, I could build tor for myself, if it came to that. I was specifically thinking of obfs4 when I asked this question, but I only looked into it, briefly, and don't know exactly how it works. It seems like it answers connections for tor, a la inetd and tcp wrappers, and you can just add it to your torrc. Is that not right? Anyway, I guess it doesn't matter, the issue has passed. I just saw your call for obfs4 and couldn't figure out what it does that is useful to the project. I want my node to be useful.
P.S. Sorry about misspelling your name.
On Wed, Sep 18, 2019 at 08:46:53PM -0700, Porcelain Mouse wrote:
I run an RPM-based distro and would prefer to stick with packages I can get easily. But, I could build tor for myself, if it came to that. I was specifically thinking of obfs4 when I asked this question, but I only looked into it, briefly, and don't know exactly how it works. It seems like it answers connections for tor, a la inetd and tcp wrappers, and you can just add it to your torrc. Is that not right? Anyway, I guess it doesn't matter, the issue has passed. I just saw your call for obfs4 and couldn't figure out what it does that is useful to the project. I want my node to be useful.
Yes, that is correct. When a client is using obfs4, it's talking to the bridge's obfs4 port (exposed by obfs4proxy), and not to its OR port (exposed by tor). The idea of pluggable transports is to decouple obfuscation from anonymity. Obfuscation is currently provided by obfs4proxy while anonymity is provided by tor.
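As an added illustration of the split described above (not a configuration from the thread or from the Tor Project's documentation), a minimal torrc for an obfs4 bridge looks like this. The port numbers and the `/usr/bin/obfs4proxy` path are assumptions; tor listens on the OR port itself, while obfs4proxy listens on the separate obfs4 port and hands de-obfuscated connections to tor over the Extended ORPort.

```text
# Run as a bridge rather than a public relay, and publish the
# descriptor to the bridge authority instead of the directory authorities.
BridgeRelay 1
PublishServerDescriptor bridge

# Anonymity layer: tor's own OR port (assumed port number).
ORPort 9001

# Obfuscation layer: obfs4proxy owns this listener (assumed binary path
# and port); clients using obfs4 connect here, not to the OR port.
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs4 0.0.0.0:9002

# Internal channel over which obfs4proxy forwards clients to tor.
ExtORPort auto

# Let the bridge authority decide how the bridge line is distributed.
BridgeDistribution any
```

Changing `ServerTransportListenAddr` (or `ORPort`) is the "change its port(s)" step mentioned earlier in the thread; existing client configurations that hard-code the old port stop reaching the bridge until they are updated.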
On Wed, 18 Sep 2019 12:11, Philipp Winter wrote:
On Mon, Sep 16, 2019 at 12:25:03PM -0700, Porcelain Mouse wrote:
- Can we be pretty sure the bulk of this sudden increase in users is abuse traffic? If not, is this a problem?
Are most of your new clients from Iran? We believe that some popular third-party software started using our bridges, causing these spikes.
Yes.
So, I'm seeing the same symptoms, again after about a week of almost no traffic. FYI.
On Wed, Oct 09, 2019 at 12:31:31AM -0700, Porcelain Mouse wrote:
Are most of your new clients from Iran? We believe that some popular third-party software started using our bridges, causing these spikes.
Yes.
So, I'm seeing the same symptoms, again after about a week of almost no traffic. FYI.
Thanks for running a bridge!
I've heard versions of your stories from three or four other people who run bridges too. The basic pattern seems to me that suddenly they have tens of thousands of extra bridge users, and it lasts for a week or so and then the traffic vanishes again.
I assume that somebody is shipping a Tor client and a custom bridge list in some software that has this many users. And they keep updating their software with newer bridge lists.
I remain curious what the software is. :)
--Roger
Roger Dingledine:
On Wed, Oct 09, 2019 at 12:31:31AM -0700, Porcelain Mouse wrote:
Are most of your new clients from Iran? We believe that some popular third-party software started using our bridges, causing these spikes.
Yes.
So, I'm seeing the same symptoms, again after about a week of almost no traffic. FYI.
Thanks for running a bridge!
I've heard versions of your stories from three or four other people who run bridges too. The basic pattern seems to me that suddenly they have tens of thousands of extra bridge users, and it lasts for a week or so and then the traffic vanishes again.
I assume that somebody is shipping a Tor client and a custom bridge list in some software that has this many users. And they keep updating their software with newer bridge lists.
I remain curious what the software is. :)
I too have heard those stories.
Yes, it's usually a few weeks from a particular country, then the unique users die down and flatline under 100 a day.
I suspect Roger is right on the cause, and it would be nice to know what's behind it. In the past, I suspected a bridge IP became viral among a group of people, but now, some circumvention application seems more likely.
I don't think the bridge IP is being blocked from the respective country, since a decent number of connections do continue from that particular country.
g
tor-relays@lists.torproject.org