[tor-project] Many obfs4 bridges with similar nicknames and characteristics
David Fifield
david at bamsoftware.com
Tue Nov 29 03:23:16 UTC 2016
There are many bridges in Onionoo that seem to follow a common naming
convention: two dictionary words concatenated, then truncated to 16
characters. That, plus the fact that many of them run on the same
platform, run only the obfs4 transport, and have related last_restarted
times, makes me think they are somehow related and perhaps malicious. In
a sample of 200 Onionoo bridges, 19% followed the convention. I noticed
this by accident and I'm not planning to look into it more, so I'm
dropping notes here.
I downloaded https://onionoo.thecthulhu.com/details?type=bridge
("bridges_published":"2016-11-28 21:41:02") and manually looked at the
first 200 entries (of ~2500). I picked out the ones that followed the
naming convention: two dictionary words concatenated and truncated to 16
characters; the 40 matches are appended to this message. Of those, only
2 (mapletalon and coffledtileries) don't match the others with respect
to transports.
The words look like they are randomly chosen from a dictionary and some
of them are esoteric or proper names. For example,
cubicsrepugned = cubics + repugned
instinctivevital = instinctive + vital
stegosaurscontin = stegosaurs + contin(ue?)
famishmentbarrac = famishment + barrac(ks?)
Trobriandersbacc = Trobrianders + bacc(hannal?)
friablerecitativ = friable + recitativ(e?)
Ruidosospostcopu = Ruidosos + postcopu(latory?)
introspectpacifi = introspect + pacifi(c?)
cosponsorsangula = cosponsors + angula(r?)
Here's the list of 40 bridges I selected manually out of the 200. Notice
that 17 of them have a last_restarted time within 10 minutes of
2016-11-11 00:00:00.
$ ./nodeinfo < suspicious-bridges.json
hashed_fingerprint nickname first_seen last_seen last_restarted platform transports
BD2B73AE5F68276BE4E01534F97A28E992B24894 mapletalon 2015-05-01 22:57:41 2016-11-28 21:41:02 2016-10-18 17:48:08 Tor 0.2.8.9 on Linux obfs3,scramblesuit,obfs4,fte
89BD7F3C63464D389B73914FAA818EBF61EE6B46 coffledtileries 2015-12-30 16:52:56 2016-11-28 21:41:02 2016-11-07 12:20:31 Tor 0.2.8.9 on Linux obfs3
D6EC04069E89F08CAE4CBA0E2BE44FFD282BAB07 Trobriandersbacc 2016-09-04 05:38:16 2016-11-28 21:41:02 2016-11-10 00:05:41 Tor 0.2.8.9 on Linux obfs4
5ECF6C485B3DD05EDB9F95073257B8C33C755EE2 ElchoCanarian 2016-11-09 03:41:02 2016-11-28 21:41:02 2016-11-10 11:07:26 Tor 0.2.8.9 on Linux obfs4
FCA481C317E434590CFA06E77A4AE7F5E2E371A3 sailboaterecthym 2016-09-22 15:38:16 2016-11-28 21:41:02 2016-11-11 00:01:10 Tor 0.2.8.9 on Linux obfs4
8A1D76B37B8BB17C35454454E19C729C1AC47E8A orbitalprogymnas 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-11 00:01:15 Tor 0.2.8.9 on Linux obfs4
4B9C80E3798BAB6B21D7256EE47EA20BF8F4576C Davossoutdroppin 2016-10-18 16:41:01 2016-11-28 21:41:02 2016-11-11 00:01:18 Tor 0.2.8.9 on Linux obfs4
EFEB18D156E1E14837E417113B3971C04F4F5FBB Ruidosospostcopu 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-11 00:01:21 Tor 0.2.8.9 on Linux obfs4
79C6F406B3D3927ABB881EB54323B29DF400F9E2 hypospadiasesdum 2016-10-03 03:38:17 2016-11-28 21:41:02 2016-11-11 00:02:30 Tor 0.2.8.9 on Linux obfs4
B3B7B975DCD1D7E59D65202DB8E6E2D75655B358 stegosaurscontin 2016-10-23 17:41:01 2016-11-28 21:41:02 2016-11-11 00:02:48 Tor 0.2.8.9 on Linux obfs4
43CBD641F40EE1563BB1AF7736175512A5B559A2 famishmentbarrac 2016-10-22 12:41:01 2016-11-28 21:41:02 2016-11-11 00:03:48 Tor 0.2.8.9 on Linux obfs4
1931388E3C53689BED98E0BEFA7052F07BCC7F70 instinctivevital 2016-10-27 20:41:01 2016-11-28 21:41:02 2016-11-11 00:04:48 Tor 0.2.8.9 on Linux obfs4
914CF5540F8B92672CA6C9AA270DA88928B6CA78 cubicsrepugned 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-11 00:05:02 Tor 0.2.8.9 on Linux obfs4
F791DD628CA38C402E2126DAD106EA19C67252F4 wheelsolla 2016-10-08 10:38:17 2016-11-28 21:41:02 2016-11-11 00:05:04 Tor 0.2.8.9 on Linux obfs4
E5BA71654F739B20AA807362EBA4FE91B57331EC IQsmediator 2016-11-09 18:41:02 2016-11-28 21:41:02 2016-11-11 00:05:16 Tor 0.2.8.9 on Linux obfs4
C8A129620B9ACA9708EBF40F54536A4DB644260F impulsivenesssle 2016-10-17 05:38:17 2016-11-28 21:41:02 2016-11-11 00:05:31 Tor 0.2.8.9 on Linux obfs4
500F068CBA07D0E0CEB0343D1DFF2CB32AD77080 friablerecitativ 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-11 00:05:37 Tor 0.2.8.9 on Linux obfs4
71A74F4F94606B455B3CCE0AE4A21D57D557B489 imaginarysoverco 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-11 00:05:49 Tor 0.2.8.9 on Linux obfs4
E7A4C66517035A309C6D448070B964023D150A5F aidedarticularly 2016-09-06 04:38:16 2016-11-28 21:41:02 2016-11-11 00:06:08 Tor 0.2.8.9 on Linux obfs4
66B41CF3878A37254511C5E3F76F513F74075464 blessedergrisled 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-11 00:06:31 Tor 0.2.8.9 on Linux obfs4
C724E07A07E2C820208CD22D19A3B1B1FD40B7F3 whensquincentena 2016-11-03 05:41:02 2016-11-28 21:41:02 2016-11-11 05:02:03 Tor 0.2.8.9 on Linux obfs4
6567256AC5857A83D57F6D3256FBAC5D8030803B pipagelengthwise 2016-09-24 21:38:16 2016-11-28 21:41:02 2016-11-12 05:01:58 Tor 0.2.8.9 on Linux obfs4
3168BC247CA693DF2871AD547F74DD93D9A8CB4E recessionalsFols 2016-11-13 00:41:02 2016-11-28 21:41:02 2016-11-14 00:01:12 Tor 0.2.8.9 on Linux obfs4
A9EE320C9BF3E5505C08CBB26135A9342435414B amasseracrimonio 2016-11-14 23:41:02 2016-11-28 21:41:02 2016-11-16 00:01:13 Tor 0.2.8.9 on Linux obfs4
666AAC1C83DC928E2E72F69A40B3DF31F008FCF0 harmonizeLorinda 2016-11-08 18:41:02 2016-11-28 21:41:02 2016-11-16 18:47:25 Tor 0.2.8.9 on Linux obfs4
5D0BE64E6C00322D31B9CE83E5117F9D8860D291 supernaturesPoto 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-17 00:01:03 Tor 0.2.8.9 on Linux obfs4
C319A27A6B749518F8B5ABA508676E3A0307B5CE pitchwomanPetrar 2016-11-18 16:41:02 2016-11-28 21:41:02 2016-11-18 16:23:52 Tor 0.2.8.9 on Linux obfs4
8F366D5100DC5806D03839434D20EE6508C3C6D5 xenogeniescondon 2016-11-22 01:41:02 2016-11-23 00:41:02 2016-11-22 01:21:38 Tor 0.2.8.9 on Linux obfs4
280608EF66099BC4DFE651E540B34EE2BAD53E0F Hofmannscrimply 2016-11-24 17:41:02 2016-11-25 16:41:02 2016-11-24 17:15:04 Tor 0.2.8.9 on Linux obfs4
75B88A93670C87243BEA433598B582BFA1FA38D5 otitisArchaeorni 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-24 17:59:06 Tor 0.2.8.9 on Linux obfs4
8C585AA14CA728E03892BEC51284DFE39CD52641 streetyNavaratra 2016-10-22 18:41:01 2016-11-28 21:41:02 2016-11-24 23:01:07 Tor 0.2.8.9 on Linux obfs4
8475B61417F33A345F03A8939AAB8D011510A256 biffoximes 2016-11-26 05:41:02 2016-11-28 21:41:02 2016-11-26 05:22:06 Tor 0.2.8.9 on Linux obfs4
B296B50F26467B9BF85553C53AC9C4BA8B7D54E6 ephorscranberry 2016-11-26 15:41:02 2016-11-27 14:41:02 2016-11-26 15:05:01 Tor 0.2.8.9 on Linux obfs3
8292BA88B705EB5BC73EFBC49310FC2C57722AB7 memoirgores 2016-11-26 16:41:02 2016-11-27 22:41:02 2016-11-26 16:20:04 Tor 0.2.8.9 on Linux obfs4
48B85C391D285184D25F7F9C80CD1400BC361F30 cosponsorsangula 2016-11-27 06:41:02 2016-11-28 05:41:02 2016-11-27 06:12:34 Tor 0.2.8.9 on Linux obfs4
AD2FC88D84A85069D850011533A3ACA2F77A622C forequotedferric 2016-11-27 20:41:02 2016-11-28 21:41:02 2016-11-27 20:22:42 Tor 0.2.8.9 on Linux obfs4
3191235187A95599A4831D5B1891713A30B75110 dennetsreeder 1970-01-01 00:00:00 2016-11-28 21:41:02 2016-11-27 21:08:00 Tor 0.2.8.9 on Linux obfs4
3D6B08D309B3080697B74DEAE724E41FFC89B6BC introspectpacifi 2016-11-28 07:41:02 2016-11-28 21:41:02 2016-11-28 07:11:54 Tor 0.2.8.9 on Linux obfs4
1F4CAB0568389C049623E41FA8ECD546F4821C53 pamphletaryDille 2016-11-25 20:41:02 2016-11-28 21:41:02 2016-11-28 08:01:58 Tor 0.2.8.9 on Linux obfs4
1C3F2CC53203756A12A3E2AFB587CD535920767E schlierenasympto 2016-11-28 10:41:02 2016-11-28 21:41:02 2016-11-28 11:33:41 Tor 0.2.8.9 on Linux obfs4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bridges.json.xz
Type: application/x-xz
Size: 130148 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20161128/ab7e4152/attachment-0001.xz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suspicious-bridges.json
Type: application/json
Size: 15862 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20161128/ab7e4152/attachment-0001.json>
-------------- next part --------------
#!/usr/bin/env python
# Usage:
# wget -O relays.json https://onionoo.torproject.org/details?type=relay
# ./nodeinfo < relays.json
import datetime
import json
import sys

DATEFMT = "%Y-%m-%d %H:%M:%S"

# Maps a sorted tuple of family fingerprints to a short label (A, B, C, ...).
FAMILY_LABELS = {}

def family_label(r):
    try:
        effective_family = r["effective_family"]
    except KeyError:
        return None
    # Strip the leading "$" from each family member's fingerprint.
    key = [f[1:] for f in effective_family]
    key.append(r["fingerprint"])
    key = tuple(sorted(key))
    try:
        return FAMILY_LABELS[key]
    except KeyError:
        label = chr(ord("A") + len(FAMILY_LABELS))
        FAMILY_LABELS[key] = label
        return label

now = datetime.datetime.utcnow()

def output_relay(r):
    # Bridges expose only a hashed fingerprint; relays expose the real one.
    try:
        fingerprint = r["fingerprint"]
    except KeyError:
        fingerprint = r["hashed_fingerprint"]
    # Parenthesized so the line runs under both Python 2 and Python 3.
    print("%s %-17s %s %s %s %-26s %s" % (
        fingerprint,
        r["nickname"],
        r["first_seen"].format(DATEFMT),
        r["last_seen"].format(DATEFMT),
        r["last_restarted"].format(DATEFMT),
        r["platform"],
        ",".join(r.get("transports", ())),
    ))

j = json.load(sys.stdin)
for r in j["relays"] + j["bridges"]:
    # if r["fingerprint"] in OLD_FINGERPRINTS.intersection(FINGERPRINTS):
    # if r["fingerprint"] in FINGERPRINTS:
    output_relay(r)
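
Added example (not part of the original message or its attachments): one way to automate the manual selection described in the post, flagging nicknames that split into two dictionary words with the second possibly cut off at 16 characters, and listing bridges restarted near a given time. The word list, the function names, the MINWORD threshold and the last sample record are assumptions made for illustration; the other sample rows are copied from the table in the message.

```python
import bisect
import datetime

DATEFMT = "%Y-%m-%d %H:%M:%S"
MAXLEN = 16   # truncation length described in the post
MINWORD = 3   # assumption: skip very short fragments to limit false hits

# Constructed stand-in for a real word list such as /usr/share/dict/words.
WORDS = sorted(["cubics", "repugned", "instinctive", "vital", "stegosaurs",
                "continue", "maple", "talon", "bridge", "relay"])
WORDSET = set(WORDS)

def is_prefix_of_word(fragment):
    """True if some dictionary word starts with fragment (binary search)."""
    i = bisect.bisect_left(WORDS, fragment)
    return i < len(WORDS) and WORDS[i].startswith(fragment)

def split_nickname(nick):
    """Return (word1, word2_or_prefix, truncated), or None if no match."""
    n = nick.lower()
    for i in range(MINWORD, len(n) - MINWORD + 1):
        first, rest = n[:i], n[i:]
        if first not in WORDSET:
            continue
        if rest in WORDSET:
            return (first, rest, False)
        # A cut-off second word is only plausible at exactly MAXLEN chars.
        if len(n) == MAXLEN and is_prefix_of_word(rest):
            return (first, rest, True)
    return None

def restarted_near(bridges, center, minutes=10):
    """Nicknames whose last_restarted lies within +/- minutes of center."""
    c = datetime.datetime.strptime(center, DATEFMT)
    window = datetime.timedelta(minutes=minutes)
    return [b["nickname"] for b in bridges
            if abs(datetime.datetime.strptime(b["last_restarted"], DATEFMT) - c) <= window]

# First four records copied from the table above; the last one is constructed.
SAMPLE = [
    {"nickname": "mapletalon", "last_restarted": "2016-10-18 17:48:08"},
    {"nickname": "stegosaurscontin", "last_restarted": "2016-11-11 00:02:48"},
    {"nickname": "instinctivevital", "last_restarted": "2016-11-11 00:04:48"},
    {"nickname": "cubicsrepugned", "last_restarted": "2016-11-11 00:05:02"},
    {"nickname": "torbridge01", "last_restarted": "2016-11-20 09:30:00"},
]

if __name__ == "__main__":
    print([(b["nickname"], split_nickname(b["nickname"])) for b in SAMPLE])
    print(restarted_near(SAMPLE, "2016-11-11 00:00:00"))
```

With a full dictionary the prefix test matches far more strings, so a nickname match is best treated as one signal to combine with the transport, platform and restart-time columns.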