[tor-project] New UAE Users

Roger Dingledine arma at mit.edu
Tue Mar 14 15:40:15 UTC 2017


On Tue, Mar 14, 2017 at 12:02:46AM +0000, Matthew Finkel wrote:
> But I spoke with someone at IFF from the region last week and their current
> thought is that this is caused by some group running a bot (of some kind)

Typically botnets have victims in many countries, though, right? How
did they manage to contain their bots to just UAE hosts?

(Geofenced malicious ads? A vulnerability in an app that only UAE
people install? Malware on a government website that many people need
to visit? Or maybe the bots are more widespread, but for some reason
the bot operator chose to only transition the UAE hosts to using Tor?)

> dirreq-v3-ips ae=115824,in=2504,nl=1256,us=888,jo=728,[...]
> dirreq-v3-reqs ae=495328,nl=14928,us=7696,in=5136,gb=4168,[...]
> bridge-ips ae=144992,in=4248,nl=1344,us=1104,jo=952,[...]

Those are huge numbers, and they convince me that the phenomenon is
real -- there really are many many Tor clients connecting from many many
different IP addresses.

That said, when they shifted from vanilla Tor connections to bridge
connections... they all shifted to one bridge? That lends a lot of
credibility to the "a bunch of Tor clients, all using the same
configuration, so it's all really coordinated" point.

--Roger
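
An added example, not part of the message above or of Tor's own tooling: a small parser for the three statistics lines quoted in the thread that measures how far the top country leads the runner-up in each. The function names and the 10x threshold are assumptions made for illustration, and because the quoted lines are truncated at `[...]`, only the visible entries are compared.

```python
import re

# The three lines quoted in the message; "[...]" is the poster's truncation.
SAMPLE = """\
dirreq-v3-ips ae=115824,in=2504,nl=1256,us=888,jo=728,[...]
dirreq-v3-reqs ae=495328,nl=14928,us=7696,in=5136,gb=4168,[...]
bridge-ips ae=144992,in=4248,nl=1344,us=1104,jo=952,[...]
"""

PAIR = re.compile(r"^([a-z?]{2})=(\d+)$")  # e.g. "ae=115824"; "??" = unknown country


def parse_stats(text):
    """Return ({keyword: {country: count}}, set of keywords with truncated lists)."""
    stats, truncated = {}, set()
    for line in text.splitlines():
        keyword, _, body = line.strip().partition(" ")
        if not body:
            continue
        counts = {}
        for item in (i.strip() for i in body.split(",")):
            m = PAIR.match(item)
            if m:
                counts[m.group(1)] = int(m.group(2))
            elif item:
                truncated.add(keyword)  # "[...]" or anything unparseable
        stats[keyword] = counts
    return stats, truncated


def dominance(counts):
    """(top country, top count / runner-up count), or None with < 2 countries."""
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) < 2 or ranked[1][1] == 0:
        return None
    return ranked[0][0], ranked[0][1] / ranked[1][1]


def flag_outliers(text, min_ratio=10.0):  # threshold is an illustrative assumption
    """Keywords where one country leads the runner-up by at least min_ratio."""
    stats, _ = parse_stats(text)
    flagged = {}
    for keyword, counts in stats.items():
        result = dominance(counts)
        if result and result[1] >= min_ratio:
            flagged[keyword] = (result[0], round(result[1], 1))
    return flagged


if __name__ == "__main__":
    for keyword, (cc, ratio) in flag_outliers(SAMPLE).items():
        print(f"{keyword}: {cc} leads the next country by {ratio}x")
```
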


