[tor-relays] Bots, love 'em or hate 'em?

starlight.2015q3 at binnacle.cx
Mon Sep 7 14:30:38 UTC 2015


This is curious:  Appears a large number of Tor
client-bots have set

    UseEntryGuards 0

From current relays that have never had the guard flag:

extra-info moep DA8C1123CDB3ACD3B36CD7E7CEFBEA685DED2276
entry-ips us=360,de=296,fr=232,it=192,es=160,jp=104,ru=104,br=96,ir=96. . .

extra-info motor BBBBBAD453263D786EC34AB68A06214288910345
entry-ips us=392,de=352,fr=344,it=312,es=248,ru=136,br=128. . .ir=104. . .

extra-info BaconPancakes B5882F8BA0AA89BCA4101A893A6116006D229496
entry-ips de=832,us=800,fr=776,it=776,es=600,br=336,pl=304,gb=296. . .


And reaching back in time to a fast relay
at birth, twelve hours prior to receiving
the initial Guard flag assignment:


consensuses-2014-04/21/2014-04-21-23-00-00-consensus
====================================================
r bauruine202 9Zbhse+Y4d273JNNtyKvVAaYaPY yp4BOAjicQhv1Pb1RMAzbejupVw
s Fast HSDir Running Unnamed V2Dir Valid
v Tor 0.2.4.21
w Bandwidth=27100


server-descriptors-2014-04/c/a/ca9e013808e271086fd4f6f544c0336de8eea55c
=======================================================================
router bauruine202 62.210.137.230 8443 0 8080
platform Tor 0.2.4.21 on Linux
published 2014-04-21 22:04:49
fingerprint F596 E1B1 EF98 E1DD BBDC 934D B722 AF54 0698 68F6
uptime 620454  (7 DAYS 4 HOURS 21 MINUTES)
bandwidth 15728640 20971520 16192064
extra-info-digest D7E071CF34679666DD9D80AB5F24020522D63F00


extra-infos-2014-04/d/7/d7e071cf34679666dd9d80ab5f24020522d63f00
================================================================
extra-info bauruine202 F596E1B1EF98E1DDBBDC934DB722AF54069868F6               
published 2014-04-21 22:04:49                                                 
entry-stats-end 2014-04-21 17:43:50 (86400 s)
!!!entry-ips de=57728,us=48520,es=44432,fr=39688,br=38264,it=32816. . .


Well over 100,000 client contacts here before
the Guard flag was ever assigned.




At 11:11 8/19/2015 -0400, you wrote:
>My relay says it receives about 50k v1/v2/v3
>connections each day to the 60k v4
>connections that come in.
>
>"Entry-ips" says it has about 35k guard-
>clients.  Blutmagie says there are no
>pre-0.2.4 relays talking anything other
>than v4.
>
>So I'm left thinking that 95% or more of the
>bandwidth consumption and client count is from
>crusty old botnet bots running ancient versions
>of the Tor daemon.
>
>But all that bot traffic creates a lot
>of statistical "background noise," and
>so may be providing a service in making
>it more difficult for advanced adversaries
>to perform traffic correlation analysis.
>
>Thoughts anyone?
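
The cross-check made by hand in the message above (consensus flags against `entry-ips` in the matching extra-info document), written out as an added example that is not part of the original post. The function names are hypothetical, and the sample data is the bauruine202 excerpt from the message with the poster's "!!!" marker removed; because the `entry-ips` list is elided with ". . .", the total is a lower bound.

```python
import base64
import re

# Excerpts copied from the message above; the ". . ." elision is the poster's.
CONSENSUS = """\
r bauruine202 9Zbhse+Y4d273JNNtyKvVAaYaPY yp4BOAjicQhv1Pb1RMAzbejupVw
s Fast HSDir Running Unnamed V2Dir Valid
"""
EXTRA_INFO = """\
extra-info bauruine202 F596E1B1EF98E1DDBBDC934DB722AF54069868F6
entry-stats-end 2014-04-21 17:43:50 (86400 s)
entry-ips de=57728,us=48520,es=44432,fr=39688,br=38264,it=32816. . .
"""

def consensus_flags(text):
    """Map hex fingerprint -> set of flags, from 'r'/'s' line pairs."""
    flags, fp = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["r"] and len(parts) >= 3:
            # The identity field is unpadded base64 of the 20-byte key digest.
            ident = parts[2] + "=" * (-len(parts[2]) % 4)
            fp = base64.b64decode(ident).hex().upper()
        elif parts[:1] == ["s"] and fp:
            flags[fp], fp = set(parts[1:]), None
    return flags

def entry_ips(text):
    """Map hex fingerprint -> {country: count}, from extra-info documents."""
    out, fp = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["extra-info"] and len(parts) >= 3:
            fp = parts[2].upper()
        elif parts[:1] == ["entry-ips"] and fp:
            # findall keeps the listed pairs and ignores a trailing elision.
            pairs = re.findall(r"([a-z]{2})=(\d+)", line)
            out[fp] = {cc: int(n) for cc, n in pairs}
    return out

def non_guard_entry_clients(consensus, extra_info):
    """Return {fingerprint: summed entry-ips} for relays without the Guard flag."""
    flags = consensus_flags(consensus)
    return {fp: sum(counts.values())
            for fp, counts in entry_ips(extra_info).items()
            if fp in flags and "Guard" not in flags[fp]}

if __name__ == "__main__":
    for fp, total in non_guard_entry_clients(CONSENSUS, EXTRA_INFO).items():
        print(fp, "no Guard flag, entry-ips total >=", total)
```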


