
Re: [tor-talk] massive automated bridge requests: why?

Hopefully this will not be a double. I seem to forget easily what email
is subscribed to what lists :(.

On 9/3/11 10:39 AM, Roger Dingledine wrote:
> Hi folks,
> Over the past few months the number of bridge users has spiked, most
> prominently in Italy, but also plenty in Spain, Brazil, Israel, and
> others.
True. I also have some rudimentary statistics built from bridges.csv
that highlighted this issue some time ago, but from what I understand
this is starting to become a serious problem.

> I believe it started out with a Tor bundle that somebody made that had
> three bridges pre-configured -- we found a torrc file along with an
> unofficial Windows Tor bundle. At the beginning, those few bridges had
> tens of thousands of users each, and that was it.

Yup, the package in question, which is apparently shipped mainly for a
Chinese audience, is a bundle that also contains Tor. The problem is that
the torrc contains statically hardcoded bridge IP addresses.

Here is a link to the commit in question:

When I first saw this the dates did match up with the traffic spikes to
Tor bridges, though it did seem strange that these requests were linked
to non-Chinese-speaking countries (Italy, Brazil, Spain).

> Since then, we've seen an enormous spike in automated connections to
> https://bridges.torproject.org/ -- more than a million requests an hour.
> Now just about every bridge that's given out via the https pool (as
> opposed to the gmail pool or the reserve pool) is seeing many many
> thousands of users from Italy and these other countries.
This highlights that the issue is probably much more complex. Somebody
has developed a custom crawler to scrape https://bridges.torproject.org
for fresh and new Tor bridges.

I can imagine that the person who developed this thought it was the
smartest idea in the world, and I believe he meant no harm. Yet the
responsible application/tool/bundle must be identified and the developer
instructed to stop doing so.

> It seems clear that somebody's unofficial Tor bundle automatically grabs
> some bridges for its users, and that this somebody didn't understand
> the notion of being polite to a remote service -- I think each user is
> hitting the bridges page roughly every 30 seconds.
Since the requests are coming in from every client every 30 seconds,
this must be seen as an attack. What they are doing, in effect, is
conducting a DDoS on bridges.tp.org.

For this reason I think it would be appropriate to manage the issue as
if we were up against an adversary and start by trying to fingerprint
the application making the requests.
This would probably require patching BridgeDB
(https://gitweb.torproject.org/bridgedb.git) to log anonymized requests
from the attacker.

Once the application responsible is spotted we should get in contact
with them and have them fix the bundle to stop doing these requests. If
this is not possible we could maybe write a snort rule or something
inside of BridgeDB directly to filter out and stop responding to illicit
malicious requests.

> We've taken steps to defend the bridgedb service from this overload. And
> I can imagine further steps, like finally rolling out a captcha on that
> page, to block people from using it like a remote API (which I always
> thought was kind of a neat option). Or heck, just moving to a different
> URL and abandoning that one.
The CAPTCHA solution would work; however, the issue might be solved
easily by just detecting the UserAgent of the client making the request
(in case this is not being spoofed by the application, see above point).
Or maybe by implementing something slightly more complex that leaves the
user experience unaltered, such as matching on request header order.

On the second solution I remember reading a couple of papers on it and I
believe there was also a presentation at CCC 2010 on it. I can't seem to
find them at the moment but I will update as soon as I find out.

> But the question first is: what's going on? Can those of you near or in
> these countries please ask around and try to get some answers?
I will try to do so and update you on the status of the inquiries.

> I don't think it's a censoring adversary trying to collect the list of
> bridges. For one, it's way overkill; for another, why use the bridges
> afterwards?
That seems highly unlikely to me too.

> I don't think it's malware or some automated botnet that happens to
> use bridges -- if it were, we should be seeing spikes in well-connected
> countries like Japan.
Maybe some OSINT tool? Somebody who wishes to have a high level of
anonymity by not disclosing that he is about to connect to Tor, but is
too lazy to set up a custom Tor bridge?

- Art.
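The two detection ideas raised in the reply above (spotting clients that poll every 30 seconds, then fingerprinting them by User-Agent and request header order so ordinary browser visitors are left alone) can be sketched as a small log-analysis step. The following is an added example, not code from the thread or from BridgeDB; the record layout `(timestamp, anonymized_client, user_agent, header_names)`, the sample values and all function names are assumptions made for illustration, and the anonymized client token stands in for whatever hashed identifier a patched BridgeDB would log.

```python
"""Added example: flag periodic automated bridge requests and derive a
User-Agent + header-order fingerprint for them (not BridgeDB code)."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample traffic. Values are invented for the example; the
# client tokens stand in for anonymized identifiers, not real addresses.
BOT_UA = "Mozilla/4.0 (compatible; ExampleBundle)"
BOT_ORDER = ("Host", "User-Agent", "Accept")
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/6.0"
BROWSER_ORDER = ("Host", "User-Agent", "Accept", "Accept-Language",
                 "Accept-Encoding", "Connection")


def _burst(client, start, count, ua, order, period=30):
    """Build `count` requests from one client spaced `period` seconds apart."""
    return [(start + i * period, client, ua, order) for i in range(count)]


SAMPLE_REQUESTS = (
    _burst("client-a", 1000, 8, BOT_UA, BOT_ORDER)
    + _burst("client-b", 1013, 8, BOT_UA, BOT_ORDER)
    + _burst("client-c", 1007, 6, BOT_UA, BOT_ORDER, period=31)
    # A human visitor: two requests minutes apart with a full browser header set.
    + [(1100, "client-h", BROWSER_UA, BROWSER_ORDER),
       (1460, "client-h", BROWSER_UA, BROWSER_ORDER)]
)


def header_fingerprint(user_agent, header_names):
    """Fingerprint = User-Agent plus the order in which request headers appear.
    Header order is set by the HTTP client library, so it tends to survive a
    casually spoofed User-Agent string."""
    return (user_agent, tuple(name.lower() for name in header_names))


def periodic_clients(records, period=30.0, tolerance=5.0, min_requests=4):
    """Return the anonymized clients whose median inter-request gap is
    within `tolerance` seconds of `period` (the ~30 s polling described above)."""
    times_by_client = defaultdict(list)
    for timestamp, client, _ua, _headers in records:
        times_by_client[client].append(timestamp)

    flagged = set()
    for client, times in times_by_client.items():
        if len(times) < min_requests:
            continue  # too few requests to call it periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance:
            flagged.add(client)
    return flagged


def dominant_fingerprint(records, flagged):
    """Most common (UA, header-order) fingerprint among flagged clients and
    its share of the flagged requests; (None, 0.0) if nothing was flagged."""
    counts = Counter(
        header_fingerprint(ua, headers)
        for _timestamp, client, ua, headers in records
        if client in flagged
    )
    if not counts:
        return None, 0.0
    fingerprint, hits = counts.most_common(1)[0]
    return fingerprint, hits / sum(counts.values())


def should_serve(user_agent, header_names, blocked_fingerprints):
    """Filtering decision for the bridge distributor: stop answering requests
    that carry a known automated fingerprint, leave everything else alone."""
    return header_fingerprint(user_agent, header_names) not in blocked_fingerprints


if __name__ == "__main__":
    flagged = periodic_clients(SAMPLE_REQUESTS)
    fingerprint, share = dominant_fingerprint(SAMPLE_REQUESTS, flagged)
    print("periodic clients:", sorted(flagged))
    print("dominant fingerprint:", fingerprint, "share: %.2f" % share)
    print("serve browser?", should_serve(BROWSER_UA, BROWSER_ORDER, {fingerprint}))
    print("serve bot?", should_serve(BOT_UA, BOT_ORDER, {fingerprint}))
```

The periodic check is deliberately keyed on the median gap rather than the mean, so a client that pauses once (or is briefly throttled) is still recognized, and the fingerprint is only used to filter once it clearly dominates the flagged traffic, which keeps human visitors on a shared address from being caught by the rate check alone.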
