
[tor-talk] massive automated bridge requests: why?



Hi folks,

Over the past few months the number of bridge users has spiked, most
prominently in Italy, but also plenty in Spain, Brazil, Israel, and
others.

https://metrics.torproject.org/users.html#bridge-users
https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-06-05&end=2011-09-03&country=it#bridge-users
https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-06-05&end=2011-09-03&country=es#bridge-users
https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-06-05&end=2011-09-03&country=br#bridge-users
https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-06-05&end=2011-09-03&country=il#bridge-users

I believe it started out with a Tor bundle that somebody made that had
three bridges pre-configured -- we found a torrc file along with an
unofficial Windows Tor bundle. At the beginning, those few bridges had
tens of thousands of users each, and that was it.

Since then, we've seen an enormous spike in automated connections to
https://bridges.torproject.org/ -- more than a million requests an hour.
Now just about every bridge that's given out via the https pool (as
opposed to the gmail pool or the reserve pool) is seeing many many
thousands of users from Italy and these other countries.

It seems clear that somebody's unofficial Tor bundle automatically grabs
some bridges for its users, and that this somebody didn't understand
the notion of being polite to a remote service -- I think each user is
hitting the bridges page roughly every 30 seconds.

We've taken steps to defend the bridgedb service from this overload. And
I can imagine further steps, like finally rolling out a captcha on that
page, to block people from using it like a remote API (which I always
thought was kind of a neat option). Or heck, just moving to a different
URL and abandoning that one.

But the question first is: what's going on? Can those of you near or in
these countries please ask around and try to get some answers?

I don't think it's a censoring adversary trying to collect the list of
bridges. For one, it's way overkill; for another, why use the bridges
afterwards?

I don't think it's malware or some automated botnet that happens to
use bridges -- if it were, we should be seeing spikes in well-connected
countries like Japan.

--Roger
