sbws should send scanner metadata as part of every HTTP request

We can't find out which torflow instances are using a bandwidth server: https://lists.torproject.org/pipermail/tor-project/2018-December/002108.html

As far as I can tell, sbws doesn't provide any scanner info in its HTTP requests.

Here's some things we might want:

• software-name: sbws
• software-version
• scanner-nickname
• scanner-IP-address? (pro: doscover users who haven't set nickname, con: discover users)

Non-standard HTTP headers start with "X-".

Assigning to 1.0, because this is vital debugging info.

changed milestone to %sbws: 1.0.x-final

added component::core tor/sbws milestone::sbws: 1.0.x-final priority::medium resolution::fixed reviewer::dgoulet severity::normal status::closed type::defect labels

Non-standard HTTP headers start with "X-".

I thought RFC 6648 deprecated that convention?

Replying to iang:

Non-standard HTTP headers start with "X-".

I thought RFC 6648 deprecated that convention?

Thanks for letting us know.

Replying to teor:

Here's some things we might want:

• software-name: sbws
• software-version

These might be user-agent, unless requests sets its own user agent.

• scanner-nickname

I'm not sure if there is a generic HTTP header for a nickname or other client identifier.

• scanner-IP-address? (pro: discover users who haven't set nickname, con: discover users)

We should look for a generic HTTP header for the client IP address. sbws doesn't guarantee any anonymity, and discovering rogue scanners is more important than the risk of malicious servers using the IP address.

Assigning to 1.0, because this is vital debugging info.

Replying to teor:

Here's some things we might want:

• software-name: sbws
• software-version

These might be user-agent, unless requests sets its own user agent.

Python Requests allows to setup custom User-Agent (http://docs.python-requests.org/en/master/community/faq/#custom-user-agents)

So, this would be: User-Agent: sbws/x.y.z

• scanner-nickname

I'm not sure if there is a generic HTTP header for a nickname or other client identifier.

Can't find any in https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Standard_request_fields

Following https://tools.ietf.org/html/rfc6648#appendix-B ("incorporate the organization's name"), this could be: Tor-bwauth-Nickname:

• scanner-IP-address? (pro: discover users who haven't set nickname, con: discover users)

We should look for a generic HTTP header for the client IP address. sbws doesn't guarantee any anonymity, and discovering rogue scanners is more important than the risk of malicious servers using the IP address.

I also can't find any. It could be: Tor-bwauth-Address:

Replying to juga:

Replying to teor:

Here's some things we might want:

• software-name: sbws
• software-version

These might be user-agent, unless requests sets its own user agent.

Python Requests allows to setup custom User-Agent (http://docs.python-requests.org/en/master/community/faq/#custom-user-agents)

So, this would be: User-Agent: sbws/x.y.z

Ok.

• scanner-nickname

I'm not sure if there is a generic HTTP header for a nickname or other client identifier.

Can't find any in https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Standard_request_fields

Following https://tools.ietf.org/html/rfc6648#appendix-B ("incorporate the organization's name"), this could be: Tor-bwauth-Nickname:

Some tweaks:

Words are capitalised; Abbreviations are rarely used; It's a bandwidth scanner:

Tor-Bandwidth-Scanner-Nickname: IDidntEditTheConfig

• scanner-IP-address? (pro: discover users who haven't set nickname, con: discover users)

We should look for a generic HTTP header for the client IP address. sbws doesn't guarantee any anonymity, and discovering rogue scanners is more important than the risk of malicious servers using the IP address.

I also can't find any. It could be: Tor-bwauth-Address:

The standard proxy client address header is: Forwarded: for=192.0.2.1

Replying to teor:

sbws doesn't guarantee any anonymity, and discovering rogue scanners is more important than the risk of malicious servers using the IP address.

Thinking more this, i'm not totally convinced. If we find rogue scanners, are we going to try to contact them?. I'm also not sure if that might be a problem on the server side due data privacy laws. What about creating a random unique identifier the first time that it's saved locally so the scanner can always send the same?.

I thought it would be useful to have Tor version and library version in the user-agent too. I've added a uuid field for now. I can change it to IP address. The header would looks like: 'Tor-Bandwidth-Scanner-UUID': '4c0cf773-46d9-4633-9c3e-57a26b250be1', 'User-Agent': 'sbws/1.0.3-dev0 (kernel-version-platform-os) Python/x.y.z Requests/2.19.1 Stem/1.7.0 Tor/0.x.y.z (git-sha)' 'Tor-Bandwidth-Scanner-Nickname': 'foo'

https://github.com/torproject/sbws/pull/315

Ok, then we can block scanners if we need to.

Trac:
Status: new to needs_review

Trac:
Reviewer: N/A to dgoulet

lgtm;

Trac:
Status: needs_review to merge_ready

Merged

Trac:
Status: merge_ready to closed
Resolution: N/A to fixed

closed

mentioned in issue #29355 (moved)

mentioned in issue #29551 (moved)

moved to tpo/network-health/sbws#28741 (closed)

mentioned in issue tpo/network-health/sbws#29355 (moved)

mentioned in issue tpo/network-health/sbws#29551 (closed)

mentioned in issue tpo/network-health/onbasca#88 (closed)