Opened 6 years ago

Closed 6 years ago

Last modified 5 years ago

#9653 closed defect (implemented)

Learn whether the botnet clients are doing v2 vs v3 link handshakes

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-relay
Cc:
Actual Points:
Parent ID: #9657
Points:
Reviewer:
Sponsor:

Description

We're not sure what version the two million new botnet clients are running. It might be Tor 0.2.2, in which case we can distinguish them by their link handshake version.

We have lines like

dirreq-v3-reqs us=56,fr=32,it=32,de=24,es=24,br=16,ru=16,ua=16,??=8,ar=8,at=8,au=8,bd=8,be=8,bj=8,ca=8,ch=8,co=8,cz=8,dz=8,eg=8,gb=8,ge=8,hk=8,id=8,ie=8,il=8,in=8,ir=8,is=8,jp=8,kr=8,lb=8,lt=8,lv=8,ma=8,md=8,mx=8,nl=8,no=8,ph=8,pl=8,ro=8,sa=8,se=8,sg=8,sy=8,tr=8,tw=8,ve=8
dirreq-v2-reqs

in extra info descriptors. We could add new similar lines for link handshakes. I worry about a few edge cases though, where there's one client left in the world using the v1 handshake, and somehow the exit relay can recognize it too, and now the guard node tells everybody that it's the guard for that client.

In any case, step one is to write a quick hack to count them up, for overloaded relay operators to run.

Attachments (1)

task-9653-moria1.png (62.7 KB) - added by karsten 6 years ago.
Link handshake versions seen by moria1

Change History (7)

comment:1 Changed 6 years ago by arma

Here's what moria1 saw the past few weeks:

Jul 21,2: 62206
Jul 21,3: 224212
Jul 21,4: 27151
Jul 22,2: 86096
Jul 22,3: 283511
Jul 22,4: 34524
Jul 23,2: 84227
Jul 23,3: 293425
Jul 23,4: 34488
Jul 24,2: 81765
Jul 24,3: 285076
Jul 24,4: 35410
Jul 25,2: 79394
Jul 25,3: 288675
Jul 25,4: 35417
Jul 26,2: 77626
Jul 26,3: 289154
Jul 26,4: 37640
Jul 27,2: 77086
Jul 27,3: 286725
Jul 27,4: 38826
Jul 28,2: 77958
Jul 28,3: 295656
Jul 28,4: 39039
Jul 29,2: 78053
Jul 29,3: 287968
Jul 29,4: 37526
Jul 30,2: 79460
Jul 30,3: 293127
Jul 30,4: 42302
Jul 31,2: 81492
Jul 31,3: 295472
Jul 31,4: 42425

Aug 01,2: 82405
Aug 01,3: 294653
Aug 01,4: 41192
Aug 02,2: 80841
Aug 02,3: 295262
Aug 02,4: 41349
Aug 03,2: 83814
Aug 03,3: 310445
Aug 03,4: 44485
Aug 04,2: 86149
Aug 04,3: 342685
Aug 04,4: 47049
Aug 05,2: 95813
Aug 05,3: 330629
Aug 05,4: 47927
Aug 06,2: 84819
Aug 06,3: 313313
Aug 06,4: 46083
Aug 07,2: 84917
Aug 07,3: 295535
Aug 07,4: 40402
Aug 08,2: 80770
Aug 08,3: 266404
Aug 08,4: 34852
Aug 09,2: 63203
Aug 09,3: 269369
Aug 09,4: 36659
Aug 10,2: 62638
Aug 10,3: 280872
Aug 10,4: 36736
Aug 11,2: 63844
Aug 11,3: 293634
Aug 11,4: 36424
Aug 12,2: 74986
Aug 12,3: 286471
Aug 12,4: 36707
Aug 13,2: 64824
Aug 13,3: 279132
Aug 13,4: 39700
Aug 14,2: 63520
Aug 14,3: 271643
Aug 14,4: 39180
Aug 15,2: 63388
Aug 15,3: 267476
Aug 15,4: 38891
Aug 16,2: 62872
Aug 16,3: 279317
Aug 16,4: 40047
Aug 17,2: 62261
Aug 17,3: 275285
Aug 17,4: 39829
Aug 18,2: 63911
Aug 18,3: 273754
Aug 18,4: 39848
Aug 19,2: 66507
Aug 19,3: 294001
Aug 19,4: 44662
Aug 20,2: 63302
Aug 20,3: 324115
Aug 20,4: 43809
Aug 21,2: 62838
Aug 21,3: 328170
Aug 21,4: 43831
Aug 22,2: 64110
Aug 22,3: 417116
Aug 22,4: 45379
Aug 23,2: 64032
Aug 23,3: 466446
Aug 23,4: 49330
Aug 24,2: 63219
Aug 24,3: 406818
Aug 24,4: 49360
Aug 25,2: 62657
Aug 25,3: 392968
Aug 25,4: 48832
Aug 26,2: 66051
Aug 26,3: 420282
Aug 26,4: 51043
Aug 27,2: 64457
Aug 27,3: 475714
Aug 27,4: 51249
Aug 28,2: 65786
Aug 28,3: 516095
Aug 28,4: 55662
Aug 29,2: 67409
Aug 29,3: 584132
Aug 29,4: 59524
Aug 30,2: 65481
Aug 30,3: 628906
Aug 30,4: 59044
Aug 31,2: 66945
Aug 31,3: 788500
Aug 31,4: 62062

Sep 01,2: 70535
Sep 01,3: 757951
Sep 01,4: 67511
Sep 02,2: 84058
Sep 02,3: 813246
Sep 02,4: 70983
Sep 03,2: 61396
Sep 03,3: 574812
Sep 03,4: 52118

comment:2 Changed 6 years ago by arma

Looks like our new mystery clients are running Tor 0.2.3.x using the v3 link handshake. How sad.
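
As an added example (not part of the ticket, and not the script that produced the numbers above), this Python code parses the `date,version: count` rows from comment:1 and computes which link handshake version accounts for the growth. The function names and the two-day comparison window are assumptions made for illustration.

```python
import re

# Rows copied from comment:1 (moria1): two early days, then the last two before Sep 03.
SAMPLE = """\
Jul 22,2: 86096
Jul 22,3: 283511
Jul 22,4: 34524
Jul 23,2: 84227
Jul 23,3: 293425
Jul 23,4: 34488
Sep 01,2: 70535
Sep 01,3: 757951
Sep 01,4: 67511
Sep 02,2: 84058
Sep 02,3: 813246
Sep 02,4: 70983
"""
ROW = re.compile(r"([A-Z][a-z]{2} \d{2}),(\d+):\s*(\d+)")

def parse_counts(text):
    """Return {day: {version: count}} in input order; reject malformed rows."""
    days = {}
    for raw in filter(None, map(str.strip, text.splitlines())):
        m = ROW.fullmatch(raw)
        if m is None:
            raise ValueError(f"unrecognised row: {raw!r}")
        days.setdefault(m[1], {})[int(m[2])] = int(m[3])
    return days

def version_shift(days, window=2):
    """Per version: (total over first `window` days, total over last, delta)."""
    order = list(days)
    if len(order) < 2 * window:
        raise ValueError("need at least 2*window days of data")
    shift = {}
    for v in sorted({v for d in days.values() for v in d}):
        base = sum(days[d].get(v, 0) for d in order[:window])
        recent = sum(days[d].get(v, 0) for d in order[-window:])
        shift[v] = (base, recent, recent - base)
    return shift

def growth_share(shift):
    """Fraction of all added handshakes attributable to each version."""
    added = sum(max(delta, 0) for _, _, delta in shift.values())
    return {v: max(d, 0) / added if added else 0.0 for v, (_, _, d) in shift.items()}

if __name__ == "__main__":
    shift = version_shift(parse_counts(SAMPLE))
    for v, share in growth_share(shift).items():
        print(f"v{v}: {shift[v][0]} -> {shift[v][1]}, {share:.1%} of the growth")
```

On these rows the v2 total falls slightly while v3 supplies roughly 93% of the added handshakes, which is the pattern comment:2 reads off the full table.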

comment:3 Changed 6 years ago by arma

Parent ID: #9657

Changed 6 years ago by karsten

Attachment: task-9653-moria1.png added

Link handshake versions seen by moria1

comment:4 Changed 6 years ago by karsten

Attached a graph of moria1's data.

comment:5 Changed 6 years ago by arma

Resolution: implemented
Status: new → closed
Summary: Count v2 vs v3 link handshakes at relays → Learn whether the botnet clients are doing v2 vs v3 link handshakes

I'm repurposing this ticket to the more precise thing we did with it. If we want to change later Tor relays to report this, we can do that later.

comment:6 Changed 5 years ago by arma

For posterity, here's another run, from Feb/Mar 2015:

Feb 22,2: 47203
Feb 22,3: 100912
Feb 22,4: 524078
Feb 23,2: 46098
Feb 23,3: 94292
Feb 23,4: 543469
Feb 24,2: 50065
Feb 24,3: 100005
Feb 24,4: 523193
Feb 25,2: 55229
Feb 25,3: 103894
Feb 25,4: 558955
Feb 26,2: 54989
Feb 26,3: 101710
Feb 26,4: 532618
Feb 27,2: 54026
Feb 27,3: 94889
Feb 27,4: 520761
Feb 28,2: 56391
Feb 28,3: 98093
Feb 28,4: 538264

Mar 01,2: 74628
Mar 01,3: 104423
Mar 01,4: 532302
Mar 02,2: 56577
Mar 02,3: 113165
Mar 02,4: 539597
Mar 03,2: 51958
Mar 03,3: 98862
Mar 03,4: 539481
Mar 04,2: 51818
Mar 04,3: 98661
Mar 04,4: 533369
Mar 05,2: 53652
Mar 05,3: 97283
Mar 05,4: 534328
Mar 06,2: 59036
Mar 06,3: 97601
Mar 06,4: 541571
Mar 07,2: 52434
Mar 07,3: 96433
Mar 07,4: 536922
Mar 08,2: 50032
Mar 08,3: 89048
Mar 08,4: 507547
Mar 09,2: 65650
Mar 09,3: 98722
Mar 09,4: 553253

Note that these numbers include all the relay reachability tests that moria1 does, too.