[tor-relays] Odd network activity

I see on every exit node I check on the metrics page, a massive bump in bandwidth used without a change in exit probability. Is this perhaps an attacker squeezing the bandwidth of the network so people are more likely to use their malicious nodes?

awffelwaffels via tor-relays:

I see on every exit node I check on the metrics page, a massive bump in bandwidth used without a change in exit probability. Is this perhaps an attacker squeezing the bandwidth of the network so people are more likely to use their malicious nodes?

You could mail the bad-relays mailing list with your findings, so the bad-relays team can investigate further.

Sure, I mean it's bad traffic not bad relays but sure.

···

------- Original Message -------

On Thursday, March 3rd, 2022 at 10:10 PM, Georg Koppen <gk@torproject.org> wrote:

awffelwaffels via tor-relays:

> I see on every exit node I check on the metrics page, a massive bump in bandwidth used without a change in exit probability. Is this perhaps an attacker squeezing the bandwidth of the network so people are more likely to use their malicious nodes?

You could mail the bad-relays mailing list with your findings, so the

bad-relays team can investigate further.

_______________________________________________

tor-relays mailing list

tor-relays@lists.torproject.org

tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Hi

[..]
ffelwaffels via tor-relays:

I see on every exit node I check on the metrics page, a massive bump in bandwidth used without a change in exit probability. Is this perhaps an attacker squeezing the bandwidth of the network so people are more likely to use their malicious nodes?

[..]

Do you mean behavior like the following?

Feb. 25-26.: FDAA4F76F778215F02B0B02DCE8E8504179BCDC6
Cross-check: tor traffic (Munin :: par.exit.tor.loki.tel :: 12.par.exit.tor.loki.tel :: tor traffic)

Feb. 25-26.: FDAA4F76F778215F02B0B02DCE8E8504179BCDC6
Cross-check: tor traffic (Munin :: vie.exit.tor.loki.tel :: 04.vie.exit.tor.loki.tel :: tor traffic)

I am not sure about this either. But I can't confirm this increase in my Munin graphs or on the server itself.

···

On 3/3/22 21:12, awffelwaffels via tor-relays wrote:

--
Martin

Hello there.

I see on every exit node I check on the metrics page, a massive bump
in bandwidth used without a change in exit probability.

I just checked the metrics page for the relay I operate
(791E637A38C715336290E8AC0EB6C99BD02A5F0E) and I noticed a bump similar
to the one from FDAA4F76F778215F02B0B02DCE8E8504179BCDC6. However, my
relay is not and has never been an exit relay. Also, it looks like the
data changed retroactively: I usually check the metrics about once a
day and I'm sure I would have noticed the peak of 26/02 the day after -
I mean, it is a more than x3 increment from the day before (that also
had the highest value ever until then).
Should I worry about that? And should I report my own relay to
the bad-relays mailing list?
Thanks for the help.

Eldali√ę

···

On Thu, 03 Mar 2022 19:01:37 +0000 awffelwaffels via tor-relays <tor-relays@lists.torproject.org> wrote:

I see on every exit node I check on the metrics page, a massive bump
in bandwidth used without a change in exit probability. Is this
perhaps an attacker squeezing the bandwidth of the network so people
are more likely to use their malicious nodes?

--
Eldali√ę
My private key is attached. Please, use it and provide me yours!

(Attachment 7CE7571174A1961293D0CEF91EACF195B8F3D922.asc is missing)

Eldali√ę via tor-relays:

Hello there.

I see on every exit node I check on the metrics page, a massive bump
in bandwidth used without a change in exit probability.

I just checked the metrics page for the relay I operate
(791E637A38C715336290E8AC0EB6C99BD02A5F0E) and I noticed a bump similar
to the one from FDAA4F76F778215F02B0B02DCE8E8504179BCDC6. However, my
relay is not and has never been an exit relay. Also, it looks like the
data changed retroactively: I usually check the metrics about once a
day and I'm sure I would have noticed the peak of 26/02 the day after -
I mean, it is a more than x3 increment from the day before (that also
had the highest value ever until then).
Should I worry about that? And should I report my own relay to
the bad-relays mailing list?

No, it's fine. I am not sure yet what the problem is but I suspect it's a bug in one of our recent code changes. See:

Graphs for multiple relays that have the same fingerprint (#40022) · Issues · The Tor Project / Network Health / Metrics / Onionoo · GitLab

for more details. We've reverted that change for now and things should normalize again assuming the traffic increase you see is indeed related to it.

Georg

···

Thanks for the help.

Eldali√ę

On Thu, 03 Mar 2022 19:01:37 +0000 > awffelwaffels via tor-relays <tor-relays@lists.torproject.org> wrote:

I see on every exit node I check on the metrics page, a massive bump
in bandwidth used without a change in exit probability. Is this
perhaps an attacker squeezing the bandwidth of the network so people
are more likely to use their malicious nodes?

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

1 Like

Hi,

This was a bug that was briefly introduced between yesterday afternoon and early morning today (UTC times). I have reverted the commit this morning around 5.00 AM (UTC) so you should start seeing your graphs back to normal.

Thanks for noticing and apologies for that.

Cheers,

-hiro

···

On 3/3/22 20:01, awffelwaffels via tor-relays wrote:

I see on every exit node I check on the metrics page, a massive bump in bandwidth used without a change in exit probability. Is this perhaps an attacker squeezing the bandwidth of the network so people are more likely to use their malicious nodes?

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Thanks very much. The anomalous peaks disappeared for most of the days
indeed, it remained only for 26/02.

Eldali√ę

···

On Fri, 4 Mar 2022 07:26:26 +0000 Georg Koppen <gk@torproject.org> wrote:

Eldali√ę via tor-relays:
> Hello there.
>
>> I see on every exit node I check on the metrics page, a massive
>> bump in bandwidth used without a change in exit probability.
>
> I just checked the metrics page for the relay I operate
> (791E637A38C715336290E8AC0EB6C99BD02A5F0E) and I noticed a bump
> similar to the one from FDAA4F76F778215F02B0B02DCE8E8504179BCDC6.
> However, my relay is not and has never been an exit relay. Also, it
> looks like the data changed retroactively: I usually check the
> metrics about once a day and I'm sure I would have noticed the peak
> of 26/02 the day after - I mean, it is a more than x3 increment
> from the day before (that also had the highest value ever until
> then). Should I worry about that? And should I report my own relay
> to the bad-relays mailing list?

No, it's fine. I am not sure yet what the problem is but I suspect
it's a bug in one of our recent code changes. See:

Graphs for multiple relays that have the same fingerprint (#40022) · Issues · The Tor Project / Network Health / Metrics / Onionoo · GitLab

for more details. We've reverted that change for now and things
should normalize again assuming the traffic increase you see is
indeed related to it.

Georg

> Thanks for the help.
>
> Eldali√ę
>
>
> On Thu, 03 Mar 2022 19:01:37 +0000 > > awffelwaffels via tor-relays <tor-relays@lists.torproject.org> > > wrote:
>
>> I see on every exit node I check on the metrics page, a massive
>> bump in bandwidth used without a change in exit probability. Is
>> this perhaps an attacker squeezing the bandwidth of the network so
>> people are more likely to use their malicious nodes?
>
>
>
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> tor-relays Info Page

--
Eldali√ę
My private key is attached. Please, use it and provide me yours!

(Attachment 7CE7571174A1961293D0CEF91EACF195B8F3D922.asc is missing)

Thanks very much. The anomalous peaks disappeared for most of the days
indeed, it remained only for 26/02.

Yes, working to fix the bump for 26/02.

-hiro

···

On 4/3/22 11:40, Eldali√ę via tor-relays wrote:

Eldali√ę

On Fri, 4 Mar 2022 07:26:26 +0000 > Georg Koppen <gk@torproject.org> wrote:

Eldali√ę via tor-relays:

Hello there.

I see on every exit node I check on the metrics page, a massive
bump in bandwidth used without a change in exit probability.

I just checked the metrics page for the relay I operate
(791E637A38C715336290E8AC0EB6C99BD02A5F0E) and I noticed a bump
similar to the one from FDAA4F76F778215F02B0B02DCE8E8504179BCDC6.
However, my relay is not and has never been an exit relay. Also, it
looks like the data changed retroactively: I usually check the
metrics about once a day and I'm sure I would have noticed the peak
of 26/02 the day after - I mean, it is a more than x3 increment
from the day before (that also had the highest value ever until
then). Should I worry about that? And should I report my own relay
to the bad-relays mailing list?

No, it's fine. I am not sure yet what the problem is but I suspect
it's a bug in one of our recent code changes. See:

  Graphs for multiple relays that have the same fingerprint (#40022) · Issues · The Tor Project / Network Health / Metrics / Onionoo · GitLab

for more details. We've reverted that change for now and things
should normalize again assuming the traffic increase you see is
indeed related to it.

Georg

Thanks for the help.

Eldali√ę

On Thu, 03 Mar 2022 19:01:37 +0000 >>> awffelwaffels via tor-relays <tor-relays@lists.torproject.org> >>> wrote:

I see on every exit node I check on the metrics page, a massive
bump in bandwidth used without a change in exit probability. Is
this perhaps an attacker squeezing the bandwidth of the network so
people are more likely to use their malicious nodes?

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Hi all,

I can now confirm the data has been restored and no relay or bridge should exhibit any bump in traffic due to this but.

Cheers,

-hiro

···

On 4/3/22 15:11, Silvia/Hiro wrote:

On 4/3/22 11:40, Eldali√ę via tor-relays wrote:

Thanks very much. The anomalous peaks disappeared for most of the days
indeed, it remained only for 26/02.

Yes, working to fix the bump for 26/02.

-hiro

Eldali√ę

On Fri, 4 Mar 2022 07:26:26 +0000 >> Georg Koppen <gk@torproject.org> wrote:

Eldali√ę via tor-relays:

Hello there.

I see on every exit node I check on the metrics page, a massive
bump in bandwidth used without a change in exit probability.

I just checked the metrics page for the relay I operate
(791E637A38C715336290E8AC0EB6C99BD02A5F0E) and I noticed a bump
similar to the one from FDAA4F76F778215F02B0B02DCE8E8504179BCDC6.
However, my relay is not and has never been an exit relay. Also, it
looks like the data changed retroactively: I usually check the
metrics about once a day and I'm sure I would have noticed the peak
of 26/02 the day after - I mean, it is a more than x3 increment
from the day before (that also had the highest value ever until
then). Should I worry about that? And should I report my own relay
to the bad-relays mailing list?

No, it's fine. I am not sure yet what the problem is but I suspect
it's a bug in one of our recent code changes. See:

Graphs for multiple relays that have the same fingerprint (#40022) · Issues · The Tor Project / Network Health / Metrics / Onionoo · GitLab

for more details. We've reverted that change for now and things
should normalize again assuming the traffic increase you see is
indeed related to it.

Georg

Thanks for the help.

Eldali√ę

On Thu, 03 Mar 2022 19:01:37 +0000 >>>> awffelwaffels via tor-relays <tor-relays@lists.torproject.org> >>>> wrote:

I see on every exit node I check on the metrics page, a massive
bump in bandwidth used without a change in exit probability. Is
this perhaps an attacker squeezing the bandwidth of the network so
people are more likely to use their malicious nodes?

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 Like