3 September 2011
Massive Automated Tor Bridge Requests: Why?
Date: Sat, 3 Sep 2011 04:39:53 -0400
From: Roger Dingledine <arma[at]mit.edu>
To: tor-talk[at]lists.torproject.org
Subject: [tor-talk] massive automated bridge requests: why?

Hi folks,

Over the past few months the number of bridge users has spiked, most prominently
in Italy, but also plenty in Spain, Brazil, Israel, and others.

https://metrics.torproject.org/users.html#bridge-users
https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-06-05&end=2011-09-03&country=it#bridge-users
https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-06-05&end=2011-09-03&country=es#bridge-users
https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-06-05&end=2011-09-03&country=br#bridge-users
https://metrics.torproject.org/users.html?graph=bridge-users&start=2011-06-05&end=2011-09-03&country=il#bridge-users

I believe it started out with a Tor bundle that somebody made that had three
bridges pre-configured -- we found a torrc file along with an unofficial
Windows Tor bundle. At the beginning, those few bridges had tens of thousands
of users each, and that was it.

Since then, we've seen an enormous spike in automated connections to
https://bridges.torproject.org/
-- more than a million requests an hour. Now just about every bridge that's
given out via the https pool (as opposed to the gmail pool or the reserve
pool) is seeing many many thousands of users from Italy and these other
countries.

It seems clear that somebody's unofficial Tor bundle automatically grabs
some bridges for its users, and that this somebody didn't understand the
notion of being polite to a remote service -- I think each user is hitting
the bridges page roughly every 30 seconds.

We've taken steps to defend the bridgedb service from this overload. And
I can imagine further steps, like finally rolling out a captcha on that page,
to block people from using it like a remote API (which I always thought was
kind of a neat option). Or heck, just moving to a different URL and abandoning
that one.

But the question first is: what's going on? Can those of you near or in these
countries please ask around and try to get some answers?

I don't think it's a censoring adversary trying to collect the list of bridges.
For one, it's way overkill; for another, why use the bridges afterwards?

I don't think it's malware or some automated botnet that happens to use bridges
-- if it were, we should be seeing spikes in well-connected countries like
Japan.

--Roger
_______________________________________________
tor-talk mailing list
tor-talk[at]lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk