77 comments

[ 5.1 ms ] story [ 125 ms ] thread
The linked page doesn't seem to have any info other than the stats. Can someone explain the reason for the spike?
I can't find anything blatant in the news that would explain something like this, especially of this magnitude.

I think it might be a botnet or something similar, although that's just conjecture at this point.

It roughly coincides with news about WhatsApp and the U.S. inauguration. Both seem vaguely relevant but not very compelling or explanatory.

Why would a botnet be so centralized in the UAE? Seems like the opposite of what you'd want if you could help it, so maybe they can't help it?

Some kind of state-sponsored test/attack against the Tor network seems like the best explanation to me.

Well, a botnet that targeted users in the UAE would have a lot of tor network "users" showing from the UAE. Seems plausible to me.
Any chance this could be a state-sponsored attack aimed at correlating traffic?
This is probably the case. I don't think that there's any indication that UAE users are starting to use Tor en masse.
My guess is that this is a state sponsored attack that uses HTTP Injection at the ISP level to hack as much users as possible, and the C&C is most probably a hidden service that's why they also deployed Tor.
Wouldn't a state-sponsored entity be smarter than routing all their traffic through UAE such that it could receive attention on HN? I like the botnet explanation better.
I don't know, but I find that expediency is usually a very real concern in such operations so it seems plausible for the UAE to cut corners and route traffic in a convenient (though not covert) manner.

Moreover, they may wish to route traffic through nodes they control.

I understand your point, but then again, I don't see why a botnet would route it's traffic through the UAE either.

It may be a botnet that's targeting users in the UAE, and therefore connecting to the tor network from there.
(comment deleted)
Could this be a result of the articles about a "backdoor" in whatsapp?
I don't think so. The news about WhatsApp supposed backdoor was published on the 13th: https://www.theguardian.com/technology/2017/jan/13/whatsapp-... and the uptick of UAE users began around the 15th and the 16th: https://metrics.torproject.org/userstats-relay-country.html?... Wouldn't there have been a more direct correlation between the 13th and the numbers of users?
I wouldn't be surprised if it took a couple days for people to switch over, you'd need to talk to people you communIcate with before switching, for one.
(comment deleted)
Why would only people in the UAE react to those articles by using Tor en masse?
Protonmail added support for TOR this week but that can't be it
It must be something that was posted on hacker news lately!
Did they block pr0n there?
Even Skype was blocked in Abu Dhabi last time I was there.
Skype is currently only blocked over cellular networks. Voice calling using apps such as WhatsApp, Viber, and Telegram is completely blocked, even over regular internet links.

The TRA (https://www.tra.gov.ae/en/home.aspx) outlaws ISPs from allowing VoIP services. Obviously, the goal is to ensure that ISPs maximize their profits. Note that both ISPs - Etisalat and du - are majority government-owned.

I always wonder why Etisalat or Du even bother to give advertisements.
Earlier VPN (which is illegal) was required to make Skype->Phone calls, otherwise the calls gets disconnected immediately after the other guy picks up. From last few months Skype->Phone calls are working without VPN in Etisalat elife connection.
Yes, porn is blocked in the UAE. Most people use VPN to circumvent this.
First thing that came to my mind was a botnet; it would be one of the easiest ways to get a huge spike in Tor usage, I'd think.
Last time this happened it was indeed a botnet. I didn't read the article (comments first) so maybe they already discussed that probability, but I find it likely. A 25× increase is not something that happens overnight I'd say.
Just out of curiosity: How is Tor looking these days, security-wise? Does someone have a recent analysis of the attacks Tor is facing from state-level attackers currently? Just wondering if any new threats to Tor have come up in the recent years that hadn't been considered before stuff like Snowden happened.
Tor isn't safe from state-level attackers, as demonstrated by the Sybil attack launched by Carnegie Mellon the other year.
Do you have a link to the paper?

"Sybil attack" is a rather large category of attacks and I'm curious about the specifics of this particular one. In particular, certain vulnerabilities can still be prohibitively expensive for use in dragnet-surveillance.

Interesting and concerning. Thanks.
It's not concerning. The flaw was 1) only about hidden services, 2) was patched the next day it was released 3) The Tor Project have been doing some extraordinary work on creating a stronger and secure onion service infrastructure which will be deployed by hopefully mid-2017.
It's concerning that the paper was never released.
My impressions from the research community have been that the consensus is 1. Using Tor is more private (and possibly more secure) than a VPN or nothing at all, 2. Tor will not protect you from a targeted attack by a well-funded, state-level adversary, 3. It may or may not defend you against more dragnet types of attacks, depending on the state of the cat-and-mouse between offense and defense (it most likely will protect you on any particular session, but the more you use Tor, the more likely you'll use it while an attack is viable in the wild).

So far though, the overwhelming majority of attacks on Tor users comes from things that aren't Tor itself --- e.g. Firefox vulnerabilities, timing side-channels on when the user was home, etc. Additionally, if you're not doing anything illegal, you're less likely to be targeted on Tor. Not that this is to say "if you're not doing something illegal you have nothing to hide!", just that your adversaries are likely not powerful or motivated enough to target you on Tor if what you're doing isn't illegal. Even in places like China, where every attempt to block Tor is made, they typically don't spend much effort in targeting those who do try to use Tor. This means if your motivation for Tor is to do things like stop web site trackers, it's not only a good option, it's probably the best available.

Thanks for the detailed reply, that was kinda what I was interested in.
Malicious exit nodes still seem to be an issue one should be aware of, especially for unencrypted connections (http).
What this really indicates, bot or not, is that once you educate people, they will act in their self (and more importantly, self+others) interests. Oppressive and controlling (controlling or controling, I can never decide) regimes will try to prevent it. But it is like trying to prevent wind.

The wind will come. You must adapt and accept. And if you are against the wind, you must change.

I appreciate the poetry but blocking Tor is a lot easier than preventing the wind and some governments (e.g. China) successfully do so.
Blocking Tor is one thing. But once people have made an effort to use Tor, you have lost as a regime.
Holy shit! -4 to that? I don't mean to get all meta, but really I must be further out of touch than I realized.
I didn't downvote you, but I can imagine two different reasons that people might have done so:

(1) They want to emphasize that there are lots of reasons to use Tor other than political dissidence and that Tor use should be normal or common for lots of people in lots of situations.

(2) They feel like the role of tools like Tor in facilitating political dissidence is overstated and that you were implying that Tor will be crucial or extremely powerful in political conflict situations, rather than, say, hopefully somewhat useful.

edit: (3) They feel like you're overstating how effective political dissidence can be (because having public opinion turn against a government doesn't mean that the government will lose power).

It's a matter of intent. If people are willing to try to get around oppression, they have already indicated their intent to strive for better. Maybe it takes a year, or 5, or 10, or more, but people will group and work for freedom.

That is my point.

The same could be said for tyranny.
I don't know what this means. People in the U.S. use Tor, has it lost as a regime? What does "lost" mean in this context? Some moral authority? All moral authority? I think we can say that as governments do in fact continue to exist while their citizens use Tor, that the statement is sufficiently vague that it's meaningless.
China is also doing large-scale experiments with artifical changing of the weather, so...
>What this really indicates, bot or not, is that once you educate people, they will act in their self (and more importantly, self+others) interests.

That's an idealistic sentiment that's unfortunately not actually true. There are abundant examples if you look at politics or gambling.

Gambling is a (serious) game, where you're totally supposed to eat you neighbour to get on top.

Politics works on a heavily skewed sample of power-hungry people. Politicians are nothing like their people. Most are among the top 1%, which is a weird bunch: they are visible, powerful, don't have the same incentives, and don't live under the same social pressures as the rest of us.

The economic incentives over TOR have really improved TOR

I was pulling 800k/sec the other day, pretty surprised.

Some circuits are still slow. But I remember not that long ago (18 months?) it was a miserable expereince

Which incentives are you referring to here?
The markets and cryptocurrency.
I haven't heard that these have led people to add more capacity to the Tor network (although that's definitely plausible). Is there a public source for this connection?
No source I can think of on top of my head, just the various efforts and willingness to do so.

Basically open source volunteer projects fail pretty hard until an economic incentive is added.

On another note, I2P has attempted several times to add a cryptocurrency to its protocol layer.

I believe that tor metrics counts when a connection starts, not when a connection is _established_

This is a important difference, because if there is active DPI that is shutting down a connection before handshake can happen, it will inflate the numbers massively.

I suspect what actually is happening is a ISP in UAE has deployed a DPI system that can detect the Tor TLS signature

This sounds convincing, a 25-fold spike in real users seems unlikely.

If your theory is correct, then the title is slightly misleading.

And even if they were only counting successful connections, connections != users.
In the land of Tor can you distinguish the difference in any meaningful way? I agree generally but I don't see how Tor could differentiate.
You'd have to do an anonymous survey of 'do you use Tor?' & project from there
The title isn't misleading, "the estimated number of directly-connecting clients" is what is meant by "users".

I'm not very familiar with TOR, but does this reaffirm what OP is asking, that this might be DPI causing re-connections for TOR in UAE? If so is this a new policy of banning TOR, or is this just a recent ramp up in existing policy?

It is a little misleading. Misleading I think should be the correct word choice. It might not be incorrect, but it is misleading.

Another example that comes to mind is the Colorado newspaper headline that crime has "doubled" in the last decade. That leads a person down the train of thought that crime is out of control. In reality, it grew in proportion to the population. The headline, "Crime grows in proportion with population" doesn't evoke gasps and sales of your paper.

It's possible that the geoIP records for a large IP block or set of IP blocks has been corrected (or broken) to reflect UAE.
The same rise was seen in Turkey last month. The phenomenon is caused by failed reconnect due to DPI-based censorship. See Annex A: https://turkeyblocks.org/2016/12/18/tor-blocked-in-turkey-vp...
Turkey Blocks' research and terminal capture suggest each failed attempt causes about 100 broken Tor connections, explaining the spike in metrics where one would really expect a drop.
I don't think DPI is the answer here:

o In the case of Turkey, they had more than 10k direct users, the DPI-based censorship yielded a 50k spike, that's a 1:5 ratio, whereas in the case of the UAE it's a freaking 1:30 ratio and it doesn't stop from increasing.

o In the case of Turkey, the spike was followed by a spike in bridge use, most using the obfs4 pluggable transport. There's however no such apparent spike for UAE, in fact it's only a nearly constant 300 obfs4 users https://metrics.torproject.org/userstats-bridge-combined.htm...

Actually bridge use has just gone up like Turkey. It took a couple of days after your comment for the UAE charts to get updated.

Wait a week more and we'll see if the same noisy zig-zag pattern appears in unbridged connections that showed up in Turkey. That's the smoking gun.

Unless the massive uptick in Tor client connections can be correlated to a massive uptick in Tor client downloads its not a societal event and is more likely government sponsored.
If this is an attempt by the UAE to prevent TOR connections via DPI, who would the primary target(s) be? I recognize that's an awkward question to ask of an anonymized service like TOR, but who are the actors in the UAE who might use TOR and why target them now?
Perhaps they accidentally lifted the blocking rules. Or it will drop as soon as they upgrade their censorship software.