My guess is that this is a state sponsored attack that uses HTTP Injection at the ISP level to hack as much users as possible, and the C&C is most probably a hidden service that's why they also deployed Tor.
Wouldn't a state-sponsored entity be smarter than routing all their traffic through UAE such that it could receive attention on HN? I like the botnet explanation better.
I don't know, but I find that expediency is usually a very real concern in such operations so it seems plausible for the UAE to cut corners and route traffic in a convenient (though not covert) manner.
Moreover, they may wish to route traffic through nodes they control.
I understand your point, but then again, I don't see why a botnet would route it's traffic through the UAE either.
I wouldn't be surprised if it took a couple days for people to switch over, you'd need to talk to people you communIcate with before switching, for one.
Skype is currently only blocked over cellular networks. Voice calling using apps such as WhatsApp, Viber, and Telegram is completely blocked, even over regular internet links.
The TRA (https://www.tra.gov.ae/en/home.aspx) outlaws ISPs from allowing VoIP services. Obviously, the goal is to ensure that ISPs maximize their profits. Note that both ISPs - Etisalat and du - are majority government-owned.
Earlier VPN (which is illegal) was required to make Skype->Phone calls, otherwise the calls gets disconnected immediately after the other guy picks up. From last few months Skype->Phone calls are working without VPN in Etisalat elife connection.
Last time this happened it was indeed a botnet. I didn't read the article (comments first) so maybe they already discussed that probability, but I find it likely. A 25× increase is not something that happens overnight I'd say.
Just out of curiosity: How is Tor looking these days, security-wise? Does someone have a recent analysis of the attacks Tor is facing from state-level attackers currently? Just wondering if any new threats to Tor have come up in the recent years that hadn't been considered before stuff like Snowden happened.
"Sybil attack" is a rather large category of attacks and I'm curious about the specifics of this particular one. In particular, certain vulnerabilities can still be prohibitively expensive for use in dragnet-surveillance.
It's not concerning. The flaw was 1) only about hidden services, 2) was patched the next day it was released 3) The Tor Project have been doing some extraordinary work on creating a stronger and secure onion service infrastructure which will be deployed by hopefully mid-2017.
My impressions from the research community have been that the consensus is 1. Using Tor is more private (and possibly more secure) than a VPN or nothing at all, 2. Tor will not protect you from a targeted attack by a well-funded, state-level adversary, 3. It may or may not defend you against more dragnet types of attacks, depending on the state of the cat-and-mouse between offense and defense (it most likely will protect you on any particular session, but the more you use Tor, the more likely you'll use it while an attack is viable in the wild).
So far though, the overwhelming majority of attacks on Tor users comes from things that aren't Tor itself --- e.g. Firefox vulnerabilities, timing side-channels on when the user was home, etc. Additionally, if you're not doing anything illegal, you're less likely to be targeted on Tor. Not that this is to say "if you're not doing something illegal you have nothing to hide!", just that your adversaries are likely not powerful or motivated enough to target you on Tor if what you're doing isn't illegal. Even in places like China, where every attempt to block Tor is made, they typically don't spend much effort in targeting those who do try to use Tor. This means if your motivation for Tor is to do things like stop web site trackers, it's not only a good option, it's probably the best available.
What this really indicates, bot or not, is that once you educate people, they will act in their self (and more importantly, self+others) interests. Oppressive and controlling (controlling or controling, I can never decide) regimes will try to prevent it. But it is like trying to prevent wind.
The wind will come. You must adapt and accept. And if you are against the wind, you must change.
I didn't downvote you, but I can imagine two different reasons that people might have done so:
(1) They want to emphasize that there are lots of reasons to use Tor other than political dissidence and that Tor use should be normal or common for lots of people in lots of situations.
(2) They feel like the role of tools like Tor in facilitating political dissidence is overstated and that you were implying that Tor will be crucial or extremely powerful in political conflict situations, rather than, say, hopefully somewhat useful.
edit: (3) They feel like you're overstating how effective political dissidence can be (because having public opinion turn against a government doesn't mean that the government will lose power).
It's a matter of intent. If people are willing to try to get around oppression, they have already indicated their intent to strive for better. Maybe it takes a year, or 5, or 10, or more, but people will group and work for freedom.
I don't know what this means. People in the U.S. use Tor, has it lost as a regime? What does "lost" mean in this context? Some moral authority? All moral authority? I think we can say that as governments do in fact continue to exist while their citizens use Tor, that the statement is sufficiently vague that it's meaningless.
Gambling is a (serious) game, where you're totally supposed to eat you neighbour to get on top.
Politics works on a heavily skewed sample of power-hungry people. Politicians are nothing like their people. Most are among the top 1%, which is a weird bunch: they are visible, powerful, don't have the same incentives, and don't live under the same social pressures as the rest of us.
I haven't heard that these have led people to add more capacity to the Tor network (although that's definitely plausible). Is there a public source for this connection?
I believe that tor metrics counts when a connection starts, not when a connection is _established_
This is a important difference, because if there is active DPI that is shutting down a connection before handshake can happen, it will inflate the numbers massively.
I suspect what actually is happening is a ISP in UAE has deployed a DPI system that can detect the Tor TLS signature
The title isn't misleading, "the estimated number of directly-connecting clients" is what is meant by "users".
I'm not very familiar with TOR, but does this reaffirm what OP is asking, that this might be DPI causing re-connections for TOR in UAE? If so is this a new policy of banning TOR, or is this just a recent ramp up in existing policy?
It is a little misleading. Misleading I think should be the correct word choice. It might not be incorrect, but it is misleading.
Another example that comes to mind is the Colorado newspaper headline that crime has "doubled" in the last decade. That leads a person down the train of thought that crime is out of control. In reality, it grew in proportion to the population. The headline, "Crime grows in proportion with population" doesn't evoke gasps and sales of your paper.
Turkey Blocks' research and terminal capture suggest each failed attempt causes about 100 broken Tor connections, explaining the spike in metrics where one would really expect a drop.
o In the case of Turkey, they had more than 10k direct users, the DPI-based censorship yielded a 50k spike, that's a 1:5 ratio, whereas in the case of the UAE it's a freaking 1:30 ratio and it doesn't stop from increasing.
o In the case of Turkey, the spike was followed by a spike in bridge use, most using the obfs4 pluggable transport. There's however no such apparent spike for UAE, in fact it's only a nearly constant 300 obfs4 users https://metrics.torproject.org/userstats-bridge-combined.htm...
Unless the massive uptick in Tor client connections can be correlated to a massive uptick in Tor client downloads its not a societal event and is more likely government sponsored.
If this is an attempt by the UAE to prevent TOR connections via DPI, who would the primary target(s) be? I recognize that's an awkward question to ask of an anonymized service like TOR, but who are the actors in the UAE who might use TOR and why target them now?
Looks like the UAE has outlawed use of torque, and is also using DPI to block it, resulting in inflated numbers due to dropped connections and ensuing attempted reconnects.
77 comments
[ 5.1 ms ] story [ 125 ms ] threadI think it might be a botnet or something similar, although that's just conjecture at this point.
Why would a botnet be so centralized in the UAE? Seems like the opposite of what you'd want if you could help it, so maybe they can't help it?
Some kind of state-sponsored test/attack against the Tor network seems like the best explanation to me.
Moreover, they may wish to route traffic through nodes they control.
I understand your point, but then again, I don't see why a botnet would route it's traffic through the UAE either.
The TRA (https://www.tra.gov.ae/en/home.aspx) outlaws ISPs from allowing VoIP services. Obviously, the goal is to ensure that ISPs maximize their profits. Note that both ISPs - Etisalat and du - are majority government-owned.
Just on the start the spike, there are many events. Though I don't know how to find information on those events.
[0]: https://research.torproject.org/techreports/detector-2011-09...
[0] : http://imgur.com/a/mjYsP
[1] : http://gizmodo.com/the-anonymous-internet-is-under-attack-12...
"Sybil attack" is a rather large category of attacks and I'm curious about the specifics of this particular one. In particular, certain vulnerabilities can still be prohibitively expensive for use in dragnet-surveillance.
So far though, the overwhelming majority of attacks on Tor users comes from things that aren't Tor itself --- e.g. Firefox vulnerabilities, timing side-channels on when the user was home, etc. Additionally, if you're not doing anything illegal, you're less likely to be targeted on Tor. Not that this is to say "if you're not doing something illegal you have nothing to hide!", just that your adversaries are likely not powerful or motivated enough to target you on Tor if what you're doing isn't illegal. Even in places like China, where every attempt to block Tor is made, they typically don't spend much effort in targeting those who do try to use Tor. This means if your motivation for Tor is to do things like stop web site trackers, it's not only a good option, it's probably the best available.
The wind will come. You must adapt and accept. And if you are against the wind, you must change.
(1) They want to emphasize that there are lots of reasons to use Tor other than political dissidence and that Tor use should be normal or common for lots of people in lots of situations.
(2) They feel like the role of tools like Tor in facilitating political dissidence is overstated and that you were implying that Tor will be crucial or extremely powerful in political conflict situations, rather than, say, hopefully somewhat useful.
edit: (3) They feel like you're overstating how effective political dissidence can be (because having public opinion turn against a government doesn't mean that the government will lose power).
That is my point.
That's an idealistic sentiment that's unfortunately not actually true. There are abundant examples if you look at politics or gambling.
Politics works on a heavily skewed sample of power-hungry people. Politicians are nothing like their people. Most are among the top 1%, which is a weird bunch: they are visible, powerful, don't have the same incentives, and don't live under the same social pressures as the rest of us.
I was pulling 800k/sec the other day, pretty surprised.
Some circuits are still slow. But I remember not that long ago (18 months?) it was a miserable expereince
Basically open source volunteer projects fail pretty hard until an economic incentive is added.
On another note, I2P has attempted several times to add a cryptocurrency to its protocol layer.
This is a important difference, because if there is active DPI that is shutting down a connection before handshake can happen, it will inflate the numbers massively.
I suspect what actually is happening is a ISP in UAE has deployed a DPI system that can detect the Tor TLS signature
If your theory is correct, then the title is slightly misleading.
I'm not very familiar with TOR, but does this reaffirm what OP is asking, that this might be DPI causing re-connections for TOR in UAE? If so is this a new policy of banning TOR, or is this just a recent ramp up in existing policy?
Another example that comes to mind is the Colorado newspaper headline that crime has "doubled" in the last decade. That leads a person down the train of thought that crime is out of control. In reality, it grew in proportion to the population. The headline, "Crime grows in proportion with population" doesn't evoke gasps and sales of your paper.
And for Turkey: https://metrics.torproject.org/userstats-relay-country.html?...
o In the case of Turkey, they had more than 10k direct users, the DPI-based censorship yielded a 50k spike, that's a 1:5 ratio, whereas in the case of the UAE it's a freaking 1:30 ratio and it doesn't stop from increasing.
o In the case of Turkey, the spike was followed by a spike in bridge use, most using the obfs4 pluggable transport. There's however no such apparent spike for UAE, in fact it's only a nearly constant 300 obfs4 users https://metrics.torproject.org/userstats-bridge-combined.htm...
Wait a week more and we'll see if the same noisy zig-zag pattern appears in unbridged connections that showed up in Turkey. That's the smoking gun.
https://trac.torproject.org/projects/tor/ticket/6246