Network anomalies

Directory Authorities

1 2

Churn

Winter et al.3 proposed a way to measure churn in the Tor network by keeping track of relays between two consecutive consensuses. They calculate the churn rate due to newly joined relays separately from the rate caused by relays that left the network (p.5/6): the former is obtained by dividing the number of relays not available in the previous consensus by the number of relays in the current one, while the latter is the result of dividing the number of relays available in the previous consensus (but not the current one) by the number of relays in the previous one.

To detect changes in the underlying time series trend (flat hills), they smooth the churn rates using a moving average (p.6).

To find a good threshold for raising churn-related alerts, they investigate several candidate thresholds based on data from 2015 (p.11/12). It turns out that a threshold of 0.012 using a smoothing window size of 24h might be a reasonable starting point, as that would result in roughly one alert every other day, which is still possible to investigate.
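The calculation described above, written out as an added example (not code from Winter et al. or from the Tor Project). It assumes one consensus per hour, so that a 24h window is 24 consecutive values, a trailing simple moving average, and an alert whenever either smoothed rate exceeds the threshold; the function names and relay identifiers are constructed for illustration.

```python
from collections import deque

def churn_rates(prev, curr):
    """Churn between two consecutive consensuses (sets of relay IDs).

    new:  relays absent from the previous consensus / size of the current one
    gone: relays absent from the current consensus  / size of the previous one
    """
    new = len(curr - prev) / len(curr) if curr else 0.0
    gone = len(prev - curr) / len(prev) if prev else 0.0
    return new, gone

def churn_alerts(consensuses, window=24, threshold=0.012):
    """Return (index, smoothed_new, smoothed_gone) for each consensus whose
    smoothed churn exceeds the threshold. Nothing is emitted until the
    window is full, so a short history cannot raise an alert."""
    new_w, gone_w = deque(maxlen=window), deque(maxlen=window)
    alerts = []
    for i in range(1, len(consensuses)):
        new, gone = churn_rates(consensuses[i - 1], consensuses[i])
        new_w.append(new)
        gone_w.append(gone)
        if len(new_w) < window:
            continue
        s_new, s_gone = sum(new_w) / window, sum(gone_w) / window
        if s_new > threshold or s_gone > threshold:
            alerts.append((i, s_new, s_gone))
    return alerts

def constructed_sample():
    """Constructed data: 1000 stable relays for 26 hours, then 500 relays
    join at once and stay (30 hourly consensuses in total)."""
    base = {f"RELAY{n:04d}" for n in range(1000)}
    burst = {f"NEW{n:04d}" for n in range(500)}
    return [base] * 26 + [base | burst] * 4

if __name__ == "__main__":
    for i, s_new, s_gone in churn_alerts(constructed_sample()):
        print(f"consensus {i}: new={s_new:.4f} gone={s_gone:.4f}")
```

Because the rates are averaged over the window, a single burst keeps the smoothed rate elevated for as long as it remains inside the window, so one event produces a run of consecutive alerts rather than a single one.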

Implementation status

Churn according to Winter et al. is currently tracked in our Grafana setup4, although no reporting is configured yet for the case where the churn rates cross specified thresholds.

We do have unrelated tooling that takes care of large numbers of relays joining the network, though:

  • DocTor5: sends an alert to the tor-consensus-health mailing list6 when more than 50 relays have joined the network during the last hour.
  • general alerting infrastructure7: sends alerts with different priorities to the metrics-alerts mailing list8 based on
    • number of relays joining in the same country
      • > 50 over 1h (high)
      • > 50 over 24h (medium)
    • number of relays joining in the same autonomous system
      • > 50 over 1h (high)
      • > 50 over 24h (medium)
    • number of relays joining with the same flag
      • > 50 over 2h (medium)
    • number of relays joining with the same nickname prefix (5 characters)
      • > 10 over 2h (medium)
    • number of relays joining per contact information
      • > 10 over 2h (medium)

  1. Höller, Tobias et al.: Analyzing inconsistencies in the Tor consensus. In: Proc. iiWAS2021: The 23rd International Conference on Information Integration and Web Intelligence 2021, pp. 487-496.

  2. Zhongtang Luo et al.: Attacking and Improving the Tor Directory Protocol. In: Proceedings of the 45th IEEE Symposium on Security and Privacy, 2024, pp. 3221-3237.

  3. Winter, Philipp et al.: Identifying and characterizing Sybils in the Tor network. In: Proceedings of the 25th Usenix Security Symposium, 2016.

  4. See: https://grafana2.torproject.org/d/relays-cw-churn-lost-new/ and https://grafana2.torproject.org/d/churn_lost_new2/.

  5. https://gitlab.torproject.org/tpo/network-health/doctor.

  6. https://lists.torproject.org/mailman3/postorius/lists/tor-consensus-health.lists.torproject.org/.

  7. See: https://gitlab.torproject.org/tpo/tpa/prometheus-alerts and https://gitlab.torproject.org/tpo/network-health/metrics/monitoring-and-alerting.

  8. https://lists.torproject.org/mailman3/postorius/lists/metrics-alerts.lists.torproject.org/.