
United Arab Emirates goes from 10k Tor users to 250k in days - temp
https://metrics.torproject.org/userstats-relay-country.html?start=2016-10-23&end=2017-01-21&country=ae&events=off
======
benjojo12
I believe that tor metrics counts when a connection starts, not when a
connection is _established_

This is a important difference, because if there is active DPI that is
shutting down a connection before handshake can happen, it will inflate the
numbers massively.

I suspect what actually is happening is a ISP in UAE has deployed a DPI system
that can detect the Tor TLS signature

~~~
theptip
This sounds convincing, a 25-fold spike in real users seems unlikely.

If your theory is correct, then the title is slightly misleading.

~~~
scoot
And even if they were only counting successful connections, connections !=
users.

~~~
notyourwork
In the land of Tor can you distinguish the difference in any meaningful way? I
agree generally but I don't see how Tor could differentiate.

~~~
__s
You'd have to do an anonymous survey of 'do you use Tor?' & project from there

------
indice
The same rise was seen in Turkey last month. The phenomenon is caused by
failed reconnect due to DPI-based censorship. See Annex A:
[https://turkeyblocks.org/2016/12/18/tor-blocked-in-turkey-
vp...](https://turkeyblocks.org/2016/12/18/tor-blocked-in-turkey-vpn-ban/)

~~~
baseio
I don't think DPI is the answer here:

o In the case of Turkey, they had more than 10k direct users, the DPI-based
censorship yielded a 50k spike, that's a 1:5 ratio, whereas in the case of the
UAE it's a freaking 1:30 ratio and it doesn't stop from increasing.

o In the case of Turkey, the spike was followed by a spike in bridge use, most
using the obfs4 pluggable transport. There's however no such apparent spike
for UAE, in fact it's only a nearly constant 300 obfs4 users
[https://metrics.torproject.org/userstats-bridge-
combined.htm...](https://metrics.torproject.org/userstats-bridge-
combined.html?start=2017-01-13&end=2017-01-22&country=ae)

~~~
indice
Actually bridge use has just gone up like Turkey. It took a couple of days
after your comment for the UAE charts to get updated.

Wait a week more and we'll see if the same noisy zig-zag pattern appears in
unbridged connections that showed up in Turkey. That's the smoking gun.

------
blunte
What this really indicates, bot or not, is that once you educate people, they
will act in their self (and more importantly, self+others) interests.
Oppressive and controlling (controlling or controling, I can never decide)
regimes will try to prevent it. But it is like trying to prevent wind.

The wind will come. You must adapt and accept. And if you are against the
wind, you must change.

~~~
olalonde
I appreciate the poetry but blocking Tor is a lot easier than preventing the
wind and some governments (e.g. China) successfully do so.

~~~
blunte
Blocking Tor is one thing. But once people have made an effort to use Tor, you
have lost as a regime.

~~~
blunte
Holy shit! -4 to that? I don't mean to get all meta, but really I must be
further out of touch than I realized.

~~~
schoen
I didn't downvote you, but I can imagine two different reasons that people
might have done so:

(1) They want to emphasize that there are lots of reasons to use Tor other
than political dissidence and that Tor use should be normal or common for lots
of people in lots of situations.

(2) They feel like the role of tools like Tor in facilitating political
dissidence is overstated and that you were implying that Tor will be crucial
or extremely powerful in political conflict situations, rather than, say,
hopefully somewhat useful.

edit: (3) They feel like you're overstating how effective political dissidence
can be (because having public opinion turn against a government doesn't mean
that the government will lose power).

~~~
blunte
It's a matter of intent. If people are willing to try to get around
oppression, they have already indicated their intent to strive for better.
Maybe it takes a year, or 5, or 10, or more, but people will group and work
for freedom.

That is my point.

~~~
morsch
The same could be said for tyranny.

------
omginternets
Any chance this could be a state-sponsored attack aimed at correlating
traffic?

~~~
noobermin
Wouldn't a state-sponsored entity be smarter than routing all their traffic
through UAE such that it could receive attention on HN? I like the botnet
explanation better.

~~~
omginternets
I don't know, but I find that expediency is usually a very real concern in
such operations so it seems plausible for the UAE to cut corners and route
traffic in a convenient (though not covert) manner.

Moreover, they may wish to route traffic through nodes they control.

I understand your point, but then again, I don't see why a botnet would route
it's traffic through the UAE either.

~~~
libeclipse
It may be a botnet that's targeting users in the UAE, and therefore connecting
to the tor network from there.

------
Raed667
This also happened in Tunisia in 2013 [0]. We believe that it was a bot. [1]

[0] : [http://imgur.com/a/mjYsP](http://imgur.com/a/mjYsP)

[1] : [http://gizmodo.com/the-anonymous-internet-is-under-
attack-12...](http://gizmodo.com/the-anonymous-internet-is-under-
attack-1257343241)

~~~
Cyph0n
Interesting! But if this had happened pre-2011, I would have argued otherwise
:P

------
falloutx
The same graph with censorship events on:
[https://metrics.torproject.org/userstats-relay-
country.html?...](https://metrics.torproject.org/userstats-relay-
country.html?start=2016-10-23&end=2017-01-21&country=ae&events=on)

Just on the start the spike, there are many events. Though I don't know how to
find information on those events.

~~~
marksomnian
That's just statistical anomaly detection[0] of users connecting. Those may or
may not be actual censorship events.

[0]:
[https://research.torproject.org/techreports/detector-2011-09...](https://research.torproject.org/techreports/detector-2011-09-09.pdf)

------
Asdfbla
Just out of curiosity: How is Tor looking these days, security-wise? Does
someone have a recent analysis of the attacks Tor is facing from state-level
attackers currently? Just wondering if any new threats to Tor have come up in
the recent years that hadn't been considered before stuff like Snowden
happened.

~~~
tga_d
My impressions from the research community have been that the consensus is 1.
Using Tor is more private (and possibly more secure) than a VPN or nothing at
all, 2. Tor will not protect you from a targeted attack by a well-funded,
state-level adversary, 3. It may or may not defend you against more dragnet
types of attacks, depending on the state of the cat-and-mouse between offense
and defense (it most likely will protect you on any particular session, but
the more you use Tor, the more likely you'll use it while an attack is viable
in the wild).

So far though, the overwhelming majority of attacks on Tor users comes from
things that aren't Tor itself --- e.g. Firefox vulnerabilities, timing side-
channels on when the user was home, etc. Additionally, if you're not doing
anything illegal, you're less likely to be targeted on Tor. Not that this is
to say "if you're not doing something illegal you have nothing to hide!", just
that your adversaries are likely not powerful or motivated enough to target
you on Tor if what you're doing isn't illegal. Even in places like China,
where every attempt to block Tor is made, they typically don't spend much
effort in targeting those who do try to use Tor. This means if your motivation
for Tor is to do things like stop web site trackers, it's not only a good
option, it's probably the best available.

~~~
Asdfbla
Thanks for the detailed reply, that was kinda what I was interested in.

------
rmela
Looks like the UAE has outlawed use of torque, and is also using DPI to block
it, resulting in inflated numbers due to dropped connections and ensuing
attempted reconnects.

[https://trac.torproject.org/projects/tor/ticket/6246](https://trac.torproject.org/projects/tor/ticket/6246)

------
Jeaye
First thing that came to my mind was a botnet; it would be one of the easiest
ways to get a huge spike in Tor usage, I'd think.

~~~
lucb1e
Last time this happened it was indeed a botnet. I didn't read the article
(comments first) so maybe they already discussed that probability, but I find
it likely. A 25× increase is not something that happens overnight I'd say.

------
libeclipse
I can't find anything blatant in the news that would explain something like
this, especially of this magnitude.

I think it might be a botnet or something similar, although that's just
conjecture at this point.

~~~
allemagne
It roughly coincides with news about WhatsApp and the U.S. inauguration. Both
seem vaguely relevant but not very compelling or explanatory.

Why would a botnet be so centralized in the UAE? Seems like the opposite of
what you'd want if you could help it, so maybe they can't help it?

Some kind of state-sponsored test/attack against the Tor network seems like
the best explanation to me.

~~~
libeclipse
Well, a botnet that targeted users in the UAE would have a lot of tor network
" _users_ " showing from the UAE. Seems plausible to me.

------
elastic_church
The economic incentives over TOR have really improved TOR

I was pulling 800k/sec the other day, pretty surprised.

Some circuits are still slow. But I remember not that long ago (18 months?) it
was a miserable expereince

~~~
schoen
Which incentives are you referring to here?

~~~
elastic_church
The markets and cryptocurrency.

~~~
schoen
I haven't heard that these have led people to add more capacity to the Tor
network (although that's definitely plausible). Is there a public source for
this connection?

~~~
elastic_church
No source I can think of on top of my head, just the various efforts and
willingness to do so.

Basically open source volunteer projects fail pretty hard until an economic
incentive is added.

On another note, I2P has attempted several times to add a cryptocurrency to
its protocol layer.

------
nullrouten
It's possible that the geoIP records for a large IP block or set of IP blocks
has been corrected (or broken) to reflect UAE.

------
ajaimk
Protonmail added support for TOR this week but that can't be it

------
k-mcgrady
The linked page doesn't seem to have any info other than the stats. Can
someone explain the reason for the spike?

------
TheSageMage
If this is an attempt by the UAE to prevent TOR connections via DPI, who would
the primary target(s) be? I recognize that's an awkward question to ask of an
anonymized service like TOR, but who are the actors in the UAE who might use
TOR and why target them now?

------
foota
Could this be a result of the articles about a "backdoor" in whatsapp?

~~~
_xgw
I don't think so. The news about WhatsApp supposed backdoor was published on
the 13th:
[https://www.theguardian.com/technology/2017/jan/13/whatsapp-...](https://www.theguardian.com/technology/2017/jan/13/whatsapp-
backdoor-allows-snooping-on-encrypted-messages) and the uptick of UAE users
began around the 15th and the 16th: [https://metrics.torproject.org/userstats-
relay-country.html?...](https://metrics.torproject.org/userstats-relay-
country.html?start=2017-01-10&end=2017-01-21&country=ae&events=off) Wouldn't
there have been a more direct correlation between the 13th and the numbers of
users?

~~~
foota
I wouldn't be surprised if it took a couple days for people to switch over,
you'd need to talk to people you communIcate with before switching, for one.

------
aarontyree
Unless the massive uptick in Tor client connections can be correlated to a
massive uptick in Tor client downloads its not a societal event and is more
likely government sponsored.

------
farrokhi
Perhaps they accidentally lifted the blocking rules. Or it will drop as soon
as they upgrade their censorship software.

------
anaccountwow
It must be something that was posted on hacker news lately!

------
SCAQTony
Not that is possible to detect gender but I suspect the bulk of those users
are female since they are the most repressed.
[http://www.thenational.ae/business/telecoms/uae-top-for-
fema...](http://www.thenational.ae/business/telecoms/uae-top-for-female-
internet-use-in-gcc)

