Discovery of 26,483 Tor Bridges Located in China

Open SexyOnion opened this issue 7 months ago • 8 comments

I wrote a Python script that batch resolves Tor bridge IPs to ASN and country information.

Here is the code repository: https://github.com/SexyOnion/tor_bridge_analyzer

After running this script, I discovered 26,483 bridges located in China. Among them, I found IP addresses from the following organizations:

  • Beijing Qihu Technology Company Limited
  • China Education and Research Network Center
  • Computer Network Information Center of Chinese Academy of Sciences CNIC-CAS
  • Chinese Academy of Social Sciences
  • Beijing IQIYI Science & Technology Co., Ltd.
  • Tsinghua University
  • CERNET2 IX at University of Science and Technology of China
  • CERNET2 IX at South China University of Technology
  • CERNET2 IX at Zhejiang University
  • CERNET2 IX at Xiamen University
  • CERNET2 regional IX at Fuzhou University
  • CERNET2 IX at Huazhong University of Science and Technology

JSON file: https://raw.githubusercontent.com/SexyOnion/tor_bridge_analyzer/refs/heads/main/example/china_tor_bridges.json

I believe that almost all of these 26,483 bridges are honeypots operated by the Chinese government.

SexyOnion avatar May 26 '25 07:05 SexyOnion

An interesting detail: among the stargazers list of the Tor-Bridges-Collector repository, there's a student from Fuzhou University, and Fuzhou University's IP happens to be on the Tor China honeypot list I observed. What an interesting coincidence!

Page archive: https://web.archive.org/web/20250526104620/https://github.com/scriptzteam/Tor-Bridges-Collector/stargazers

https://web.archive.org/web/20250526104743/https://github.com/rabbit-friend

ghost avatar May 26 '25 10:05 ghost

(Machine translated from the author's Chinese original)

Thank you for your interest in Tor. Upon reviewing the contents of the referenced sample files, it is evident that the majority of domestic proxies utilize the Snowflake protocol. Unlike other proxy protocols, Snowflake does not require an inbound TCP port to operate, allowing it to run on any network-connected device. As a result, individuals such as students or visitors can deploy these proxies without seeking approval from their institutions. Therefore, it is not reasonable to conclude that these proxies are operated by official entities based solely on their presence in institutional networks. While proxies managed under institutional supervision may indeed carry a higher risk of being used as honeypots, the nature of a proxy cannot be accurately determined based solely on its IP address. Furthermore, should someone wish to operate a honeypot, they could just as easily do so using a foreign VPS. Consequently, relying exclusively on IP attribution to assess whether a proxy is a honeypot is of limited value. Similarly, the fact that individuals who star related repositories on GitHub and those who operate Snowflake proxies may belong to the same academic institution simply suggests an interest in Tor and the operation of bridges. This, in itself, does not constitute conclusive evidence. Moreover, there is no indication in the user's project list of any modified or custom versions of Snowflake.

xiaokangwang avatar May 26 '25 13:05 xiaokangwang

@xiaokangwang Thank you for your reply.

> I briefly looked at the content of the sample files linked, and I can see that the vast majority of domestic proxies are Snowflake protocol proxies. The difference from proxies of other protocols is that running Snowflake proxies does not require TCP inbound ports and can run on any networked device. Therefore, it can be run directly by students or visitors without needing approval from schools or institutions, so it cannot be concluded that running these proxies is official behavior.

Of course, students or visitors may indeed use campus networks to set up Snowflake bridges. However, considering that IP addresses from multiple domestic universities are running Snowflake bridges, I believe the possibility of being run by students is low. Moreover, students with the technical knowledge to run Snowflake bridges cannot possibly be unaware of the legal risks of conducting such activities on campus networks. Students with such technical skills would be more likely to use overseas VPS rather than running them on campus networks.

I found that the organizations running Snowflake bridges go far beyond Chinese universities, and even include network security companies like 360. Since 360 has close ties with the Chinese government, this proves it is very likely that these are honeypot bridges operated by the Chinese government.

There are a large number of Chinese IP addresses in the json file I published. I haven't analyzed each IP in detail yet, but if carefully analyzed, more evidence should be found to prove that the bridges among them are government-operated honeypots. If you don't trust the json files contained in my repository, you can run the scripts yourself to generate json files. Or go to the Tor Bridge Data Source Repository to download files and compare the corresponding IP addresses found in the json files I published.

Tor Bridge Data Source Repository: Tor-Bridges-Collector has a low probability of forged data, but if you don't trust this repository, you can also collect Tor bridge data yourself. Related article: https://www.hackerfactor.com/blog/index.php?/archives/892-Tor-0day-Finding-Bridges.html

> At the same time, the fact that people who starred on Github and people running Snowflake proxies are from the same school might just be someone paying attention to Tor and running bridges, which is not particularly decisive evidence. After all, their project list doesn't include modified versions of Snowflake either.

Regarding this matter, I haven't drawn any conclusions. It was just an incidental discovery while browsing the repository that I found interesting, so I archived and recorded it.

ghost avatar May 26 '25 14:05 ghost

Thanks @SexyOnion for taking time to reply my comment.

> However, considering that IP addresses from multiple domestic universities are running Snowflake bridges, I believe the possibility of being run by students is low.

I was unable to understand the logic behind this. There could be many students and visitors running proxies in different universities without having any connection with each other. I understand this could also be interpreted as the task of running Snowflake honeypots being assigned to different universities. However, unless proven otherwise, we might want to assume the Snowflake proxy operators have good intentions.

> Moreover, students with the technical knowledge to run Snowflake bridges cannot possibly be unaware of the legal risks of conducting such activities on campus networks.

I understand there are some risks in running Snowflake proxies. However, running a Snowflake proxy is very easy compared to running a Tor bridge, like installing a browser plugin. Bridges have distinct requirements; for example, they must be able to connect to Tor directory authorities and other Tor relays, which are blocked from China. Many non-technical users might also confuse running a Snowflake proxy with running a browser forwarder, and accidentally run a Snowflake proxy in the hope of bypassing censorship.

Additionally, the dataset you're referencing appears to be more of a historical archive rather than a real-time snapshot. It includes bridges and Snowflake proxies that may no longer be active, so citing 26k+ running proxies is misleading. Check this paper's Chapter 4.3, Proxy churn (which I am an author of). For Snowflake, the proxies' IP addresses will often change from time to time, so it is very hard to say whether the number listed will always be valid.

Lastly, it’s highly unlikely that censors would run enumeration infrastructure directly from Chinese IP space. More plausibly, they use VPS or hosting providers outside of China, which is a far more discreet and effective method.

> even include network security companies like 360.

I agree that if Qihoo 360 does operate a Snowflake proxy as an institution, it would look fishy. It should be noted that IP addresses can change hands from time to time, so we might want to align the time when the proxy was run with the owner of the IP at that time.

In summary, your report is interesting, but it does contain some flaws when it comes to outdated data and flawed assumptions. I am happy to learn what you have found out once these issues are resolved. (And thanks to Gus for contributing to this reply.)

xiaokangwang avatar May 26 '25 16:05 xiaokangwang
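As an added example (not code from the tor_bridge_analyzer repository or from anyone in this thread), the following Python script puts two points from the discussion above into runnable form: the batch IP-to-ASN/country mapping described in the opening post, and the distinction between "every IP ever archived" and "IPs present in the newest snapshot" that the proxy-churn objection turns on. The prefix table, ASNs, organisation names and bridge lines are constructed placeholders built on documentation address ranges; in real use the table would be replaced by a pyasn or MaxMind lookup, and the snapshots by dated copies of the collector's output.

```python
import ipaddress
from collections import Counter

# Constructed prefix table standing in for a pyasn or MaxMind ASN database.
# Prefixes are documentation ranges and the ASNs/org names are placeholders.
PREFIX_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "EXAMPLE-UNIVERSITY-A", "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "EXAMPLE-CLOUD-HOST", "US"),
    (ipaddress.ip_network("192.0.2.0/25"), 64502, "EXAMPLE-ISP", "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), 64503, "EXAMPLE-ISP-PARENT", "DE"),
]
# Longest prefix must win, so order the table most-specific first once.
PREFIX_TABLE.sort(key=lambda row: row[0].prefixlen, reverse=True)


def lookup(ip_str):
    """Return (asn, org, country) for the most specific matching prefix, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn, org, country in PREFIX_TABLE:
        if ip.version == net.version and ip in net:
            return asn, org, country
    return None


def parse_bridge_line(line):
    """Extract (transport, ip) from a 'transport host:port fingerprint ...' line.

    Handles bracketed IPv6 such as '[2001:db8::1]:443'; returns None when the
    line is malformed or the host is not a literal IP address.
    """
    parts = line.split()
    if len(parts) < 2:
        return None
    transport, hostport = parts[0], parts[1]
    if hostport.startswith("[") and "]" in hostport:
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return transport, host


def summarize(snapshots):
    """Count IPs per organisation two ways: cumulatively over every snapshot
    (what a historical archive yields) and for the newest snapshot only."""
    seen = {}  # ip -> set of snapshot dates in which it appeared
    for date, lines in snapshots.items():
        for line in lines:
            parsed = parse_bridge_line(line)
            if parsed is not None:
                seen.setdefault(parsed[1], set()).add(date)
    latest = max(snapshots)  # ISO dates sort correctly as strings

    def org_of(ip):
        hit = lookup(ip)
        return hit[1] if hit else "UNMAPPED"

    cumulative = Counter(org_of(ip) for ip in seen)
    current = Counter(org_of(ip) for ip, dates in seen.items() if latest in dates)
    stale = sum(1 for dates in seen.values() if latest not in dates)
    return {
        "latest_snapshot": latest,
        "cumulative_total": len(seen),
        "latest_total": sum(current.values()),
        "stale_fraction": stale / len(seen) if seen else 0.0,
        "cumulative_by_org": dict(cumulative),
        "latest_by_org": dict(current),
    }


# Constructed sample snapshots in the 'transport host:port fingerprint' shape of
# a Tor bridge line; fingerprints and cert values are placeholders.
SNAPSHOTS = {
    "2025-05-01": [
        "snowflake 203.0.113.10:443 FP-A",
        "snowflake 203.0.113.11:443 FP-B",
        "obfs4 198.51.100.5:8443 FP-C cert=placeholder iat-mode=0",
    ],
    "2025-05-26": [
        "snowflake 203.0.113.10:443 FP-A",
        "snowflake [2001:db8::1]:443 FP-D",
        "obfs4 192.0.2.7:443 FP-E cert=placeholder iat-mode=0",
        "not a bridge line",
    ],
}

if __name__ == "__main__":
    for key, value in summarize(SNAPSHOTS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary; the `stale_fraction` field is the share of archived addresses that are absent from the newest snapshot, which shows how far a cumulative count overstates what is currently running. Per-organisation counts are only as good as the ASN data's date, so a production version should pair each snapshot with an ASN database from the same period, for the reason given about IP ownership changing hands.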

Thanks to @xiaokangwang @gusgustavo, the information you provided is very useful ;-) You pointed out some logical flaws in my reasoning, and indeed there is no concrete evidence that the Chinese government is running these Snowflake proxies.

I acknowledge that the claim of 26,000+ active proxies is indeed misleading, and I have already modified the repository's readme to remove the potentially misleading parts.

Thanks again to all volunteers for the information provided. Best regards.

ghost avatar May 26 '25 19:05 ghost

Awesome! This is nice work. Have you considered using the pyasn library instead of the MaxMind GeoIP database for IP to ASN mapping?

qurbat avatar May 26 '25 19:05 qurbat

> Tor Bridges Located in China

In the Snowflake design, these IPs are not bridges but proxies; the current two Snowflake bridges, flakey and crusty, included in Tor Browser, are operated by the Tor Project.

These volunteer-run proxies currently connect to:

  • https://snowflake-broker.freehaven.net - the broker, for 'rendezvous' (clients and proxies to know each other).
  • https://snowflake.freehaven.net - the bridge, with WebSocket for actual data relaying.

These two freehaven.net domains are CNAMEs to torproject.net, whose nameserver is likewise ns1.torproject.org, which is already blocked by nationwide DNS hijacking; thus, no recursive resolver inside China can resolve them.

So, these 26,483 users must have configured something to not use their ISP's default resolver.

UjuiUjuMandan avatar May 27 '25 12:05 UjuiUjuMandan

BTW, @scriptzteam is just abusing the distribution system. Snowflake bridges (sic, actually proxies) are grabbed from the broker; the other bridges are manually requested from all public distributors, I suppose.

UjuiUjuMandan avatar May 27 '25 14:05 UjuiUjuMandan