Discovery of 26,483 Tor Bridges Located in China

I wrote a Python script that batch resolves Tor bridge IPs to ASN and country information.

Here is the code repository: GitHub - SexyOnion/tor_bridge_analyzer: Python script for bulk resolving ASN and country information of Tor bridge IPs

After running this script, I discovered 26,483 bridges located in China. Among them, I found IP addresses from the following organizations:

• Beijing Qihu Technology Company Limited (Qihoo 360 - Wikipedia)
• China Education and Research Network Center
• Computer Network Information Center of Chinese Academy of Sciences CNIC-CAS
• Chinese Academy of Social Sciences
• Beijing IQIYI Science & Technology Co., Ltd.
• Tsinghua University
• CERNET2 IX at University of Science and Technology of China
• CERNET2 IX at South China University of Technology
• CERNET2 IX at Zhejiang University
• CERNET2 IX at Xiamen University
• CERNET2 regional IX at Fuzhou University
• CERNET2 IX at Huazhong University of Science and Technology

JSON file: https://raw.githubusercontent.com/SexyOnion/tor_bridge_analyzer/refs/heads/main/example/china_tor_bridges.json

I believe that almost all of these 26,483 bridges are honeypots operated by the Chinese government.

(Same reply as Discovery of 26,483 Tor Bridges Located in China · Issue #478 · net4people/bbs · GitHub)

Thank you for your interest in Tor.
Upon reviewing the contents of the referenced sample files, it is evident that the majority of domestic proxies utilize the Snowflake protocol. Unlike other proxy protocols, Snowflake does not require an inbound TCP port to operate, allowing it to run on any network-connected device. As a result, individuals such as students or visitors can deploy these proxies without seeking approval from their institutions. Therefore, it is not reasonable to conclude that these proxies are operated by official entities based solely on their presence in institutional networks.
While proxies managed under institutional supervision may indeed carry a higher risk of being used as honeypots, the nature of a proxy cannot be accurately determined based solely on its IP address. Furthermore, should someone wish to operate a honeypot, they could just as easily do so using a foreign VPS. Consequently, relying exclusively on IP attribution to assess whether a proxy is a honeypot is of limited value.
Similarly, the fact that individuals who star related repositories on GitHub and those who operate Snowflake proxies may belong to the same academic institution simply suggests an interest in Tor and the operation of bridges. This, in itself, does not constitute conclusive evidence. Moreover, there is no indication in the user’s project list of any modified or custom versions of Snowflake.

(copied reply from: Discovery of 26,483 Tor Bridges Located in China · Issue #478 · net4people/bbs · GitHub)

Additionally, the dataset you’re referencing appears to be more of a historical archive rather than a real-time snapshot. It includes bridges and snowflake proxies that may no longer be active, so citing +26k running proxies is misleading. Check this paper’s Chapter 4.3 Proxy churn (which I am a author of). For snowflake, the proxies’ IP address will often changes from time to time. So it is very hard to say if the number listed will always be valid.

I agree that if Qihoo 360 does operate Snowflake proxy as an institution, it would look fishy. It should be noted that The IP address can change hand from time to time, so we might wants to align the time when the proxy was run, and the owner of IP at that time.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.