Hi friends,
I have been operating a webtunnel bridge for a little over a month. After a long time without any traffic at all, suddenly I see a spike in the average number of connected clients. Weirdly, the graph on Relay Search shows almost 3x as much data downloaded as received (see screenshot).
Looking at other WebTunnel bridges on Relay Search, this does not appear to be normal. What do you think is going on? Is this something I should be concerned about?
Other info:
OpenBSD 7.5 (current) running Tor 0.4.12
WebTunnel compiled from source
Interesting that this started the day after the OpenSSH vulnerability was reported. Coincidence? The exploit requires thousands of connection attempts over the course of hours or days to work (source). Could someone be trying this?
I do not keep firewall logs, to help users maintain anonymity in case of a security breach, so there are no logs to review. I thought about running tcpdump for perhaps a few minutes or hours to get an idea of what might be going on, but I haven’t had time yet (other stuff going on in my life).
Running Nyx, I can see the bridge has ~500 outgoing connections to other relays, which in my experience running Obfs4 bridges is normal when there are users connected. I can also clearly see in the live graphs that there is more being downloaded than uploaded, confirming this is a real thing and not an error on the part of the Relay Search. Heartbeat messages also show an increase in connected clients, consistent with the Relay Search graphs.
The only other time I have seen this phenomenon is when I connect to one of my own Obfs4 bridges from within my home network (they are on a dedicated VLAN on my home network).
I would love to hear if anyone else has seen something like this, or ideas about what could be happening, or steps I should take.
Thanks for your help!
T
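As an added example (not part of the original post, and not Tor Project code), here is a small Python script an operator can run over the bridge's notice-level log to put a number on the asymmetry described above. Tor's heartbeat notices carry only aggregate counters (cumulative bytes sent/received since startup, open circuits, and on bridges the count of unique clients since the last heartbeat), so they can be examined without keeping per-client logs. The script turns consecutive heartbeats into per-interval deltas, computes the received-to-sent ratio, and flags intervals where one direction exceeds the other by a threshold. The log lines below are constructed samples in the shape of Tor's heartbeat messages, and the 2:1 flag threshold is an assumption; a relay that only forwards traffic should see roughly equal bytes in each direction per interval, so a sustained ratio near 3 stands out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not taken from the post or from any real relay).
SAMPLE_LOG = """\
Jul 01 00:00:00.000 [notice] Heartbeat: Tor's uptime is 30 days 0:00 hours, with 0 circuits open. I've sent 1.20 GB and received 1.25 GB.
Jul 01 00:00:00.000 [notice] Heartbeat: Since last heartbeat message, I have seen 2 unique clients.
Jul 02 00:00:00.000 [notice] Heartbeat: Tor's uptime is 31 days 0:00 hours, with 12 circuits open. I've sent 1.30 GB and received 1.35 GB.
Jul 02 00:00:00.000 [notice] Heartbeat: Since last heartbeat message, I have seen 3 unique clients.
Jul 03 00:00:00.000 [notice] Heartbeat: Tor's uptime is 32 days 0:00 hours, with 480 circuits open. I've sent 1.40 GB and received 1.65 GB.
Jul 03 00:00:00.000 [notice] Heartbeat: Since last heartbeat message, I have seen 41 unique clients.
"""

_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4}

_TS = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \[notice\] Heartbeat: "
_TRAFFIC_RE = re.compile(
    _TS + r"Tor's uptime is .*?, with (?P<circuits>\d+) circuits open\. "
    r"I've sent (?P<sent>[\d.]+ [kMGT]?B) and received (?P<recv>[\d.]+ [kMGT]?B)\."
)
_CLIENTS_RE = re.compile(
    _TS + r"Since last heartbeat message, I have seen (?P<clients>\d+) unique clients\."
)


def parse_size(text: str) -> int:
    """Convert a human-readable size such as '1.20 GB' or '12 kB' to bytes."""
    num, unit = text.split()
    return int(float(num) * _UNITS[unit.lower()])


@dataclass
class Heartbeat:
    ts: str
    circuits: int
    sent: int                       # cumulative bytes since startup
    received: int                   # cumulative bytes since startup
    clients: Optional[int] = None   # unique clients since last heartbeat (bridges only)


def parse_heartbeats(log: str) -> List[Heartbeat]:
    """Extract traffic heartbeats and attach the unique-client count that follows each."""
    beats: List[Heartbeat] = []
    for line in log.splitlines():
        m = _TRAFFIC_RE.match(line)
        if m:
            beats.append(Heartbeat(m["ts"], int(m["circuits"]),
                                   parse_size(m["sent"]), parse_size(m["recv"])))
            continue
        m = _CLIENTS_RE.match(line)
        if m and beats:
            beats[-1].clients = int(m["clients"])
    return beats


@dataclass
class Interval:
    ts: str
    sent: int
    received: int
    clients: Optional[int]
    ratio: float    # received / sent over this interval


def intervals(beats: List[Heartbeat]) -> List[Interval]:
    """Turn cumulative counters into per-interval deltas; skip intervals spanning a restart."""
    out: List[Interval] = []
    for prev, cur in zip(beats, beats[1:]):
        d_sent = cur.sent - prev.sent
        d_recv = cur.received - prev.received
        if d_sent < 0 or d_recv < 0:    # counters reset when tor restarts
            continue
        ratio = d_recv / d_sent if d_sent else float("inf")
        out.append(Interval(cur.ts, d_sent, d_recv, cur.clients, ratio))
    return out


def flag_asymmetric(ivs: List[Interval], threshold: float = 2.0) -> List[Interval]:
    """Return intervals where one direction exceeds the other by `threshold` (an assumed value)."""
    return [iv for iv in ivs if iv.ratio >= threshold or iv.ratio <= 1 / threshold]


if __name__ == "__main__":
    for iv in intervals(parse_heartbeats(SAMPLE_LOG)):
        mark = "  <-- asymmetric" if iv in flag_asymmetric([iv]) else ""
        print(f"{iv.ts}: sent {iv.sent} B, received {iv.received} B, "
              f"ratio {iv.ratio:.2f}, clients {iv.clients}{mark}")
```

Run it against the real notice log instead of the embedded sample (for example `parse_heartbeats(open("/var/log/tor/notices.log").read())`, path assumed) to see whether the asymmetry coincides with the jump in unique clients, which is the kind of correlation a short tcpdump sample could then be targeted at.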