Learn whether the botnet clients are doing v2 vs v3 link handshakes
We're not sure what version the two million new botnet clients are running. It might be Tor 0.2.2, in which case we can distinguish them by their link handshake version.
We have lines like
dirreq-v3-reqs us=56,fr=32,it=32,de=24,es=24,br=16,ru=16,ua=16,??=8,ar=8,at=8,au=8,bd=8,be=8,bj=8,ca=8,ch=8,co=8,cz=8,dz=8,eg=8,gb=8,ge=8,hk=8,id=8,ie=8,il=8,in=8,ir=8,is=8,jp=8,kr=8,lb=8,lt=8,lv=8,ma=8,md=8,mx=8,nl=8,no=8,ph=8,pl=8,ro=8,sa=8,se=8,sg=8,sy=8,tr=8,tw=8,ve=8
dirreq-v2-reqs
in extra info descriptors. We could add new similar lines for link handshakes. I worry about a few edge cases though, where there's one client left in the world using the v1 handshake, and somehow the exit relay can recognize it too, and now the guard node tells everybody that it's the guard for that client.
In any case, step one is to write a quick hack to count them up, for overloaded relay operators to run.
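Added example, not part of the ticket and not Tor code: a parser for the dirreq-style lines quoted above, plus a tally of link handshake versions formatted the same way, with counts rounded up to a multiple of 8 as the dirreq stats are. The keyword `link-handshake-versions`, the function names and the sample tally are assumptions made for illustration.

```python
import math
from collections import Counter

# dirreq-v3-reqs line from the ticket, rejoined onto one logical line.
SAMPLE = ("dirreq-v3-reqs us=56,fr=32,it=32,de=24,es=24,br=16,ru=16,ua=16,??=8,"
          "ar=8,at=8,au=8,bd=8,be=8,bj=8,ca=8,ch=8,co=8,cz=8,dz=8,eg=8,gb=8,"
          "ge=8,hk=8,id=8,ie=8,il=8,in=8,ir=8,is=8,jp=8,kr=8,lb=8,lt=8,lv=8,"
          "ma=8,md=8,mx=8,nl=8,no=8,ph=8,pl=8,ro=8,sa=8,se=8,sg=8,sy=8,tr=8,"
          "tw=8,ve=8")

def parse_stats_line(line):
    """Split 'keyword k=v,k=v,...' into (keyword, {k: int}); values may be absent."""
    keyword, _, rest = line.strip().partition(" ")
    counts = {}
    for item in filter(None, rest.split(",")):
        key, sep, value = item.partition("=")
        if not sep or not value.isdigit():
            raise ValueError(f"malformed item: {item!r}")
        counts[key] = int(value)
    return keyword, counts

def bin_counts(raw, bin_size=8):
    """Round each non-zero count up to the next multiple of bin_size."""
    return {k: math.ceil(n / bin_size) * bin_size for k, n in raw.items() if n > 0}

def format_stats_line(keyword, binned):
    """Emit items sorted by count (descending), then key, like the sample line."""
    items = sorted(binned.items(), key=lambda kv: (-kv[1], kv[0]))
    return (keyword + " " + ",".join(f"{k}={n}" for k, n in items)).rstrip()

def lowest_bin_keys(binned, bin_size=8):
    """Keys published at exactly one bin: 1..bin_size clients, possibly only one."""
    return sorted(k for k, n in binned.items() if n == bin_size)

def demo():
    # Constructed tally of handshakes seen by one relay; a single v1 client remains.
    observed = ["v3"] * 410 + ["v2"] * 1900 + ["v1"]
    binned = bin_counts(Counter(observed))
    # "link-handshake-versions" is a hypothetical keyword, not a real descriptor line.
    return format_stats_line("link-handshake-versions", binned), lowest_bin_keys(binned)

if __name__ == "__main__":
    line, rare = demo()
    print(line)
    print("versions in the lowest bin:", rare)
```

Rounding up hides the exact count, but a version with a single client still appears in the published line, which is the edge case the ticket raises.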