Hello Tobias,

I am glad that somebody else took notice, and I agree, suspecting something nasty (or highly unusual) is going on. There was a discussion about that in Berlin in July already, https://trac.torproject.org/projects/tor/wiki/org/meetings/BerlinRelayOperatorsMeetupJul18, but no public follow-up since then. There seems to be a private person who is holding this family, https://metrics.torproject.org/rs.html#search/family:1084200B44021D308EA4253F256794671B1D099A, and ran between 10-15% exit probability in the last six months, which I personally judge as far too high for a single person, or even an entity. You can find more information here: https://apility.io/search/185.220.101.20

The person got invited to the second meeting in Berlin, but didn't show up to explain.

"Die Zeit bringt Rat. Erwartet's in Geduld! / Time brings counsel. Await it in patience!"
-- Schiller

Regards
Paul

Tobias Westerhever:
> Hello,
>
> recently, I noticed some strange aspects related to networks
> of Torservers/Zwiebelfreunde. Since there was no way to get any
> further information on this topic so far, I am posting it here.
> Maybe someone can help.
>
> (a) Torservers relay family decreased?
> The organisation used to maintain many more relays than their
> family [1] currently contains. At the moment, only four relays
> located in NL belong to them, while the Metrics page indicates
> some orphaned family members.
>
> This coincides with [2], but I am unaware of any announcements
> of Torservers/Zwiebelfreunde itself (i.e. tight financial
> situation). Does anybody have further details here?
>
> (b) Who is the operator behind family B771AA877687F88E6F1CA5354756DF6C8A7B6B24?
> There are some /24 IPv4 BGP allocations claiming to belong to the
> umbrella organisation "Zwiebelfreunde e.V.", which operate(d|s)
> the relay family mentioned above.
>
> I will ask further questions about this in (c).
>
> However, there is a _huge_ relay family (27 members, with a
> total bandwidth of ~ 1,245 MB) located in 185.220.101.0/24,
> which uses Zwiebelfreunde as a contact role and has not been
> changed since 2017-09-08.
>
> The relays themselves, however, all use <abuse@xxxxxxxxxxxxxxxxxxxxxxx>
> as contact address (which does not seem to be related to
> Zwiebelfreunde at all) and use a description beginning with
> "nifty".
>
> Since most of them have both the Guard and Exit flag assigned, I
> figure they are handling a huge consensus weight. Does anybody
> know the person/organisation behind them? Are they related to
> Zwiebelfreunde/Torservers? What is the physical location of the
> servers (BGP claims DE, but upstream AS200052 uses UK)?
>
> (c) Strange BGP allocations using Zwiebelfreunde as contact role
> At the moment, 9 IPv4 BGP prefixes with a length of /24 are
> known to use a contact role pointing to Zwiebelfreunde [4].
>
> These are as follows:
> - 37.218.246.0/24 (Upstream AS47172 "Greenhost", claims EU, but is likely NL, 0 Tor relays found)
> - 193.235.207.0/24 (Upstream AS196689 "Digicube", claims EU, but is likely FR, 0 Tor relays found)
> - 192.36.61.0/24 (Upstream AS60781 "Leaseweb", claims EU, but is likely NL, 0 Tor relays found)
> - 192.36.41.0/24 (Upstream AS34305 "BaseIP", claims EU, but is likely NL, 0 Tor relays found)
> - 192.36.27.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
> - 185.220.102.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
> - 185.220.101.0/24 (Upstream AS200052 "Joshua Peter McQuistan", claims DE, physical location unknown, 27 Tor relays found)
>
> What puzzles me here is:
> 1. None of these networks has any Tor relays known (or Metrics
> does not show them), which is strange as Torservers/Zwiebelfreunde
> is more or less dedicated to operating relays.
>
> 2. The appearing relays solely belong to the strange and huge
> family mentioned in (b), which cannot be exactly pinpointed to
> be run by Torservers/Zwiebelfreunde.
>
> 3. I suspected the mentioned IP ranges to be fake allocations,
> but most of them were not changed for more than half a year. Further,
> I never observed any traffic from or to these networks. If anybody
> does, please drop me a line.
>
> 4. All four relays which do belong to Torservers are located in
> AS43350 ("NForce Entertainment") and do not have their own IPv4
> prefix.
>
> ***
>
> Because of these coincidences, and the observations mentioned in (a)
> and (b), I suspect something nasty (or highly unusual) is going on,
> but I have no clue what this might be.
>
> It would be great if someone who is in Tor more deeply than I am
> could take a look at this. Also, if there is further information
> available, please tell me.
>
> "Mit dem Wissen wächst der Zweifel. / Doubt grows with knowledge."
> -- Goethe
>
> Best regards,
> T. Westerhever
>
> Links:
> [1] https://metrics.torproject.org/rs.html#search/family:0FF233C8D78A17B8DB7C8257D2E05CD5AA7C6B88
> [2] https://blog.torservers.net/20180704/coordinated-raids-of-zwiebelfreunde-at-various-locations-in-germany.html
> [3] https://metrics.torproject.org/rs.html#search/family:B771AA877687F88E6F1CA5354756DF6C8A7B6B24
> [4] https://bgp.he.net/
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Attachment: 0xC8C330E7.asc (application/pgp-keys)
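The thread's concern is concentration: one family or one /24 carrying a large share of exit and guard probability. The following is an added example (not code from either poster) that aggregates an Onionoo-style relay list, the data behind metrics.torproject.org, per family and per /24 prefix and flags groups above a 10% exit-probability threshold; it assumes the real Onionoo field names and runs on a constructed sample with placeholder fingerprints and documentation-range addresses.

```python
"""Sum exit/guard probability per relay family and per /24 prefix from an
Onionoo-style 'details' document. Added example, not the thread's code; it
assumes the real Onionoo field names (fingerprint, or_addresses,
effective_family, exit_probability, guard_probability) on a constructed sample."""
import ipaddress
from collections import defaultdict

# Constructed sample: placeholder fingerprints and documentation-range
# addresses, not real relays. Three relays share one family across two /24s.
SAMPLE_RELAYS = [
    {"fingerprint": "AAAA0001", "or_addresses": ["192.0.2.10:9001"],
     "effective_family": ["$AAAA0001", "$AAAA0002", "$AAAA0003"],
     "exit_probability": 0.045, "guard_probability": 0.030},
    {"fingerprint": "AAAA0002", "or_addresses": ["192.0.2.11:9001"],
     "effective_family": ["$AAAA0001", "$AAAA0002", "$AAAA0003"],
     "exit_probability": 0.040, "guard_probability": 0.025},
    {"fingerprint": "AAAA0003", "or_addresses": ["[2001:db8::3]:9001", "198.51.100.5:9001"],
     "effective_family": ["$AAAA0001", "$AAAA0002", "$AAAA0003"],
     "exit_probability": 0.035, "guard_probability": 0.020},
    {"fingerprint": "BBBB0004", "or_addresses": ["198.51.100.6:443"],
     "effective_family": [], "exit_probability": 0.020, "guard_probability": 0.0},
]

def prefix24(or_addresses):
    """Return the /24 of the first IPv4 OR address; IPv6 entries ('[...]:port') are skipped."""
    for addr in or_addresses:
        if not addr.startswith("["):
            host = addr.rsplit(":", 1)[0]
            return str(ipaddress.ip_network(f"{host}/24", strict=False))
    return None

def family_key(relay):
    """Stable family id: sorted effective_family (with or without '$'), else the relay alone."""
    members = relay.get("effective_family") or [relay["fingerprint"]]
    return ",".join(sorted(m.lstrip("$") for m in members))

def aggregate(relays, by="family"):
    """Count relays and sum exit/guard probability per family or per /24 prefix."""
    totals = defaultdict(lambda: {"count": 0, "exit": 0.0, "guard": 0.0})
    for r in relays:
        key = family_key(r) if by == "family" else prefix24(r["or_addresses"])
        totals[key]["count"] += 1
        totals[key]["exit"] += r.get("exit_probability", 0.0)
        totals[key]["guard"] += r.get("guard_probability", 0.0)
    return dict(totals)

def over_threshold(relays, by="family", max_exit=0.10):
    """Groups whose summed exit probability exceeds max_exit (10% by default)."""
    return {k: v for k, v in aggregate(relays, by).items() if v["exit"] > max_exit}
```

On the sample, the family view flags the three-relay family at 12% exit probability while neither /24 alone crosses 10%, which is why family-level and prefix-level views both belong in a relay-concentration check.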