[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] Relays that change their fingerprints a lot

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-dev] Relays that change their fingerprints a lot
From: Philipp Winter <phw@xxxxxxxxx>
Date: Mon, 2 Mar 2015 19:00:47 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 02 Mar 2015 13:01:06 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Mail-followup-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Inspired by Gareth's 31C3 talk [0], I taught sybilhunter [1] to
calculate the amount of unique fingerprints a Tor relay used over time.
Armed with that feature, I extracted the top 10 relay IP addresses that
had the most fingerprints for every month since 2007 [2].  While most IP
addresses show up only once in the monthly top 10, three IP addresses
showed up more than ten times.

    Address        Count     Owner                     Total changes
    ----------------------------------------------------------------
    193.19.77.145  11 times  ISP in France (DDO)       163
    71.57.5.24     11 times  ISP in the US (Comcast)   430
    141.70.22.69   12 times  University in Germany     293

Note that being present in the monthly top 10 isn't necessarily
suspicious because it can be attributed to misconfiguration.  For
example, if a Tor process' data directory is set to /tmp, you get a new
fingerprint every time you reboot.

A better metric is the amount of unique fingerprints, so I extracted the
IP addresses that changed their fingerprint the most [3].  One IP
address in Comcast's network, 98.212.74.104, changed its fingerprint
several hundred times.  That happened from August to December 2010.
Below is one of the relay's descriptors.  Note that the nickname
suggests that the relay was running on OpenWRT.

    @type server-descriptor 1.0
    router openwrt 98.212.74.104 9001 0 0
    platform Tor 0.2.1.26 on Linux mips
    opt protocols Link 1 2 Circuit 1
    published 2010-09-10 01:42:42
    opt fingerprint 90BD DDA6 D716 D36A D236 03A7 06A9 887E FFEE DFED
    uptime 915
    bandwidth 102400 102400 55670

Unfortunately, it's difficult to make meaningful conclusions from this
data.  Relays that change their fingerprint a lot might still be honest
unless the distribution of their fingerprints clearly deviates from a
uniform distribution or correlates with Tor's DHT structure in some way.

I also uploaded the raw data [4].

[0] <http://media.ccc.de/browse/congress/2014/31c3_-_6112_-_en_-_saal_2_-_201412301715_-_tor_hidden_services_and_deanonymisation_-_dr_gareth_owen.html>
[1] <https://gitweb.torproject.org/user/phw/sybilhunter.git/>
[2] <http://www.nymity.ch/hunting_sybils/multiple_fingerprints/accumulated_top10_addresses.txt>
[3] <http://www.nymity.ch/hunting_sybils/multiple_fingerprints/accumulated_top10_changes.txt>
[4] <http://www.nymity.ch/hunting_sybils/multiple_fingerprints/monthly-statistics.tar.xz>

Cheers,
Philipp
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Prev by Author: Re: [tor-dev] Renaming arm
Next by Author: Re: [tor-dev] Questions for the torflow developers
Previous by thread: Re: [tor-dev] Suggestions for Hidden Services Statistics Project
Next by thread: Re: [tor-dev] Porting Tor Browser to the BSDs
Index(es):
- Author
- Thread