[tor-dev] Relays that change their fingerprints a lot
Inspired by Gareth's 31C3 talk [0], I taught sybilhunter [1] to
calculate the number of unique fingerprints a Tor relay used over time.
Armed with that feature, I extracted the top 10 relay IP addresses that
had the most fingerprints for every month since 2007 [2]. While most IP
addresses show up only once in the monthly top 10, three IP addresses
showed up more than ten times.

Address         Count      Owner                        Total changes
----------------------------------------------------------------------
193.19.77.145   11 times   ISP in France (DDO)          163
71.57.5.24      11 times   ISP in the US (Comcast)      430
141.70.22.69    12 times   University in Germany        293

Note that being present in the monthly top 10 isn't necessarily
suspicious because it can be attributed to misconfiguration. For
example, if a Tor process' data directory is set to /tmp, you get a new
fingerprint every time you reboot.

A better metric is the number of unique fingerprints, so I extracted the
IP addresses that changed their fingerprint the most [3]. One IP
address in Comcast's network, 98.212.74.104, changed its fingerprint
several hundred times. That happened from August to December 2010.

Below is one of the relay's descriptors. Note that the nickname
suggests that the relay was running on OpenWRT.

    @type server-descriptor 1.0
    router openwrt 98.212.74.104 9001 0 0
    platform Tor 0.2.1.26 on Linux mips
    opt protocols Link 1 2 Circuit 1
    published 2010-09-10 01:42:42
    opt fingerprint 90BD DDA6 D716 D36A D236 03A7 06A9 887E FFEE DFED
    uptime 915
    bandwidth 102400 102400 55670

Unfortunately, it's difficult to make meaningful conclusions from this
data. Relays that change their fingerprint a lot might still be honest
unless the distribution of their fingerprints clearly deviates from a
uniform distribution or correlates with Tor's DHT structure in some way.

I also uploaded the raw data [4].

[0] <http://media.ccc.de/browse/congress/2014/31c3_-_6112_-_en_-_saal_2_-_201412301715_-_tor_hidden_services_and_deanonymisation_-_dr_gareth_owen.html>
[1] <https://gitweb.torproject.org/user/phw/sybilhunter.git/>
[2] <http://www.nymity.ch/hunting_sybils/multiple_fingerprints/accumulated_top10_addresses.txt>
[3] <http://www.nymity.ch/hunting_sybils/multiple_fingerprints/accumulated_top10_changes.txt>
[4] <http://www.nymity.ch/hunting_sybils/multiple_fingerprints/monthly-statistics.tar.xz>

Cheers,
Philipp
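
Added example (not part of the original post and not sybilhunter's code): one way to count unique fingerprints per relay address, both per month and over the whole period, from server descriptors in the format quoted above. The sample descriptors, the documentation-range addresses and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: documentation-range addresses, made-up fingerprints.
ROWS = [("192.0.2.10", "2010-09-10 01:42:42", "0001"),
        ("192.0.2.10", "2010-09-10 19:42:42", "0001"),  # republished, same key
        ("192.0.2.10", "2010-09-12 08:00:00", "0002"),
        ("192.0.2.10", "2010-10-01 08:00:00", "0002"),  # key carried into October
        ("192.0.2.10", "2010-10-05 08:00:00", "0003"),
        ("198.51.100.7", "2010-09-15 12:00:00", "00AA")]
SAMPLE = "".join(
    "@type server-descriptor 1.0\nrouter test %s 9001 0 0\npublished %s\n"
    "opt fingerprint %s%s\n" % (a, p, "0000 " * 9, f) for a, p, f in ROWS)

ROUTER = re.compile(r"^router \S+ (\S+) \d+ \d+ \d+$")
PUBLISHED = re.compile(r"^published (\d{4}-\d{2})-\d{2} ")
FPR = re.compile(r"^(?:opt )?fingerprint ((?:[0-9A-Fa-f]{4} ?){10})$")

def parse(text):
    """Yield (address, 'YYYY-MM', fingerprint) for each complete descriptor."""
    for block in text.split("@type server-descriptor")[1:]:
        addr = month = fpr = None
        for line in block.splitlines():
            if m := ROUTER.match(line):
                addr = m.group(1)
            elif m := PUBLISHED.match(line):
                month = m.group(1)
            elif m := FPR.match(line):
                fpr = m.group(1).replace(" ", "").upper()
        if addr and month and fpr:  # skip descriptors missing any field
            yield addr, month, fpr

def fingerprints_by_address(text):
    """Map address -> month -> set of fingerprints seen in that month."""
    seen = defaultdict(lambda: defaultdict(set))
    for addr, month, fpr in parse(text):
        seen[addr][month].add(fpr)
    return seen

def monthly_top(seen, month, n=10):
    """Top-n (address, unique fingerprints) for one month, ties by address."""
    rows = [(a, len(m[month])) for a, m in seen.items() if month in m]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:n]

def total_unique(seen):
    """Unique fingerprints per address over the whole period."""
    return {a: len(set().union(*m.values())) for a, m in seen.items()}

if __name__ == "__main__":
    seen = fingerprints_by_address(SAMPLE)
    print(monthly_top(seen, "2010-09"), total_unique(seen))
```

Republished descriptors with an unchanged key do not inflate the count, and a key that spans two months is counted once in the overall total, so the total can be lower than the sum of the monthly counts.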