[tor-relays] Torservers relay family decreased? (solved)
› Hello,
›
› recently, I noticed some strange aspects related to networks
› of Torservers/Zwiebelfreunde. Since there was no way to get any
› further information on this topic so far, I am posting it here.
› Maybe someone can help.
Let's recap this for a moment:
1. Every relay of my family has my e-mail. Write an e-mail and ask. Problem solved.
2. The e-mails are running on a domain registered by me. Make a whois lookup for the domain. Problem solved.
3. The /24 IP space is registered by me. Make a RIPE (or whoever provides IP lookup) and you also have my name. Problem solved.
4. Ask someone from Torservers about me. They gave me the /24 for hosting Tor exits. Problem solved.
5. Take a look at the Tor relay mailing list, I was active there. Problem solved.
6. I am a registered InterExchangeCarrier under German law. Ask the Bundesnetzagentur for my information. Problem solved.
7. The RIPE entries are maintained by F3Netze/Zwiebelfreunde. Ask Tim about me. Problem solved.
8. Write a snail mail letter to my address. Problem solved.
9. Send me a facsimile to my official RIPE abuse records. Problem solved.
and the list goes on and on … Welcome to the Interwebs where people ask who you are ...
To perfectly sum it up:
https://i.imgur.com/20wmhNT.jpg
› (b) Who is the operator behind family B771AA877687F88E6F1CA5354756DF6C8A7B6B24 ?
› There are some /24 IPv4 BGP allocations claiming to belong to the
› umbrella organisation "Zwiebelfreunde e.V.", which operate(d|s)
› the relay family mentioned above.
There is still no family fingerprint. We did not ever claim to belong to Zwiebelfreunde e.V.
Stop making shit up.
› I will ask further questions about this in (c) .
›
› However, there is a _huge_ relay family (27 members, with a
› total bandwidth of ~ 1,245 MB) located in 185.220.101.0/24 ,
› which uses Zwiebelfreunde as a contact role and has not been
› changed since 2017-09-08.
No, we do not.
We are the ADMIN-C and the TECH-C. Zwiebelfreunde is just the MNT-REF.
Look it up for yourself:
https://apps.db.ripe.net/db-web-ui/#/query?bflag&searchtext=185.220.101.0&source=RIPE#resultsSection
It even has a fucking disclaimer on it:
netname: MK-TOR-EXIT
remarks: -----------------------------------
remarks: This network is used for Tor Exits.
remarks: We do not have any logs at all.
remarks: For more information please visit:
remarks: https://www.torproject.org
remarks: -----------------------------------
remarks: Dieses Netz hostet nur Tor
remarks: Exists. Wir haben keinerlei Logs.
remarks: Mehr Informationen unter:
remarks: https://www.torproject.org
The (current) owner of the IPs is: https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=ORG-MK113-RIPE&type=organisation
and the abuse contact:
https://apps.db.ripe.net/db-web-ui/#/lookup?source=RIPE&key=ACRO11287-RIPE&type=role
› The relays themselves, however, all use <abuse at to-surf-and-protect.net>
› as contact address (which does not seem to be related to
› Zwiebelfreunde at all) and use a description beginning with
› "nifty".
Have you tried to send us an e-mail and ask? No? They are not related to Zwiebelfreunde because we are not Zwiebelfreunde.
And btw, it's Nifty + name of a rodent.
Yes, I know hedgehogs are no rodents. But they are cute too.
› Since most of them have both Guard and Exit flag assigned, I
› figure they are handling a huge consensus weight.
No. Complete bullshit. Exit flag indicates that's an Exit and Guard indicates a longer uptime.
I can make a relay on a wee DSL line with these flags. It indicates not a huge consensus weight at all.
RTFM!
› Does anybody know the person/organisation behind them?
Yes.
› Are they related to Zwiebelfreunde/Torservers?
Besides the /24, no.
› What is the physical location of the servers (BGP claims DE, but upstream AS200052 uses UK)?
NL
BGP claims DE? BGP is a routing protocol, it claims nothing. It doesn't give a flying shit about countries. It routes packets between different ASs.
Show me the BGP routing table.
› (c) Strange BGP allocations using Zwiebelfreunde as contact role
› At the moment, 9 IPv4 BGP prefixes with a length of /24 are
› known to use a contact role pointing to Zwiebelfreunde [4] .
›
› These are as follows:
› - 37.218.246.0/24 (Upstream AS47172 "Greenhost", claims EU, but is likely NL, 0 Tor relays found)
› - 193.235.207.0/24 (Upstream AS196689 "Digicube", claims EU, but is likely FR, 0 Tor relays found)
› - 192.36.61.0/24 (Upstream AS60781 "Leaseweb", claims EU, but is likely NL, 0 Tor relays found)
› - 192.36.41.0/24 (Upstream AS34305 "BaseIP", claims EU, but is likely NL, 0 Tor relays found)
› - 192.36.27.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
› - 185.220.102.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
› - 185.220.101.0/24 (Upstream AS200052 "Joshua Peter McQuistan", claims DE, physical location unknown, 27 Tor relays found)
BGP still claims shit. BGP is still a routing protocol. Look at a looking glass server and start reading RTFs.
› What puzzles me here is:
› 1. None of these networks has any Tor relays known (or Metrics
› does not show them), which is strange as Torservers/Zwiebelfreunde
› is more or less dedicated to operate relays.
https://nusenu.github.io/OrNetStats/
https://metrics.torproject.org/rs.html
› 2. The appearing relays solely belong to the strange and huge
› family mentioned in (b) , which cannot be exactly pinpointed to
› be run by Torservers/Zwiebelfreunde.
Yeah, these strange and huge relays are here for over 3 years, growing.
https://imgur.com/1jwtxHX
Nusenu twitter page, https://twitter.com/nusenu_ , you should check it out.
› 3. I suspected the mentioned IP ranges to be fakely allocated,
› but most of them were not changed for more than half a year. Further,
› I never observed any traffic from or to these networks. If anybody
› does, please drop me a line.
Yes! Completely right! You just destroyed our super secret FBI/NSA/BND/MI6 plan to take over the Tor network.
Good job, Sherlock!
› As of these coincidences, and the observations mentioned in (a)
› and (b), I suspect something nasty (or highly unusual) is going on,
› but I have no clue what this might be.
100% perfect conclusion. Good job, Sherlock!
› It would be great if someone who is in Tor more deeply than I am
› could take a look at this. Also, if there is further information
› available, please tell me.
› "Mit dem Wissen wächst der Zweifel. / Doubt grows with knowledge."
› -- Goethe
https://imgur.com/JG514ja
› Best regards,
› T. Westerhever
Whatever,
niftybunny
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays