Hello,
recently, I noticed some strange aspects related to networks of Torservers/Zwiebelfreunde. Since there was no way to get any further information on this topic so far, I am posting it here. Maybe someone can help.
(a) Torservers relay family decreased?
The organisation used to maintain many more relays than their family [1] currently contains. At the moment, only four relays located in NL belong to them, while the Metrics page indicates some orphaned family members.
This coincides with [2], but I am unaware of any announcements of Torservers/Zwiebelfreunde itself (i.e. tight financial situation). Does anybody have further details here?
(b) Who is the operator behind family B771AA877687F88E6F1CA5354756DF6C8A7B6B24?
There are some /24 IPv4 BGP allocations claiming to belong to the umbrella organisation "Zwiebelfreunde e.V.", which operate(d|s) the relay family mentioned above.
I will ask further questions about this in (c).
However, there is a _huge_ relay family (27 members, with a total bandwidth of ~ 1,245 MB) located in 185.220.101.0/24, which uses Zwiebelfreunde as a contact role and has not been changed since 2017-09-08.
The relays themselves, however, all use abuse@to-surf-and-protect.net as contact address (which does not seem to be related to Zwiebelfreunde at all) and use a description beginning with "nifty".
Since most of them have both Guard and Exit flag assigned, I figure they are handling a huge consensus weight. Does anybody know the person/organisation behind them? Are they related to Zwiebelfreunde/Torservers? What is the physical location of the servers (BGP claims DE, but upstream AS200052 uses UK)?
(c) Strange BGP allocations using Zwiebelfreunde as contact role
At the moment, 9 IPv4 BGP prefixes with a length of /24 are known to use a contact role pointing to Zwiebelfreunde [4].
These are as follows:
- 37.218.246.0/24 (Upstream AS47172 "Greenhost", claims EU, but is likely NL, 0 Tor relays found)
- 193.235.207.0/24 (Upstream AS196689 "Digicube", claims EU, but is likely FR, 0 Tor relays found)
- 192.36.61.0/24 (Upstream AS60781 "Leaseweb", claims EU, but is likely NL, 0 Tor relays found)
- 192.36.41.0/24 (Upstream AS34305 "BaseIP", claims EU, but is likely NL, 0 Tor relays found)
- 192.36.27.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
- 185.220.102.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
- 185.220.101.0/24 (Upstream AS200052 "Joshua Peter McQuistan", claims DE, physical location unknown, 27 Tor relays found)
What puzzles me here is:
1. None of these networks has any Tor relays known (or Metrics does not show them), which is strange as Torservers/Zwiebelfreunde is more or less dedicated to operating relays.
2. The appearing relays solely belong to the strange and huge family mentioned in (b), which cannot be exactly pinpointed to be run by Torservers/Zwiebelfreunde.
3. I suspected the mentioned IP ranges to be fakely allocated, but most of them were not changed for more than half a year. Further, I never observed any traffic from or to these networks. If anybody does, please drop me a line.
4. All four relays which do belong to Torservers are located in AS43350 ("NForce Entertainment") and do not have their own IPv4 prefix.
***
Because of these coincidences, and the observations mentioned in (a) and (b), I suspect something nasty (or highly unusual) is going on, but I have no clue what this might be.
It would be great if someone who is into Tor more deeply than I am could take a look at this. Also, if there is further information available, please tell me.
"Mit dem Wissen wächst der Zweifel. / Doubt grows with knowledge." -- Goethe
Best regards, T. Westerhever
Links:
[1] https://metrics.torproject.org/rs.html#search/family:0FF233C8D78A17B8DB7C825...
[2] https://blog.torservers.net/20180704/coordinated-raids-of-zwiebelfreunde-at-...
[3] https://metrics.torproject.org/rs.html#search/family:B771AA877687F88E6F1CA53...
[4] https://bgp.he.net/
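The checks the post does by hand (how many relays sit inside a prefix, their Guard/Exit flags, summed bandwidth, contact strings and declared family size) can be reproduced against the Onionoo "details" documents that back Relay Search. The following is an added example, not code from the original post; it runs on a constructed sample in the Onionoo shape (fingerprints, contacts and bandwidths are made up), and only the prefix 185.220.101.0/24 is taken from the post.

```python
import ipaddress
import json

# Constructed sample shaped like an Onionoo "details" document
# (https://metrics.torproject.org/onionoo.html). Fingerprints, contacts,
# flags and bandwidths are made up for illustration, not real relays.
SAMPLE_DETAILS = json.dumps({"relays": [
    {"fingerprint": "A" * 40, "or_addresses": ["185.220.101.10:443"],
     "flags": ["Guard", "Exit", "Running"], "advertised_bandwidth": 40000000,
     "contact": "abuse@example.net", "effective_family": ["A" * 40, "B" * 40]},
    {"fingerprint": "B" * 40,
     "or_addresses": ["185.220.101.11:443", "[2001:db8::1]:443"],
     "flags": ["Guard", "Running"], "advertised_bandwidth": 30000000,
     "contact": "abuse@example.net", "effective_family": ["A" * 40, "B" * 40]},
    {"fingerprint": "C" * 40, "or_addresses": ["198.51.100.5:9001"],
     "flags": ["Running"], "advertised_bandwidth": 1000000,
     "contact": "other@example.org", "effective_family": ["C" * 40]},
]})


def relay_ipv4(relay):
    """Return the relay's first IPv4 OR address; Onionoo lists 'ip:port'
    and brackets IPv6 literals, which are skipped here."""
    for addr in relay.get("or_addresses", []):
        host = addr.rsplit(":", 1)[0]
        if not host.startswith("["):
            return ipaddress.ip_address(host)
    return None


def summarize_prefix(details_json, prefix):
    """Summarize the relays whose IPv4 OR address falls inside `prefix`:
    count, total advertised bandwidth in MB/s, Guard and Exit counts,
    distinct contact strings and the largest declared effective family."""
    net = ipaddress.ip_network(prefix)
    summary = {"relays": 0, "bandwidth_mb": 0.0, "guard": 0, "exit": 0,
               "contacts": set(), "max_family": 0}
    for relay in json.loads(details_json)["relays"]:
        ip = relay_ipv4(relay)
        if ip is None or ip not in net:
            continue
        summary["relays"] += 1
        summary["bandwidth_mb"] += relay.get("advertised_bandwidth", 0) / 1e6
        summary["guard"] += "Guard" in relay.get("flags", [])
        summary["exit"] += "Exit" in relay.get("flags", [])
        summary["contacts"].add(relay.get("contact", ""))
        summary["max_family"] = max(summary["max_family"],
                                    len(relay.get("effective_family", [])))
    summary["contacts"] = sorted(summary["contacts"])
    return summary


if __name__ == "__main__":
    print(summarize_prefix(SAMPLE_DETAILS, "185.220.101.0/24"))
```

Against live data, replace SAMPLE_DETAILS with the body of an Onionoo details query; a prefix from the list above that returns zero relays here matches the "0 Tor relays found" observations in (c).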