Hello Tobias,
I am glad that somebody else took notice, and I agree, suspecting something nasty (or highly unusual) is going on. There was already a discussion about that in Berlin in July, https://trac.torproject.org/projects/tor/wiki/org/meetings/BerlinRelayOperat... but no public follow-up since then.
There seems to be a private person who is holding this family https://metrics.torproject.org/rs.html#search/family:1084200B44021D308EA4253... and ran between 10-15% exit probability in the last six months - which I personally judge as far too high for a single person, or even an entity. More information can be found here: https://apility.io/search/185.220.101.20
The person got invited to the second meeting in Berlin, but didn't show up to explain.
"Die Zeit bringt Rat. Erwartet's in Geduld! / Time brings counsel. Await it in patience!" -- Schiller
Regards, Paul
Tobias Westerhever:
Hello,
recently, I noticed some strange aspects related to networks of Torservers/Zwiebelfreunde. Since there was no way to get any further information on this topic so far, I am posting it here. Maybe someone can help.
(a) Torservers relay family decreased? The organisation used to maintain many more relays than their family [1] currently contains. At the moment, only four relays located in NL belong to them, while the Metrics page indicates some orphaned family members.
This coincides with [2], but I am unaware of any announcements by Torservers/Zwiebelfreunde itself (i.e. a tight financial situation). Does anybody have further details here?
(b) Who is the operator behind family B771AA877687F88E6F1CA5354756DF6C8A7B6B24? There are some /24 IPv4 BGP allocations claiming to belong to the umbrella organisation "Zwiebelfreunde e.V.", which operate(d|s) the relay family mentioned above.
I will ask further questions about this in (c).
However, there is a _huge_ relay family (27 members, with a total bandwidth of ~ 1,245 MB) located in 185.220.101.0/24, which uses Zwiebelfreunde as a contact role and has not been changed since 2017-09-08.
The relays themselves, however, all use abuse@to-surf-and-protect.net as contact address (which does not seem to be related to Zwiebelfreunde at all) and use a description beginning with "nifty".
Since most of them have both Guard and Exit flag assigned, I figure they are handling a huge consensus weight. Does anybody know the person/organisation behind them? Are they related to Zwiebelfreunde/Torservers? What is the physical location of the servers (BGP claims DE, but upstream AS200052 uses UK)?
(c) Strange BGP allocations using Zwiebelfreunde as contact role
At the moment, 9 IPv4 BGP prefixes with a length of /24 are known to use a contact role pointing to Zwiebelfreunde [4]. These are as follows:
- 37.218.246.0/24 (Upstream AS47172 "Greenhost", claims EU, but is likely NL, 0 Tor relays found)
- 193.235.207.0/24 (Upstream AS196689 "Digicube", claims EU, but is likely FR, 0 Tor relays found)
- 192.36.61.0/24 (Upstream AS60781 "Leaseweb", claims EU, but is likely NL, 0 Tor relays found)
- 192.36.41.0/24 (Upstream AS34305 "BaseIP", claims EU, but is likely NL, 0 Tor relays found)
- 192.36.27.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
- 185.220.102.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
- 185.220.101.0/24 (Upstream AS200052 "Joshua Peter McQuistan", claims DE, physical location unknown, 27 Tor relays found)
What puzzles me here is:
- None of these networks has any Tor relays known (or Metrics does not show them), which is strange, as Torservers/Zwiebelfreunde is more or less dedicated to operating relays.
- The relays that do appear belong solely to the strange and huge family mentioned in (b), which cannot be pinpointed exactly as being run by Torservers/Zwiebelfreunde.
- I suspected the mentioned IP ranges to be falsely allocated, but most of them have not changed for more than half a year. Further, I never observed any traffic from or to these networks. If anybody does, please drop me a line.
- All four relays which do belong to Torservers are located in AS43350 ("NForce Entertainment") and do not have their own IPv4 prefix.
Given these coincidences, and the observations mentioned in (a) and (b), I suspect something nasty (or highly unusual) is going on, but I have no clue what this might be.
It would be great if someone who is in Tor more deeply than I am could take a look at this. Also, if there is further information available, please tell me.
"Mit dem Wissen wächst der Zweifel. / Doubt grows with knowledge." -- Goethe
Best regards, T. Westerhever
Links:
[1] https://metrics.torproject.org/rs.html#search/family:0FF233C8D78A17B8DB7C825...
[2] https://blog.torservers.net/20180704/coordinated-raids-of-zwiebelfreunde-at-...
[3] https://metrics.torproject.org/rs.html#search/family:B771AA877687F88E6F1CA53...
[4] https://bgp.he.net/
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
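As an added illustration (not code from either poster), the following Python script performs the kind of check the thread describes over Onionoo-style relay records: it sums exit probability per declared family, counts relays per IPv4 /24, and collects the contact strings each family uses, so that a family concentrating a large share of exit probability, or spreading over a single prefix under inconsistent contacts, stands out. The records, fingerprints, addresses and the 10% threshold are constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict
# Constructed sample records shaped like Onionoo "details" documents; fingerprints,
# contacts and addresses (documentation ranges) are made up, not the thread's relays.
def relay(fpr, addr, contact, family, exit_prob):
    return {"fingerprint": fpr, "or_addresses": [addr], "contact": contact,
            "effective_family": ["$" + f for f in family], "exit_probability": exit_prob}

FAM_A = ["A" * 40, "B" * 40, "C" * 40]
RELAYS = [
    relay("A" * 40, "192.0.2.10:443", "abuse@example.net", FAM_A, 0.05),
    relay("B" * 40, "192.0.2.11:443", "abuse@example.net", FAM_A, 0.04),
    relay("C" * 40, "198.51.100.5:9001", "other@example.org", FAM_A, 0.03),
    relay("D" * 40, "198.51.100.6:9001", "solo@example.org", ["D" * 40], 0.02),
]
def prefix24(or_addresses):
    """IPv4 /24 of the first IPv4 OR address ("host:port" or "[v6]:port"), or None."""
    for addr in or_addresses:
        host = addr.rsplit(":", 1)[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if ip.version == 4:
            return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    return None

def family_key(r):
    """Identify a family by its lexically smallest member fingerprint."""
    members = r.get("effective_family") or ["$" + r["fingerprint"]]
    return min(m.lstrip("$") for m in members)

def aggregate(relays):
    """Per family: relay count, summed exit probability, contact strings; per /24: count."""
    fam = defaultdict(lambda: {"count": 0, "exit_probability": 0.0, "contacts": set()})
    per_prefix = defaultdict(int)
    for r in relays:
        entry = fam[family_key(r)]
        entry["count"] += 1
        entry["exit_probability"] += r.get("exit_probability", 0.0)
        entry["contacts"].add(r.get("contact", ""))
        net = prefix24(r.get("or_addresses", []))
        if net:
            per_prefix[net] += 1
    return fam, per_prefix

def flag_families(fam, threshold=0.10):
    """Families whose summed exit probability reaches the threshold (a chosen value)."""
    return {k: round(v["exit_probability"], 4) for k, v in fam.items()
            if v["exit_probability"] >= threshold}
```

Run against a real Onionoo details download, the same functions give the per-family and per-prefix totals that the Metrics relay search shows one family at a time.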