> Hello,
>
> recently, I noticed some strange aspects related to networks
> of Torservers/Zwiebelfreunde. Since there was no way to get any
> further information on this topic so far, I am posting it here.
> Maybe someone can help.
Let's recap this for a moment:
1. Every relay of my family has my e-mail. Write an e-mail and ask. Problem solved.
2. The e-mails are running on a domain registered by me. Make a whois lookup for the domain. Problem solved.
3. The /24 IP space is registered by me. Make a RIPE lookup (or whoever provides IP lookup) and you also have my name. Problem solved.
4. Ask someone from Torservers about me. They gave me the /24 for hosting Tor exits. Problem solved.
5. Take a look at the Tor relay mailing list, I was active there. Problem solved.
6. I am a registered InterExchangeCarrier under German law. Ask the Bundesnetzagentur for my information. Problem solved.
7. The RIPE entries are maintained by F3Netze/Zwiebelfreunde. Ask Tim about me. Problem solved.
8. Write a snail mail letter to my address. Problem solved.
9. Send me a facsimile to my official RIPE abuse records. Problem solved.
and the list goes on and on … Welcome to the Interwebs where people ask who you are ...
To perfectly sum it up:
https://i.imgur.com/20wmhNT.jpg
> (b) Who is the operator behind family B771AA877687F88E6F1CA5354756DF6C8A7B6B24 ?
> There are some /24 IPv4 BGP allocations claiming to belong to the
> umbrella organisation "Zwiebelfreunde e.V.", which operate(d|s)
> the relay family mentioned above.
There is still no family fingerprint. We never claimed to belong to Zwiebelfreunde e.V. Stop making shit up.
> I will ask further questions about this in (c) .
>
> However, there is a _huge_ relay family (27 members, with a
> total bandwidth of ~ 1,245 MB) located in 185.220.101.0/24 ,
> which uses Zwiebelfreunde as a contact role and has not been
> changed since 2017-09-08.
No, we do not.
We are the ADMIN-C and the TECH-C. Zwiebelfreunde is just the MNT-REF. Look it up for yourself:
https://apps.db.ripe.net/db-web-ui/#/query?bflag&searchtext=185.220.101....
It even has a fucking disclaimer on it:
netname:        MK-TOR-EXIT
remarks:        -----------------------------------
remarks:        This network is used for Tor Exits.
remarks:        We do not have any logs at all.
remarks:        For more information please visit:
remarks:        https://www.torproject.org
remarks:        -----------------------------------
remarks:        Dieses Netz hostet nur Tor
remarks:        Exists. Wir haben keinerlei Logs.
remarks:        Mehr Informationen unter:
remarks:        https://www.torproject.org
The (current) owner of the IPs is: https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=ORG-MK113-RI...
and the abuse contact:
https://apps.db.ripe.net/db-web-ui/#/lookup?source=RIPE&key=ACRO11287-RI...
> The relays itself, however, all use <abuse at to-surf-and-protect.net>
> as contact address (which does not seem to be related to
> Zwiebelfreunde at all) and use a description beginning with
> "nifty".
Have you tried to send us an e-mail and ask? No? They are not related to Zwiebelfreunde because we are not Zwiebelfreunde. And btw, it's Nifty + name of a rodent. Yes, I know hedgehogs are not rodents. But they are cute too.
> Since most of them have both Guard and Exit flag assigned, I
> figure they are handling a huge consensus weight.
No. Complete bullshit. The Exit flag indicates that it's an Exit and the Guard flag indicates a longer uptime. I can make a relay on a wee DSL line with these flags. It does not indicate a huge consensus weight at all. RTFM!
> Does anybody know the person/organisation behind them?
Yes.
> Are they related to Zwiebelfreunde/Torservers?
Besides the /24, no.
> What is the physical location of the servers (BGP claims DE, but upstream AS200052 uses UK)?
NL
BGP claims DE? BGP is a routing protocol, it claims nothing. It doesn't give a flying shit about countries. It routes packets between different ASes. Show me the BGP routing table.
> (c) Strange BGP allocations using Zwiebelfreunde as contact role
> At the moment, 9 IPv4 BGP prefixes with a length of /24 are
> known to use a contact role pointing to Zwiebelfreunde [4] .
>
> These are as follows:
> - 37.218.246.0/24 (Upstream AS47172 "Greenhost", claims EU, but is likely NL, 0 Tor relays found)
> - 193.235.207.0/24 (Upstream AS196689 "Digicube", claims EU, but is likely FR, 0 Tor relays found)
> - 192.36.61.0/24 (Upstream AS60781 "Leaseweb", claims EU, but is likely NL, 0 Tor relays found)
> - 192.36.41.0/24 (Upstream AS34305 "BaseIP", claims EU, but is likely NL, 0 Tor relays found)
> - 192.36.27.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
> - 185.220.102.0/24 (Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
> - 185.220.101.0/24 (Upstream AS200052 "Joshua Peter McQuistan", claims DE, physical location unknown, 27 Tor relays found)
BGP still claims shit. BGP is still a routing protocol. Look at a looking glass server and start reading RFCs.
> What puzzles me here is:
> 1. None of these networks has any Tor relays known (or Metrics
> does not show them), which is strange as Torservers/Zwiebelfreunde
> is more or less dedicated to operate relays.
https://nusenu.github.io/OrNetStats/
https://metrics.torproject.org/rs.html
> 2. The appearing relays solely belong to the strange and huge
> family mentioned in (b) , which cannot be exactly pinpointed to
> be run by Torservers/Zwiebelfreunde.
Yeah, these strange and huge relays are here for over 3 years, growing.
Nusenu twitter page, https://twitter.com/nusenu_ , you should check it out.
> 3. I suspected the mentioned IP ranges to be fakely allocated,
> but most of them were not changed for more than half a year. Further,
> I never observed any traffic from or to these networks. If anybody
> does, please drop me a line.
Yes! Completely right! You just destroyed our super secret FBI/NSA/BND/MI6 plan to take over the Tor network. Good job, Sherlock!
> As of these coincidences, and the observations mentioned in (a)
> and (b), I suspect something nasty (or highly unusual) is going on,
> but I have no clue what this might be.
100% perfect conclusion. Good job, Sherlock!
> It would be great if someone who is in Tor more deeply than I am
> could take a look at this. Also, if there is further information
> available, please tell me.
› "Mit dem Wissen wächst der Zweifel. / Doubt grows with knowledge." › -- Goethe
> Best regards,
> T. Westerhever
Whatever,
niftybunny
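The thread above turns on three things a relay operator can check from public metadata: who a relay's ContactInfo points to, whether family declarations are actually mutual (an effective family only exists when every member lists every other member), and the fact that the Guard and Exit flags say nothing about consensus weight. The script below is an added example and not code from this mailing list post or from either poster. It works on a document shaped like Onionoo's /details output (nickname, fingerprint, flags, consensus_weight_fraction, contact, as, country are real Onionoo field names); the `declared_family` field is an assumption that mirrors the `family` line of a server descriptor, and every relay, fingerprint, contact and AS number in `SAMPLE_DETAILS` is constructed for the example.

```python
"""Operator-transparency checks over Onionoo-style relay metadata (constructed data)."""
import json
import re
from collections import defaultdict

# Constructed placeholder fingerprints; real ones are 40 hex characters.
FP_A, FP_B, FP_C, FP_D = "A" * 40, "B" * 40, "C" * 40, "D" * 40
CONTACT_OPS = "abuse at example.org - Example Exit Ops"   # constructed ContactInfo

# Constructed sample shaped like Onionoo /details; "declared_family" is an assumed
# field standing in for the descriptor's "family" line (fingerprints the relay lists).
SAMPLE_DETAILS = json.dumps({"relays": [
    {"nickname": "NiftyHedgehog", "fingerprint": FP_A, "flags": ["Exit", "Fast", "Guard", "Running"],
     "consensus_weight_fraction": 0.004, "contact": CONTACT_OPS,
     "declared_family": [FP_B, FP_C], "as": "AS64496", "country": "nl"},
    {"nickname": "NiftyCapybara", "fingerprint": FP_B, "flags": ["Exit", "Fast", "Guard", "Running"],
     "consensus_weight_fraction": 0.003, "contact": CONTACT_OPS,
     "declared_family": [FP_A, FP_C], "as": "AS64496", "country": "nl"},
    {"nickname": "NiftyChinchilla", "fingerprint": FP_C, "flags": ["Exit", "Fast", "Running"],
     "consensus_weight_fraction": 0.002, "contact": CONTACT_OPS,
     "declared_family": [FP_A], "as": "AS64496", "country": "nl"},   # forgot to list B
    {"nickname": "WeeDSLGuardExit", "fingerprint": FP_D, "flags": ["Exit", "Guard", "Running"],
     "consensus_weight_fraction": 0.00002, "contact": "someone@example.com",
     "declared_family": [], "as": "AS64497", "country": "de"},
]})

# Matches "user@domain" as well as the common "user at domain" obfuscation.
EMAIL_RE = re.compile(r"[\w.+-]+\s*(?:@|\(at\)|\[at\]|\bat\b)\s*([\w-]+(?:\.[\w-]+)+)", re.I)


def load_relays(text):
    return json.loads(text)["relays"]


def contact_domains(contact):
    """Domains named in a ContactInfo string; these are what a whois lookup starts from."""
    return sorted({m.group(1).lower() for m in EMAIL_RE.finditer(contact or "")})


def summarize_by_contact(relays):
    """Per-contact relay count, summed consensus weight share, ASes and contact domains."""
    out = defaultdict(lambda: {"relays": 0, "weight_fraction": 0.0, "asns": set(), "domains": set()})
    for r in relays:
        contact = r.get("contact") or "<none>"
        s = out[contact]
        s["relays"] += 1
        s["weight_fraction"] += r.get("consensus_weight_fraction", 0.0)
        s["asns"].add(r.get("as", "unknown"))
        s["domains"].update(contact_domains(contact))
    return dict(out)


def guard_exit_but_light(relays, threshold=0.0005):
    """Relays carrying both Guard and Exit whose weight share is tiny: the flags alone
    do not imply a large consensus weight."""
    return [r["nickname"] for r in relays
            if {"Guard", "Exit"} <= set(r.get("flags", []))
            and r.get("consensus_weight_fraction", 0.0) < threshold]


def effective_family(relays):
    """Mutual family: X and Y belong together only if each declares the other."""
    declared = {r["fingerprint"]: set(r.get("declared_family", [])) for r in relays}
    return {fp: sorted(m for m in members if m in declared and fp in declared[m])
            for fp, members in declared.items()}


def one_sided_declarations(relays):
    """Family entries that are not reciprocated (the relay is not in the other's list)."""
    declared = {r["fingerprint"]: set(r.get("declared_family", [])) for r in relays}
    result = {}
    for fp, members in declared.items():
        unreciprocated = sorted(m for m in members if fp not in declared.get(m, set()))
        if unreciprocated:
            result[fp] = unreciprocated
    return result


if __name__ == "__main__":
    relays = load_relays(SAMPLE_DETAILS)
    for contact, s in summarize_by_contact(relays).items():
        print(f"{contact!r}: {s['relays']} relays, {s['weight_fraction']:.5f} of consensus weight,"
              f" AS {sorted(s['asns'])}, domains {sorted(s['domains'])}")
    print("Guard+Exit with negligible weight:", guard_exit_but_light(relays))
    print("one-sided family declarations:", one_sided_declarations(relays))
```

Running it stand-alone prints the grouped summary, flags the Guard+Exit relay with negligible weight, and reports that relay B's family line names C while C does not name B back, which is exactly why B and C would not form an effective family in the consensus.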