[tor-relays] Torservers relay family decreased?

Paul pa011 at web.de
Sat Sep 8 20:19:00 UTC 2018


Hello Tobias,

I am glad that somebody else took notice, and I agree in suspecting that
something nasty (or highly unusual) is going on. There was a discussion
about that in Berlin in July already
https://trac.torproject.org/projects/tor/wiki/org/meetings/BerlinRelayOperatorsMeetupJul18
but no public follow-up since then.

There seems to be a private person who is holding this family
https://metrics.torproject.org/rs.html#search/family:1084200B44021D308EA4253F256794671B1D099A
and who ran between 10 and 15% exit probability in the last six months, which I
personally judge as far too high for a single person, or even an entity.
More information can be found here: https://apility.io/search/185.220.101.20

The person got invited to the second meeting in Berlin, but didn't show
up to explain.

"Die Zeit bringt Rat. Erwartet's in Geduld! / Time brings counsel. Await it in patience!"
-- Schiller

Regards
Paul


Tobias Westerhever:
> Hello,
> 
> recently, I noticed some strange aspects related to networks
> of Torservers/Zwiebelfreunde. Since there was no way to get any
> further information on this topic so far, I am posting it here.
> Maybe someone can help.
> 
> (a) Torservers relay family decreased?
> The organisation used to maintain many more relays than their
> family [1] currently contains. At the moment, only four relays
> located in NL belong to them, while the Metrics page indicates
> some orphaned family members.
> 
> This coincides with [2], but I am unaware of any announcements
> of Torservers/Zwiebelfreunde itself (i.e. tight financial
> situation). Does anybody have further details here?
> 
> (b) Who is the operator behind family B771AA877687F88E6F1CA5354756DF6C8A7B6B24 ?
> There are some /24 IPv4 BGP allocations claiming to belong to the
> umbrella organisation "Zwiebelfreunde e.V.", which operate(d|s)
> the relay family mentioned above.
> 
> I will ask further questions about this in (c) .
> 
> However, there is a _huge_ relay family (27 members, with a
> total bandwidth of ~ 1,245 MB) located in 185.220.101.0/24 ,
> which uses Zwiebelfreunde as a contact role and has not been
> changed since 2017-09-08.
> 
> The relays themselves, however, all use <abuse at to-surf-and-protect.net>
> as contact address (which does not seem to be related to
> Zwiebelfreunde at all) and use a description beginning with
> "nifty".
> 
> Since most of them have both Guard and Exit flag assigned, I
> figure they are handling a huge consensus weight. Does anybody
> know the person/organisation behind them? Are they related to
> Zwiebelfreunde/Torservers? What is the physical location of the
> servers (BGP claims DE, but upstream AS200052 uses UK)?
> 
> (c) Strange BGP allocations using Zwiebelfreunde as contact role
> At the moment, 9 IPv4 BGP prefixes with a length of /24 are
> known to use a contact role pointing to Zwiebelfreunde [4] .
> 
> These are as follows:
> - 37.218.246.0/24	(Upstream AS47172 "Greenhost", claims EU, but is likely NL, 0 Tor relays found)
> - 193.235.207.0/24	(Upstream AS196689 "Digicube", claims EU, but is likely FR, 0 Tor relays found)
> - 192.36.61.0/24	(Upstream AS60781 "Leaseweb", claims EU, but is likely NL, 0 Tor relays found)
> - 192.36.41.0/24	(Upstream AS34305 "BaseIP", claims EU, but is likely NL, 0 Tor relays found)
> - 192.36.27.0/24	(Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
> - 185.220.102.0/24	(Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
> - 185.220.101.0/24	(Upstream AS200052 "Joshua Peter McQuistan", claims DE, physical location unknown, 27 Tor relays found)
> 
> What puzzles me here is:
> 1. None of these networks has any Tor relays known (or Metrics
> does not show them), which is strange as Torservers/Zwiebelfreunde
> is more or less dedicated to operate relays.
> 
> 2. The relays that do appear solely belong to the strange and huge
> family mentioned in (b), which cannot be exactly pinpointed to
> be run by Torservers/Zwiebelfreunde.
> 
> 3. I suspected the mentioned IP ranges to be falsely allocated,
> but most of them were not changed for more than half a year. Further,
> I never observed any traffic from or to these networks. If anybody
> does, please drop me a line.
> 
> 4. All four relays which do belong to Torservers are located in
> AS43350 ("NForce Entertainment") and do not have their own IPv4
> prefix.
> 
> ***
> 
> Given these coincidences, and the observations mentioned in (a)
> and (b), I suspect something nasty (or highly unusual) is going on,
> but I have no clue what this might be.
> 
> It would be great if someone who is in Tor more deeply than I am
> could take a look at this. Also, if there is further information
> available, please tell me.
> 
> "Mit dem Wissen wächst der Zweifel. / Doubt grows with knowledge."
> -- Goethe
> 
> Best regards,
> T. Westerhever
> 
> Links:
> [1] https://metrics.torproject.org/rs.html#search/family:0FF233C8D78A17B8DB7C8257D2E05CD5AA7C6B88
> [2] https://blog.torservers.net/20180704/coordinated-raids-of-zwiebelfreunde-at-various-locations-in-germany.html
> [3] https://metrics.torproject.org/rs.html#search/family:B771AA877687F88E6F1CA5354756DF6C8A7B6B24
> [4] https://bgp.he.net/
> 
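The checks the thread is doing by hand on Tor Metrics (how many relays a family has, how much exit and guard probability it sums to, which contact and /24 prefixes it spans, and which "orphaned" members declare a family that does not declare them back) can be scripted against Onionoo-style relay records. The following is an added example written for this page, not code from the thread, from Tor Metrics or from Onionoo; the relay records are constructed in the shape of Onionoo "details" objects, and every fingerprint, address, contact and probability in them is invented. The 10% exit-probability threshold is taken from Paul's "10-15%" figure above and is an assumption, not a Tor project policy.

```python
"""Sum Tor relay weight per family and spot one-sided MyFamily claims.

Added example; not code from the tor-relays thread, Tor Metrics or Onionoo.
Records mimic Onionoo "details" fields, but every value is constructed.
"""
from ipaddress import ip_network


def fp(tag):
    """Constructed 40-hex-char stand-in fingerprint built from a 2-char tag."""
    return tag * 20


def relay(tag, family, exit_p, guard_p, contact, *addrs):
    """Build one constructed relay record in Onionoo 'details' shape."""
    return {"fingerprint": fp(tag), "family": ["$" + fp(t) for t in family],
            "exit_probability": exit_p, "guard_probability": guard_p,
            "contact": contact, "or_addresses": list(addrs)}


# Constructed sample: A1-A3 declare each other (a real family); B1 lists A1
# but is not listed back (a one-sided, "orphaned" claim); C1/C2 are mutual.
SAMPLE_RELAYS = [
    relay("A1", ["A2", "A3"], 0.04, 0.02, "abuse at example.net", "192.0.2.10:443"),
    relay("A2", ["A1", "A3"], 0.05, 0.03, "abuse at example.net", "192.0.2.11:443"),
    relay("A3", ["A1", "A2"], 0.03, 0.01, "abuse at example.net", "192.0.2.12:443"),
    relay("B1", ["A1"], 0.0, 0.0, "ops at example.org",
          "198.51.100.5:9001", "[2001:db8::5]:9001"),
    relay("C1", ["C2"], 0.01, 0.005, "tor at example.com", "203.0.113.7:9001"),
    relay("C2", ["C1"], 0.01, 0.005, "tor at example.com", "203.0.113.8:9001"),
]


def declared_family(r):
    """Fingerprints a relay lists in MyFamily, without the leading '$'."""
    return {f.lstrip("$").upper() for f in r.get("family", [])}


def split_family(relays):
    """Return (mutual, one_sided) keyed by fingerprint.

    mutual[me] = fingerprints that list me back (me included); one_sided[me] =
    fingerprints me lists that do not list me back or are not in the input.
    Tor only honours the mutual part when building paths.
    """
    declared = {r["fingerprint"].upper(): declared_family(r) for r in relays}
    mutual, one_sided = {}, {}
    for me, listed in declared.items():
        back = {o for o in listed if me in declared.get(o, set())}
        mutual[me] = frozenset(back | {me})
        one_sided[me] = frozenset(listed - back)
    return mutual, one_sided


def family_components(mutual):
    """Connected components of the mutual-declaration graph, one per family."""
    seen, components = set(), []
    for start in mutual:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            cur = stack.pop()
            if cur in component:
                continue
            component.add(cur)
            stack.extend(mutual[cur] - component)
        seen |= component
        components.append(frozenset(component))
    return components


def slash24(or_address):
    """/24 of an IPv4 'host:port' or_address; None for '[v6]:port' entries."""
    if or_address.startswith("["):
        return None
    host = or_address.rsplit(":", 1)[0]
    return str(ip_network(host + "/24", strict=False))


def family_report(relays, exit_threshold=0.10):
    """Per-family totals (sorted by exit probability, descending) plus the
    one-sided claims. exit_threshold (assumed, from the thread's 10-15%) marks
    a family as 'concentrated'."""
    by_fp = {r["fingerprint"].upper(): r for r in relays}
    mutual, one_sided = split_family(relays)
    families = []
    for component in family_components(mutual):
        members = [by_fp[f] for f in component]
        exit_p = sum(m.get("exit_probability", 0.0) for m in members)
        guard_p = sum(m.get("guard_probability", 0.0) for m in members)
        prefixes = {slash24(a) for m in members for a in m.get("or_addresses", [])}
        prefixes.discard(None)
        families.append({
            "fingerprints": sorted(component), "members": len(members),
            "exit_probability": round(exit_p, 6),
            "guard_probability": round(guard_p, 6),
            "contacts": sorted({m.get("contact", "") for m in members}),
            "prefixes": sorted(prefixes),
            "concentrated": exit_p >= exit_threshold,
        })
    families.sort(key=lambda f: f["exit_probability"], reverse=True)
    return families, {k: sorted(v) for k, v in one_sided.items() if v}


if __name__ == "__main__":
    report, orphans = family_report(SAMPLE_RELAYS)
    for fam in report:
        print(f"{fam['members']:>3} relays exit={fam['exit_probability']:.3f} "
              f"guard={fam['guard_probability']:.3f} {fam['prefixes']} "
              f"{'CONCENTRATED' if fam['concentrated'] else ''}")
    print("one-sided claims:", {k[:8]: [c[:8] for c in v] for k, v in orphans.items()})
```

Families are formed from mutual declarations only, because that is what tor's path selection honours; a relay that lists a family without being listed back shows up in the one-sided map, which is the "orphaned family member" situation Tobias describes. To run this against live data, replace SAMPLE_RELAYS with the "relays" array of an Onionoo details document; the field names used here are the ones that document carries.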