[tor-relays] Torservers relay family decreased? (solved)

niftybunny abuse at to-surf-and-protect.net
Mon Sep 10 16:14:45 UTC 2018


› Hello,
›
› recently, I noticed some strange aspects related to networks
› of Torservers/Zwiebelfreunde. Since there was no way to get any
› further information on this topic so far, I am posting it here.
› Maybe someone can help.

Let's recap this for a moment:

1. Every relay of my family has my e-mail. Write an e-mail and ask. Problem solved.

2. The e-mails are running on a domain, registered by me, make a whois lookup for the domain. Problem solved.

3. The /24 IP space is registered by me. Make a RIPE lookup (or whoever provides IP lookups) and you also have my name. Problem solved.

4. Ask someone from Torservers about me. They gave me the /24 for hosting Tor exits. Problem solved.

5. Take a look at the Tor relay mailing list, I was active there. Problem solved.

6. I am a registered InterExchangeCarrier under German law. Ask the Bundesnetzagentur for my information. Problem solved.

7. The RIPE entries are maintained by F3Netze/Zwiebelfreunde. Ask Tim about me. Problem solved.

8. Write a snail mail letter to my address. Problem solved.

9. Send me a facsimile to my official RIPE abuse records. Problem solved.

and the list goes on and on … Welcome to the Interwebs where people ask who you are ...

To perfectly sum it up:

https://i.imgur.com/20wmhNT.jpg


› (b) Who is the operator behind family B771AA877687F88E6F1CA5354756DF6C8A7B6B24 ?
› There are some /24 IPv4 BGP allocations claiming to belong to the
› umbrella organisation "Zwiebelfreunde e.V.", which operate(d|s)
› the relay family mentioned above.

There is still no family fingerprint. We never claimed to belong to Zwiebelfreunde e.V.
Stop making shit up.


› I will ask further questions about this in (c) .
› 
› However, there is a _huge_ relay family (27 members, with a
› total bandwidth of ~ 1,245 MB) located in 185.220.101.0/24 ,
› which uses Zwiebelfreunde as a contact role and has not been
› changed since 2017-09-08.

No, we do not. 

We are the ADMIN-C and the TECH-C. Zwiebelfreunde is just the MNT-REF.
Look it up for yourself:

https://apps.db.ripe.net/db-web-ui/#/query?bflag&searchtext=185.220.101.0&source=RIPE#resultsSection

It even has a fucking disclaimer on it:

netname:         MK-TOR-EXIT
remarks:         -----------------------------------
remarks:         This network is used for Tor Exits.
remarks:         We do not have any logs at all.
remarks:         For more information please visit:
remarks:         https://www.torproject.org
remarks:         -----------------------------------
remarks:         Dieses Netz hostet nur Tor
remarks:         Exists. Wir haben keinerlei Logs.
remarks:         Mehr Informationen unter:
remarks:         https://www.torproject.org

The (current) owner of the IPs is: https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=ORG-MK113-RIPE&type=organisation

and the abuse contact:

https://apps.db.ripe.net/db-web-ui/#/lookup?source=RIPE&key=ACRO11287-RIPE&type=role

› The relays itself, however, all use <abuse at to-surf-and-protect.net>
› as contact address (which does not seem to be related to
› Zwiebelfreunde at all) and use a description beginning with
› "nifty".

Have you tried to send us an e-mail and ask? No? They are not related to Zwiebelfreunde because we are not Zwiebelfreunde.
And btw, it's Nifty + name of a rodent.
Yes, I know hedgehogs are not rodents. But they are cute too.


› Since most of them have both Guard and Exit flag assigned, I
› figure they are handling a huge consensus weight. 

No. Complete bullshit. The Exit flag indicates that it's an Exit and Guard indicates a longer uptime.
I can make a relay on a wee DSL line with these flags. It does not indicate a huge consensus weight at all.
RTFM!

› Does anybody know the person/organisation behind them?

Yes.

› Are they related to Zwiebelfreunde/Torservers?

Besides the /24, no.


› What is the physical location of the servers (BGP claims DE, but upstream AS200052 uses UK)?

NL

BGP claims DE? BGP is a routing protocol, it claims nothing. It doesn't give a flying shit about countries. It routes packets between different ASes.
Show me the BGP routing table.

› (c) Strange BGP allocations using Zwiebelfreunde as contact role
› At the moment, 9 IPv4 BGP prefixes with a length of /24 are
› known to use a contact role pointing to Zwiebelfreunde [4] .
›
› These are as follows:
› - 37.218.246.0/24	(Upstream AS47172 "Greenhost", claims EU, but is likely NL, 0 Tor relays found)
› - 193.235.207.0/24	(Upstream AS196689 "Digicube", claims EU, but is likely FR, 0 Tor relays found)
› - 192.36.61.0/24	(Upstream AS60781 "Leaseweb", claims EU, but is likely NL, 0 Tor relays found)
› - 192.36.41.0/24	(Upstream AS34305 "BaseIP", claims EU, but is likely NL, 0 Tor relays found)
› - 192.36.27.0/24	(Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
› - 185.220.102.0/24	(Upstream AS60729 "Zwiebelfreunde" !, claims EU, physical location unknown, 0 Tor relays found)
› - 185.220.101.0/24	(Upstream AS200052 "Joshua Peter McQuistan", claims DE, physical location unknown, 27 Tor relays found)

BGP still claims shit. BGP is still a routing protocol. Look at a looking glass server and start reading RFCs.

› What puzzles me here is:
› 1. None of these networks has any Tor relays known (or Metrics
› does not show them), which is strange as Torservers/Zwiebelfreunde
› is more or less dedicated to operate relays.

https://nusenu.github.io/OrNetStats/

https://metrics.torproject.org/rs.html

› 2. The appearing relays solely belong to the strange and huge
› family mentioned in (b) , which cannot be exactly pinpointed to
› be run by Torservers/Zwiebelfreunde.

Yeah, these strange and huge relays have been here for over 3 years, growing.

https://imgur.com/1jwtxHX

Nusenu's Twitter page, https://twitter.com/nusenu_ , you should check it out.


› 3. I suspected the mentioned IP ranges to be fakely allocated,
› but most of them were not changed for more than half a year. Further,
› I never observed any traffic from or to these networks. If anybody
› does, please drop me a line.

Yes! Completely right! You just destroyed our super secret FBI/NSA/BND/MI6 plan to take over the Tor network.
Good job, Sherlock! 


› As of these coincidences, and the observations mentioned in (a)
› and (b), I suspect something nasty (or highly unusual) is going on,
› but I have no clue what this might be.

100% perfect conclusion. Good job, Sherlock!


› It would be great if someone who is in Tor more deeply than I am
› could take a look at this. Also, if there is further information
› available, please tell me.

› "Mit dem Wissen wächst der Zweifel. / Doubt grows with knowledge."
› -- Goethe

https://imgur.com/JG514ja


› Best regards,
› T. Westerhever

Whatever,

niftybunny
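The thread above argues that the operator of a relay family is established from the relay contact field plus the RIPE inetnum roles (admin-c, tech-c, mnt-ref, abuse-c), and that flags say nothing about weight. The script below is an added example, not code from either participant: it parses a constructed Onionoo-style "details" document and a constructed whois record (all handles, fingerprints and weights are placeholders) and reports, for one prefix, the distinct contacts, the summed consensus weight, and whether every member declares every other member in its family.

```python
"""Cross-check who stands behind a Tor prefix from relay data plus the RIPE record.
Added example with constructed inputs; fingerprints, handles and weights are placeholders."""
import ipaddress
import json

# Constructed sample in the shape of an Onionoo /details document (not live data).
ONIONOO_SAMPLE = json.dumps({"relays": [
    {"nickname": "niftyhedgehog", "fingerprint": "A" * 40,
     "or_addresses": ["185.220.101.10:443", "[2001:db8::10]:443"],
     "flags": ["Exit", "Guard", "Running"], "consensus_weight": 9000,
     "contact": "abuse at to-surf-and-protect.net",
     "effective_family": ["$" + "A" * 40, "$" + "B" * 40]},
    {"nickname": "niftyvole", "fingerprint": "B" * 40,
     "or_addresses": ["185.220.101.11:443"],
     "flags": ["Exit", "Running"], "consensus_weight": 4000,
     "contact": "abuse at to-surf-and-protect.net",
     "effective_family": ["$" + "A" * 40, "$" + "B" * 40]},
    {"nickname": "unrelated", "fingerprint": "C" * 40,
     "or_addresses": ["192.0.2.5:9001"],
     "flags": ["Guard", "Running"], "consensus_weight": 500,
     "contact": "someone@example.net", "effective_family": ["$" + "C" * 40]},
]})

# Constructed whois-style inetnum record; only the key names are real RIPE attributes.
RIPE_SAMPLE = """inetnum:   185.220.101.0 - 185.220.101.255
netname:   MK-TOR-EXIT
remarks:   This network is used for Tor Exits.
admin-c:   ADMIN-PLACEHOLDER
tech-c:    TECH-PLACEHOLDER
mnt-ref:   MNTREF-PLACEHOLDER
abuse-c:   ABUSE-PLACEHOLDER
"""

def parse_ripe(text):
    """Turn 'key: value' whois lines into {key: [values]}; repeated keys are kept in order."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec

def summarize_prefix(details_json, prefix):
    """Relays inside prefix: contacts, total consensus weight, and family completeness."""
    net = ipaddress.ip_network(prefix)
    def in_net(addr):  # strip the port; IPv6 ORPorts are written as "[addr]:port"
        return ipaddress.ip_address(addr.rsplit(":", 1)[0].strip("[]")) in net
    relays = [r for r in json.loads(details_json)["relays"] if any(in_net(a) for a in r["or_addresses"])]
    fps = {"$" + r["fingerprint"] for r in relays}
    return {"relays": len(relays),
            "contacts": sorted({r["contact"] for r in relays}),
            "consensus_weight": sum(r["consensus_weight"] for r in relays),
            "family_complete": all(fps <= set(r["effective_family"]) for r in relays)}
```

Point a real Onionoo "details" response and the output of `whois 185.220.101.0` at the same two functions to repeat the check on live data.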


