[tor-talk] Analyzing the (little) spike in relays on 2015-04-01 (Family at Choopa LLC)

Nusenu nusenu at openmailbox.org
Sun Apr 5 02:10:08 UTC 2015


Hi,

by looking at
https://metrics.torproject.org/platforms.html
https://metrics.torproject.org/versions.html
I noticed a little spike in relays at the beginning of the month
(actually I was visiting metrics to see if some ticket made progress ;)

On 2015-04-01 someone (it was likely a single entity) signed up 20
exits @ Choopa LLC. If you go back in time on that AS you find similar
events. So this potential entity might run 40 exits.
If you condense all properties and do not restrict your search to the
Choopa AS (AS20473) the potential operator likely runs 55 exits.

Fun part: Maxmind had no AS info on some IPs (4) that are also part of
AS20473, so they got filtered out in the first result set where I only
looked into AS20473 (40 relays), but these relays found their way back
into the result set (55 relays) on the next iteration due to other
similarities. So I'm pretty confident in the linkability of these exit
relays.

Details:
https://raw.githubusercontent.com/nusenu/misc-files/master/finding_the_hidden_choopa_family.txt


Common properties:
(ordered from more to less significant property)

- *last_restarted*
- first_seen (in groups)
- DirPort (auto)
- Nickname (not matching but similar naming style)
- exit policy
- no declared family
- ORPort
- two instances per IP
- no contactInfo
- tor version
- os

Can someone make some sense out of these nicknames?











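The kind of grouping this post describes, as an added example (not Nusenu's script or data): relays are bucketed by the listed static properties and then split wherever `last_restarted` jumps, without filtering on AS, so a relay with missing AS info still joins its cluster. Field names, sample records and the two-minute gap are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(nick, ip, asn, restarted, contact=None, family=(),
        or_port=443, dir_port=9030, version="0.2.5.11", os="Linux"):
    """Build one relay record; field names are assumptions, not a real API."""
    return dict(nick=nick, ip=ip, asn=asn, contact=contact, family=list(family),
                last_restarted=datetime.strptime(restarted, "%Y-%m-%d %H:%M:%S"),
                or_port=or_port, dir_port=dir_port, version=version, os=os)

# Constructed sample data: documentation IP ranges, made-up nicknames and times.
RELAYS = [
    rec("aaa1", "192.0.2.10", "AS20473", "2015-04-01 10:00:05"),
    rec("aaa2", "192.0.2.11", "AS20473", "2015-04-01 10:00:40"),
    rec("aaa3", "192.0.2.12", None, "2015-04-01 10:01:10"),  # GeoIP has no AS info
    rec("bbb1", "198.51.100.7", "AS64500", "2015-04-01 10:00:50",
        contact="admin@example.org"),                         # declares a contact
    rec("ccc1", "203.0.113.5", "AS64501", "2015-03-20 08:00:00"),  # old restart
    rec("ddd1", "192.0.2.13", "AS20473", "2015-04-01 10:01:30",
        version="0.2.6.6"),                                   # different tor version
]

def find_clusters(relays, max_gap=timedelta(minutes=2), min_size=2):
    """Group relays sharing static properties and near-identical restart times.

    The AS is deliberately not part of the key, so relays whose AS lookup
    failed are still linked through their other similarities.
    """
    buckets = defaultdict(list)
    for r in relays:
        key = (r["or_port"], r["dir_port"], r["version"], r["os"],
               r["contact"], bool(r["family"]))
        buckets[key].append(r)

    clusters = []
    for group in buckets.values():
        group.sort(key=lambda r: r["last_restarted"])
        current = [group[0]]
        for prev, cur in zip(group, group[1:]):
            # A large jump in restart time starts a new candidate cluster.
            if cur["last_restarted"] - prev["last_restarted"] > max_gap:
                if len(current) >= min_size:
                    clusters.append(current)
                current = []
            current.append(cur)
        if len(current) >= min_size:
            clusters.append(current)
    return clusters

if __name__ == "__main__":
    for c in find_clusters(RELAYS):
        print([(r["nick"], r["asn"]) for r in c])
```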