Hello,

recently, I noticed some strange aspects related to networks
of Torservers/Zwiebelfreunde. Since there was no way to get any
further information on this topic so far, I am posting it here.
Maybe someone can help.

(a) Torservers relay family decreased?
The organisation used to maintain much more relays than their
family [1] currently contains. At the moment, only four relays
located in NL belong to them, while the Metrics page indicates
some orphaned family members.

This coincidences with [2], but I am unaware of any announcements
of Torservers/Zwiebelfreunde itself (i.e. tight financial
situation). Does anybody have further details here?

(b) Who is the operator behind family B771AA877687F88E6F1CA5354756DF6C8A7B6B24 ?
There are some /24 IPv4 BGP allocations claiming to belong to the
umbrella organisation "Zwiebelfreunde e.V.", which operate(d|s)
the relay family mentioned above.

I will ask further questions about this in (c) .

However, there is a _huge_ relay family (27 members, with a
total bandwith of ~ 1,245 MB) located in 185.220.101.0/24 ,
which uses Zwiebelfreunde as a contact role and has not been
changed since 2017-09-08.

The relays itself, however, all use <ab...@to-surf-and-protect.net>
as contact address (which does not seem to be related to
Zwiebelfreunde at all) and use a description beginning with
"nifty".

Since most of them have both Guard and Exit flag assigned, I
figure they are handling a huge consensus weight. Does anybody
know the person/organisation behind them? Are they related to
Zwiebelfreunde/Torservers? What is the physical location of the
servers (BGP claims DE, but upstream AS200052 uses UK)?

(c) Strange BGP allocations using Zwiebelfreunde as contact role
At the moment, 9 IPv4 BGP prefixes with a length of /24 are
known to use a contact role pointing to Zwiebelfreunde [4] .

These are as follows:
- 37.218.246.0/24       (Upstream AS47172 "Greenhost", claims EU, but is likely 
NL, 0 Tor relays found)
- 193.235.207.0/24      (Upstream AS196689 "Digicube", claims EU, but is likely 
FR, 0 Tor relays found)
- 192.36.61.0/24        (Upstream AS60781 "Leaseweb", claims EU, but is likely 
NL, 0 Tor relays found)
- 192.36.41.0/24        (Upstream AS34305 "BaseIP", claims EU, but is likely 
NL, 0 Tor relays found)
- 192.36.27.0/24        (Upstream AS60729 "Zwiebelfreunde" !, claims EU, 
physical location unknown, 0 Tor relays found)
- 185.220.102.0/24      (Upstream AS60729 "Zwiebelfreunde" !, claims EU, 
physical location unknown, 0 Tor relays found)
- 185.220.101.0/24      (Upstream AS200052 "Joshua Peter McQuistan", claims DE, 
physical location unknown, 27 Tor relays found)

What puzzles me here is:
1. None of these networks has any Tor relays known (or Metrics
does not show them), which is strange as Torservers/Zwiebelfreunde
is more or less dedicated to operate relays.

2. The appearing relays solely belong to the strange and huge
family mentioned in (b) , which cannot be exactly pinpointed to
be run by Torservers/Zwiebelfreunde.

3. I suspected the mentioned IP ranges to be fakely allocated,
but most of them were not changed for more than half a year. Further,
I never observed any traffic from or to these networks. If anybody
does, please drop me a line.

4. All for relays which do belong to Torservers are located in
AS43350 ("NForce Entertainment") and do not have their own IPv4
prefix.

***

As of these coincidences, and the observations mentioned in (a)
and (b), I suspect something nasty (or highly unusual) is going on,
but I have no clue what this might be.

It would be great if someone who is in Tor more deeply than I am
could take a look at this. Also, if there is further information
available, please tell me.

"Mit dem Wissen wächst der Zweifel. / Doubt grows with knowledge."
-- Goethe

Best regards,
T. Westerhever

Links:
[1] 
https://metrics.torproject.org/rs.html#search/family:0FF233C8D78A17B8DB7C8257D2E05CD5AA7C6B88
[2] 
https://blog.torservers.net/20180704/coordinated-raids-of-zwiebelfreunde-at-various-locations-in-germany.html
[3] 
https://metrics.torproject.org/rs.html#search/family:B771AA877687F88E6F1CA5354756DF6C8A7B6B24
[4] https://bgp.he.net/
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Reply via email to