Message-ID: <553963B2.7040000@openmailbox.org>
Date: Thu, 23 Apr 2015 21:27:14 +0000
From: nusenu <nusenu@openmailbox.org>
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <55209980.9060501@openmailbox.org>
In-Reply-To: <55209980.9060501@openmailbox.org>
Subject: Re: [tor-talk] Analyzing the (little) spike in relays on 2015-04-01
 (Family@Choopa LLC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> by looking at https://metrics.torproject.org/platforms.html 
> https://metrics.torproject.org/versions.html I noticed a little
> spike in relays at the beginning of the month (actually I was
> visiting metrics to see if some ticket made progress ;)
> 
> On 2015-04-01 someone (it was likely a single entity) signed up 20 
> exits @ Choopa LLC. If you go back in time on that AS you find
> similar events. So this potential entity might run 40 exits. If you
> condense all properties and do not restrict your search to the 
> Choopa AS (AS20473) the potential operator likely runs 55 exits.
> 
> Fun part: Maxmind had no AS info on some IPs (4) that are also part
> of AS20473, so they got filtered out in the first result set where
> I only looked into AS20473 (40 relays), but these relays found
> their way back into the result set (55 relays) on the next
> iteration due to other similarities. So I'm pretty confident in the
> linkability of these exit relays.
> 
> Details: 
> https://raw.githubusercontent.com/nusenu/misc-files/master/finding_the_hidden_choopa_family.txt
>
> 
> 
> Common properties: (ordered from more to less significant property)
> 
> - *last_restarted*
> - first_seen (in groups)
> - DirPort (auto)
> - Nickname (not matching but similar naming style)
> - exit policy
> - no declared family
> - ORPort
> - two instances per IP
> - no contactInfo
> - tor version

Four days after I sent this email the dirport changed on almost all
the listed relays from auto (a quite unique property) to 0
(probably after the operator read this email).


also relevant for this thread
https://lists.torproject.org/pipermail/tor-talk/2015-April/037549.html


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
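
The effect described in the quoted message, where relays without AS data dropped out of an AS-only search but came back through other shared properties, shown as an added sketch (not part of the original message and not the author's tooling). Field names follow Onionoo "details" documents; the records, the 120-second restart window and the minimum cluster size are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

def _relay(nick, addr, asn, restarted, contact=None):
    # Constructed record using Onionoo "details" field names.
    return {"nickname": nick, "or_addresses": [addr], "as_number": asn,
            "last_restarted": restarted, "contact": contact, "family": [],
            "platform": "Tor 0.2.5.11 on Linux"}

# Constructed sample set (documentation IPs and ASNs, made-up nicknames).
RELAYS = [
    _relay("alpha01", "192.0.2.10:443", "AS64500", "2015-04-01 10:00:05"),
    _relay("alpha02", "192.0.2.10:444", "AS64500", "2015-04-01 10:00:20"),
    _relay("alpha03", "198.51.100.7:443", None, "2015-04-01 10:00:40"),  # no AS data
    _relay("loner", "203.0.113.5:443", "AS64501", "2015-03-20 08:15:00"),
    _relay("named", "203.0.113.9:9001", "AS64500", "2015-04-01 10:00:30",
           contact="admin@example.org"),
]

def as_filter(relays, asn):
    """Naive first pass: keep only relays the GeoIP data maps to one AS."""
    return sorted(r["nickname"] for r in relays if r["as_number"] == asn)

def profile(r):
    """Operator-chosen properties that need no AS lookup."""
    return (not r["contact"], not r["family"], r["platform"])

def link_candidates(relays, window_s=120, min_size=3):
    """Cluster relays sharing a profile whose restarts chain within window_s."""
    by_profile = defaultdict(list)
    for r in relays:
        ts = datetime.strptime(r["last_restarted"], "%Y-%m-%d %H:%M:%S")
        by_profile[profile(r)].append((ts, r["nickname"]))
    clusters = []
    for members in by_profile.values():
        members.sort()
        current = [members[0]]
        for prev, nxt in zip(members, members[1:]):
            if (nxt[0] - prev[0]).total_seconds() <= window_s:
                current.append(nxt)
            else:
                clusters.append(current)
                current = [nxt]
        clusters.append(current)
    return [sorted(n for _, n in c) for c in clusters if len(c) >= min_size]

if __name__ == "__main__":
    print("AS filter only:  ", as_filter(RELAYS, "AS64500"))
    print("property linkage:", link_candidates(RELAYS))
```

On this sample the AS filter misses `alpha03` and pulls in the unrelated `named`, while the property-based pass groups the three `alpha` relays regardless of the missing AS field.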