Message-ID: <55209980.9060501@openmailbox.org>
Date: Sun, 05 Apr 2015 02:10:08 +0000
From: Nusenu <nusenu@openmailbox.org>
MIME-Version: 1.0
To: "tor-talk@lists.torproject.org" <tor-talk@lists.torproject.org>
Subject: [tor-talk] Analyzing the (little) spike in relays on 2015-04-01
 (Family@Choopa LLC)

Hi,

by looking at
https://metrics.torproject.org/platforms.html
https://metrics.torproject.org/versions.html
I noticed a little spike in relays at the beginning of the month
(actually I was visiting metrics to see if some ticket made progress ;)

On 2015-04-01 someone (it was likely a single entity) signed up 20
exits @ Choopa LLC. If you go back in time on that AS you find similar
events. So this potential entity might run 40 exits.
If you condense all properties and do not restrict your search to the
Choopa AS (AS20473) the potential operator likely runs 55 exits.

Fun part: Maxmind had no AS info on some IPs (4) that are also part of
AS20473, so they got filtered out in the first result set where I only
looked into AS20473 (40 relays), but these relays found their way back
into the result set (55 relays) on the next iteration due to other
similarities. So I'm pretty confident in the linkability of these exit
relays.

Details:
https://raw.githubusercontent.com/nusenu/misc-files/master/finding_the_hidden_choopa_family.txt


Common properties:
(ordered from more to less significant property)

- *last_restarted*
- first_seen (in groups)
- DirPort (auto)
- Nickname (not matching but similar naming style)
- exit policy
- no declared family
- ORPort
- two instances per IP
- no contactInfo
- tor version
- os

Can someone make some sense out of these nicknames?

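Added example, not part of the original post and not the author's tooling: a two-pass linking sketch showing how relays with no AS information drop out of an AS-filtered set and return once every relay is scored against the shared properties listed above. The field names, weights, threshold and relay records are all constructed assumptions.

```python
from collections import Counter

# Properties named in the post, most to least significant; the weights are assumed.
WEIGHTS = {"last_restarted": 5, "first_seen": 4, "dir_port": 3, "exit_policy": 3,
           "family": 2, "or_port": 2, "contact": 2, "version": 1, "os": 1}

def norm(prop, value):
    """Bucket timestamps so relays started together compare equal."""
    if prop == "last_restarted":
        return value[:13]   # same hour
    if prop == "first_seen":
        return value[:10]   # same day, which keeps the "groups" apart
    return value

def profile(seed):
    """Per property, the values shared by at least two seed relays."""
    prof = {}
    for prop in WEIGHTS:
        counts = Counter(norm(prop, r[prop]) for r in seed)
        prof[prop] = {v for v, n in counts.items() if n >= 2}
    return prof

def score(relay, prof):
    return sum(w for p, w in WEIGHTS.items() if norm(p, relay[p]) in prof[p])

def link(relays, asn, threshold=15):
    """Pass 1 profiles the relays in `asn`; pass 2 scores every relay, any AS."""
    prof = profile([r for r in relays if r["as"] == asn])
    hits = [r for r in relays if score(r, prof) >= threshold]
    in_as = sorted(r["nickname"] for r in hits if r["as"] == asn)
    return in_as, sorted(r["nickname"] for r in hits)

def mk(nick, asn, restarted, seen, **over):
    r = {"nickname": nick, "as": asn, "last_restarted": restarted, "first_seen": seen,
         "dir_port": 9030, "or_port": 9001, "exit_policy": "accept 80,443",
         "family": None, "contact": None, "version": "0.2.5.11", "os": "Linux"}
    r.update(over)
    return r

# Constructed sample data, not real relays. "as" is None where the GeoIP
# database has no AS entry for the relay's address.
RELAYS = [
    mk("aaa01", "AS20473", "2015-04-01 10:02:11", "2015-04-01 10:30:00"),
    mk("aaa02", "AS20473", "2015-04-01 10:02:40", "2015-04-01 10:30:00"),
    mk("aaa03", "AS20473", "2015-04-01 10:05:09", "2015-03-10 09:00:00"),
    mk("aaa04", "AS20473", "2015-04-01 10:05:30", "2015-03-10 09:00:00"),
    mk("aaa05", None, "2015-04-01 10:03:00", "2015-04-01 10:31:00"),
    mk("other1", "AS20473", "2015-02-20 08:00:00", "2014-11-02 00:00:00",
       dir_port=80, or_port=443, exit_policy="reject *", family="$F",
       contact="op@example.org"),
    mk("far1", "AS64500", "2015-01-05 12:00:00", "2013-06-01 00:00:00",
       dir_port=80, contact="x@example.org"),
]
```

Calling `link(RELAYS, "AS20473")` returns the AS-restricted set and the full set; the relay without AS data appears only in the second.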