[tor-talk] Analyzing the (little) spike in relays on 2015-04-01 (Family at Choopa LLC)

nusenu nusenu at openmailbox.org
Thu Apr 23 21:27:14 UTC 2015



> by looking at https://metrics.torproject.org/platforms.html 
> https://metrics.torproject.org/versions.html I noticed a little
> spike in relays at the beginning of the month (actually I was
> visiting metrics to see if some ticket made progress ;)
> 
> On 2015-04-01 someone (it was likely a single entity) signed up 20 
> exits @ Choopa LLC. If you go back in time on that AS you find
> similar events. So this potential entity might run 40 exits. If you
> condense all properties and do not restrict your search to the 
> Choopa AS (AS20473) the potential operator likely runs 55 exits.
> 
> Fun part: Maxmind had no AS info on some IPs (4) that are also part
> of AS20473, so they got filtered out in the first result set where
> I only looked into AS20473 (40 relays), but these relays found
> their way back into the result set (55 relays) on the next
> iteration due to other similarities. So I'm pretty confident in the
> linkability of these exit relays.
> 
> Details: 
> https://raw.githubusercontent.com/nusenu/misc-files/master/finding_the_hidden_choopa_family.txt
>
> 
> 
> Common properties: (ordered from more to less significant
> property)
> 
> - *last_restarted*
> - first_seen (in groups)
> - DirPort (auto)
> - Nickname (not matching but similar naming style)
> - exit policy
> - no declared family
> - ORPort
> - two instances per IP
> - no contactInfo
> - tor version

Four days after I sent this email the dirport changed on almost all
the listed relays from auto (quite unique property) to 0
(probably after the operator read this email)


also relevant for this thread
https://lists.torproject.org/pipermail/tor-talk/2015-April/037549.html
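
The iteration described in the quoted message (seed on one AS, then match on other shared properties so relays with missing AS data are pulled back in), as an added Python example that is not part of the original message and not nusenu's tooling. The records, field names, weights and threshold are constructed assumptions; only AS20473 comes from the message.

```python
from collections import Counter

# Assumed weights, loosely following the "more to less significant" ordering.
# "No family" and "no contact" are common network-wide, so they weigh little.
WEIGHTS = {"restarted": 3, "first_seen": 2, "dirport": 2, "family": 1, "contact": 1}
FIELDS = ("nick", "asn", *WEIGHTS)

# Constructed sample relays (not real data). asn=None models a failed AS lookup.
ROWS = [
    ("exitA1", "AS20473", "2015-04-01T10", "2015-04-01", "auto", None, None),
    ("exitA2", "AS20473", "2015-04-01T10", "2015-04-01", "auto", None, None),
    ("exitA3", "AS20473", "2015-04-01T10", "2015-03-02", "auto", None, None),
    ("exitA4", None,      "2015-04-01T10", "2015-04-01", "auto", None, None),
    ("other1", "AS20473", "2015-02-11T03", "2014-09-30", "9030", "fam", "op@example.org"),
    ("other2", "AS64500", "2015-03-20T17", "2015-01-05", "9030", None, None),
]
RELAYS = [dict(zip(FIELDS, row)) for row in ROWS]


def profile(cluster):
    """Per property, the values shared by at least two relays in the cluster."""
    return {p: {v for v, n in Counter(r[p] for r in cluster).items() if n >= 2}
            for p in WEIGHTS}


def score(relay, prof):
    """Sum of weights for the properties where the relay matches the profile."""
    return sum(w for p, w in WEIGHTS.items() if relay[p] in prof[p])


def link(relays, asn, threshold=7):
    """Seed on one AS, then re-scan all relays regardless of AS until stable."""
    seed = [r for r in relays if r["asn"] == asn]
    prof = profile(seed)
    cluster = {r["nick"] for r in seed if score(r, prof) >= threshold}
    while True:
        prof = profile([r for r in relays if r["nick"] in cluster])
        grown = {r["nick"] for r in relays if score(r, prof) >= threshold}
        if grown <= cluster:          # nothing new matched: fixed point reached
            return sorted(cluster)
        cluster |= grown


if __name__ == "__main__":
    print(link(RELAYS, "AS20473"))
```

In this constructed data, exitA4 is absent from the AS-only filter but is linked on the second pass, while other1 sits in the same AS and is never linked.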



