Relays that change their fingerprints a lot - tor-dev

2 Mar 2015


      Inspired by Gareth's 31C3 talk [0], I taught sybilhunter [1] to
calculate the amount of unique fingerprints a Tor relay used over time.
Armed with that feature, I extracted the top 10 relay IP addresses that
had the most fingerprints for every month since 2007 [2].  While most IP
addresses show up only once in the monthly top 10, three IP addresses
showed up more than ten times.
Address        Count     Owner                     Total changes
    ----------------------------------------------------------------
    193.19.77.145  11 times  ISP in France (DDO)       163
    71.57.5.24     11 times  ISP in the US (Comcast)   430
    141.70.22.69   12 times  University in Germany     293
Note that being present in the monthly top 10 isn't necessarily
suspicious because it can be attributed to misconfiguration.  For
example, if a Tor process' data directory is set to /tmp, you get a new
fingerprint every time you reboot.
A better metric is the amount of unique fingerprints, so I extracted the
IP addresses that changed their fingerprint the most [3].  One IP
address in Comcast's network, 98.212.74.104, changed its fingerprint
several hundred times.  That happened from August to December 2010.
Below is one of the relay's descriptors.  Note that the nickname
suggests that the relay was running on OpenWRT.
@type server-descriptor 1.0
    router openwrt 98.212.74.104 9001 0 0
    platform Tor 0.2.1.26 on Linux mips
    opt protocols Link 1 2 Circuit 1
    published 2010-09-10 01:42:42
    opt fingerprint 90BD DDA6 D716 D36A D236 03A7 06A9 887E FFEE DFED
    uptime 915
    bandwidth 102400 102400 55670
Unfortunately, it's difficult to make meaningful conclusions from this
data.  Relays that change their fingerprint a lot might still be honest
unless the distribution of their fingerprints clearly deviates from a
uniform distribution or correlates with Tor's DHT structure in some way.
I also uploaded the raw data [4].
[0] http://media.ccc.de/browse/congress/2014/31c3_-_6112_-_en_-_saal_2_-_201412301715_-_tor_hidden_services_and_deanonymisation_-_dr_gareth_owen.html
[1] https://gitweb.torproject.org/user/phw/sybilhunter.git/
[2] http://www.nymity.ch/hunting_sybils/multiple_fingerprints/accumulated_top10_addresses.txt
[3] http://www.nymity.ch/hunting_sybils/multiple_fingerprints/accumulated_top10_changes.txt
[4] http://www.nymity.ch/hunting_sybils/multiple_fingerprints/monthly-statistics.tar.xz
Cheers,
Philipp