Re: [tor-relays] Proposal: Restrict ContactInfo to Mandatory Email Address
On Sat, 21 Oct 2023 15:54:37 + Georg Koppen allegedly wrote:

> Hello everyone!
>
> As indicated in our bug tracker a while ago[1] we have some strong
> incentives to redo our ContactInfo field. I've collected all the
> different use cases and combined them in a single proposal,
> discussing some potential concerns and future work we could get built
> upon it.

[ some deletia ]

> We intend to solve that problem by deploying an email verification
> service: relays without a verified `ContactInfo` value won't be
> allowed on the network.

I assume that the verification system will allow for cases where operators use email aliases in the contact info field (i.e. mail addresses of the form "t...@domain.org" rather than the /real/ address "operator.n...@domain.org"). If this is not the case and replies must come from the advertised address then this proposal could be problematic for some.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
-----
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Re: [tor-relays] Recent rejection of relays
On 11 November 2021 17:17:40 GMT, gus wrote:

>
>What exactly is stopping you to use this email address as your relay
>contact_info?
>This is a *public* mailing list.
>
>cheers,
>Gus
>

+1 to the sentiment behind that query.

Personally I have no requirement for anonymity about the fact that I run Tor relays, so that may colour my views, and may influence what others think about my views. But I do sometimes despair about the angst some people display over not wanting an email address associated with one or more relays. In my experience of close to a decade or more of running relays, with a clear email address in my config file, I have not experienced any spam which I could attribute to that fact. Nor have I seen much in the way of spam to /this/ address, which as Gus has pointed out, is visible on a public mailing list.

Please just add a proper contact address to your relay(s). It will help the project, and will hardly hurt you at all.

Best

Mick
--
Sent from a mobile device. Please excuse my brevity.

Re: [tor-relays] let's make ContactInfo mandatory for exits (and warn others)
On Sat, 24 Apr 2021 12:11:46 +0200 nusenu allegedly wrote:

> After looking at lots of malicious relay data of the past few months
> I've come to the conclusion that exit relays without ContactInfo are
> largely run by malicious actors.
>
> I propose to make torrc's ContactInfo mandatory for exit relays with
> the following timeline:

With respect nusenu, exactly what is your relationship to the Tor project? Are you even in a position to mandate anything?

I recognise, and applaud, the (apparent) time and effort you put in to looking at the health of the network, and I am grateful for that, but I have never been at all clear what your role is and how it is connected to the core project.

Regards

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Unsubscribing
On Sat, 27 Mar 2021 09:24:09 +0100 Sebastian Urbach allegedly wrote:

>
> The last days on this list were stunning, to say the least. I'm going
> to unsubscribe today and i will decide tomorrow if i shut down all my
> relays. --
>
> Sincerely yours / M.f.G. / Sincères salutations
>
> Sebastian Urbach
>

Please don't do that Sebastian,

The world needs Tor relays. I too have found the discussions of the past few days problematic. But please, please do not shut down your relays. That would hurt users who need them.

Best

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Question: RAM requirement for an exit relay
On Mon, 21 Dec 2020 00:15:49 +0100 li...@for-privacy.net allegedly wrote:

> On 18.12.2020 17:33, mick wrote:
>
> > So - you can get a twin core VPS with 2 Gig of RAM and 3500 gig of
> > traffic allowance for less than $20.00 for a /year/. Spend a little more
> > and you can get 8 gig of traffic.
>
> 3500 GB = 1750 GB for a Tor relay. Can be gone in 1-3 days. ;-)
> Traffic is always counted sum in + out
> You may have more fun on a bridge. If you run a relay first, don't
> use the IP later for a bridge!
>
> 20-30 MiB/s Tor Relay consumes about 40-50 TB of traffic per month a
> few weeks after the 14-day ramp-up phase.:-(
> That is why I am suspicious of some of the 50-90 MiB/s unnamed relays
> without contact.
> https://metrics.torproject.org/rs.html#search/unnamed%20type:relay%20
>
>
> VPN or root server with 20-40 MiB/s unlimited traffic is available
> for EUR 15-30,-/month.

Sure you can get relays with higher traffic allowances, but those tend to be on ASs which /already/ have high concentrations of Tor relays. This is not good for diversity. For example, I can (and do) get 20TB of traffic allowance on my Hetzner relay (https://metrics.torproject.org/rs.html#details/AE4FAE2EB5DC5D078458F0FCBF2B37F5D73F0868) but Hetzner already has nearly 450 relays on AS24940 whereas the Racknerd relay is on Colocrossing's AS36352 which only has 21 relays.

The OP was considering running a relay at the end of a domestic ADSL line which is not a good idea. Other respondents suggested renting a cheap VPS - I agreed and simply pointed to a (currently very cheap) alternative. There is a danger that any new Tor relay operator will pick a supplier which is already over represented. We should attempt to avoid that if we can.

Tor can be (and in my case is) throttled so that you do not exceed the ISP's allowance but still provide useable extra bandwidth.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Question: RAM requirement for an exit relay
On Thu, 17 Dec 2020 05:36:36 + (UTC) BRBfGWMz allegedly wrote:

> Olaf is right
>
> Get a $ 5 per month VPS
>
> On Wed, Dec 16, 2020 at 08:28 AM, Olaf Grimm
> wrote:
>
> > Hello Amadeus!

You don't even need to spend that much. Racknerd have been running promotional deals since black friday. Their current deals can be seen here

https://my.racknerd.com/index.php?rp=/store/holiday-sales-2020

So - you can get a twin core VPS with 2 Gig of RAM and 3500 gig of traffic allowance for less than $20.00 for a /year/. Spend a little more and you can get 8 gig of traffic.

I bought two VPS from them about a month ago and they have confirmed that they are OK with Tor nodes, but probably NOT exits. (In their words to me "As long as we will not receive any abuse complaints, then there should be no problems.") Abuse complaints tend to come with exits.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays
On Mon, 2 Nov 2020 11:05:43 +0100 Guinness allegedly wrote:

> I'm wondering if this is an attack or a new feature (haven't checked
> yet) but I'd like to know how many users are impacted.
>
> The interesting informations are :
> * Number of warnings
> * What kind of relay it is (middle, exit, entry)
>
> After your answers, I'll complete the issue I have opened on the bug
> tracker.

Hi Guinness

I have the following two entries in the log for my guard relay at
https://metrics.torproject.org/rs.html#details/AE4FAE2EB5DC5D078458F0FCBF2B37F5D73F0868

Nov 02 04:30:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 04:30:01.000 [warn] Possible compression bomb; abandoning stream.

Time is GMT.

Cheers

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Shutdown of my digital ocean guard relay
On Thu, 15 Oct 2020 12:54:38 -0400 postmas...@coolcomputers.info allegedly wrote:

> Do you plan on hosting else where mental note to not use DO for TOR.
> Although i just use my own server for tor now. I also provide hosting
> but it cost more than DO.

Yes, I will look elsewhere. DO are /very/ expensive in terms of bandwidth if you go over their 1TB limit.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Shutdown of my digital ocean guard relay
On Thu, 15 Oct 2020 20:05:03 +0200 li...@for-privacy.net allegedly wrote:

>
> If you want to operate a stress-free exit, take a look at frantec.
> A 4Gb KVM has unlimited bandwidth and if you stick to the AUP,
> Francisco and staff will even take care of the abuse mails.
> https://buyvm.net/acceptable-use-policy/
> Unfortunately, they are mostly sold out. At the beginning of the
> month there is usually something free. They also have nice IRC
> support.
>
> Servdiscount has a 15% discount this month¹. There I have the
> Supermicro SD-SM-3365 with KVM Remote Management. But they don't
> allow exit. https://servdiscount.com/
>
> ¹15% discount is forever.
>

I haven't run an exit in over 8 years - I got too much aggravation, but I will look at setting up another relay. I'll check out your recommendations.

Thanks.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Shutdown of my digital ocean guard relay
On Thu, 15 Oct 2020 19:27:43 +0500 Roman Mamedov allegedly wrote:

>
> Could you point out which change you are referring to? The point 3.7
> saying that unmetered bandwidth accounts must not run "TOR" has been
> there since the earliest the Wayback Machine has it, from May 8th,
> 2018:
>

Hi Roman

The new ToS says:

"5.6 As a reward for being early adopters of the Services, some Users with older Accounts received free bandwidth promotions contingent on their Accounts remaining operative, in good standing, and in compliance with this TOS ("Free Bandwidth Accounts"). Free Bandwidth Accounts will no longer receive free bandwidth if: (a) such Accounts are transferred in ownership to third party; (b) such Free Bandwidth Accounts are used in violation of this TOS (including the AUP); or (c) such Free Bandwidth Accounts are used in connection with any of the following activities: (i) run Torrents for download or Seed Servers, TOR, or services that include content of an adult or pornographic nature; (ii) resell or otherwise offer as a service such free bandwidth to third parties; or (iii) otherwise circumvent or attempt to circumvent the intended use of Free Bandwidth Accounts by redistributing the benefits of free bandwidth to third parties."

Several things there tell me that Grandfathered accounts will be dropped (or charged heavily) if they continue to run Tor. The use of the past tense in "Accounts received free bandwidth". The statement that such accounts will "no longer receive free bandwidth if:" and then there is an explicit reference to Tor as well as references to "offering free bandwidth to third parties" and "redistributing the benefits of free bandwidth to third parties". That looks like weasel legal wording to allow DO to charge heavily because I "offer free bandwidth to others" through Tor.

All in all it looks as if DO no longer want Tor relays on their network. So I'll look elsewhere.

I already have a relay at Hetzner, but I'm aware that they (along with OVH and currently DO) are overrepresented and it would be better to find alternatives.

Best

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Shutdown of my digital ocean guard relay
On Thu, 15 Oct 2020 13:09:49 +0100 "Dr Gerard Bulger" allegedly wrote:

> Why not run it until they spot it and shut it down?!
>

Because the last time they changed the rules (when they introduced charging for bandwidth) I got hit (automatically) with a big bandwidth charge despite having been told that I would have "free bandwidth for life". Back then I argued (successfully) that "for life" meant just that. This time they have explicitly said that people in my position will no longer get free bandwidth if we give it away (e.g. to Tor users).

So I shut it down before the automated charge kicks in.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

[tor-relays] Shutdown of my digital ocean guard relay
Hi Guys

I today received notification from DO that they have changed their Terms of Service and Acceptable Usage policies. Having read those changed notices it is clear to me that DO are no longer really Tor friendly. They do not allow exits and whilst my guard relay there (at roof.rlogin.net with fingerprint EA8637EA746451C0680559FDFF34ABA54DDAE831) has been running for nearly seven years I can no longer do that because of the likely bandwidth charges in future.

My DO relay has been using around 12 TiB per month for some time now and I could afford to let it run because I was a "legacy" customer (i.e. early adopter of DO services who was given "free bandwidth forever"). It looks to me from their new ToS that I will no longer enjoy that status after 22 October. So I have shut it down.

Any other relay operator using DO services should read their new ToS (1) and AUP (2) and decide for themselves whether they will be affected.

My other guard relay at sink.rlogin.net on Hetzner's network will continue in operation.

Mick

(1) https://www.digitalocean.com/legal/terms-of-service-agreement/
(2) https://www.digitalocean.com/legal/acceptable-use-policy/

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] AS: ColoCrossing + QuadraNet = 42 relays
On Tue, 11 Dec 2018 22:38:00 + nusenu allegedly wrote:

> The first column shows the first 4 characters of the fingerprint, the
> second how many relays have it and when and where (AS) they joined the
> network.
>
> +------+---+-------------------------------------------------------------+----------------------------------------+
> | FP   | # | first_seen                                                  | as_name                                |
> +------+---+-------------------------------------------------------------+----------------------------------------+
> | 0324 | 3 | 2018-12-11 07:00:00,2018-12-11 08:00:00,2018-12-11 10:00:00 | ColoCrossing,QuadraNet Enterprises LLC |
> | 2D56 | 3 | 2018-12-10 05:00:00                                         | ColoCrossing                           |
> | 2EBF | 3 | 2018-12-10 06:00:00,2018-12-10 07:00:00,2018-12-10 08:00:00 | ColoCrossing,QuadraNet Enterprises LLC |
> | 48A3 | 3 | 2018-12-10 06:00:00,2018-12-10 07:00:00,2018-12-10 08:00:00 | ColoCrossing                           |
> | 5F46 | 3 | 2018-12-11 07:00:00,2018-12-11 09:00:00,2018-12-11 11:00:00 | ColoCrossing                           |
> | 8788 | 3 | 2018-12-10 09:00:00,2018-12-10 10:00:00,2018-12-10 11:00:00 | ColoCrossing                           |
> | A099 | 3 | 2018-12-10 16:00:00,2018-12-10 17:00:00                     | ColoCrossing                           |
> | A116 | 3 | 2018-12-11 07:00:00,2018-12-11 08:00:00,2018-12-11 10:00:00 | ColoCrossing,QuadraNet Enterprises LLC |
> | A677 | 3 | 2018-12-09 13:00:00                                         | ColoCrossing                           |
> | AA08 | 3 | 2018-12-10 09:00:00,2018-12-10 10:00:00,2018-12-10 11:00:00 | ColoCrossing                           |
> | C00B | 3 | 2018-12-10 04:00:00                                         | ColoCrossing                           |
> | C0D4 | 3 | 2018-12-11 07:00:00,2018-12-11 09:00:00,2018-12-11 11:00:00 | ColoCrossing                           |
> | D021 | 3 | 2018-12-09 14:00:00,2018-12-09 15:00:00                     | ColoCrossing,QuadraNet Enterprises LLC |
> | FB34 | 3 | 2018-12-10 16:00:00,2018-12-10 17:00:00                     | ColoCrossing                           |
> +------+---+-------------------------------------------------------------+----------------------------------------+
> 14 rows
>
> 14*3=42
>
> This should become a new OrNetRadar detector.
>

And given ColoCrossing's advertised prices, even using single servers that amounts to nearly $840 pcm or over $10.000 per annum. That doesn't look like a hobbyist.

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

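The grouping in the quoted table (new relays that share a 4-character fingerprint prefix and joined within hours of each other) can be computed as follows. This is an added example, not part of the original thread and not OrNetRadar's code; the function names, the thresholds and the sample records (two prefixes taken from the table, with made-up fingerprint tails and per-relay AS assignments) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def _fake_fp(prefix, n):
    """Build a constructed 40-hex fingerprint: given prefix, made-up tail."""
    return prefix + format(n, "036X")


# Constructed sample records: (fingerprint, first_seen, as_name).
# Prefixes 0324 and A677 with their join times come from the table above;
# everything else (tails, which relay sits in which AS, the 7F1C and B2E0
# groups, the "ExampleNet" names) is invented for this example.
SAMPLE_RELAYS = [
    (_fake_fp("0324", 1), "2018-12-11 07:00:00", "ColoCrossing"),
    (_fake_fp("0324", 2), "2018-12-11 08:00:00", "QuadraNet Enterprises LLC"),
    (_fake_fp("0324", 3), "2018-12-11 10:00:00", "ColoCrossing"),
    (_fake_fp("A677", 1), "2018-12-09 13:00:00", "ColoCrossing"),
    (_fake_fp("A677", 2), "2018-12-09 13:00:00", "ColoCrossing"),
    (_fake_fp("A677", 3), "2018-12-09 13:00:00", "ColoCrossing"),
    # Same prefix by chance, joined years apart: must not be flagged.
    (_fake_fp("7F1C", 1), "2015-03-02 09:00:00", "ExampleNet A"),
    (_fake_fp("7F1C", 2), "2017-06-20 21:00:00", "ExampleNet B"),
    (_fake_fp("7F1C", 3), "2018-12-10 06:00:00", "ExampleNet C"),
    # Only two relays: below the group size used here.
    (_fake_fp("B2E0", 1), "2018-12-10 04:00:00", "ExampleNet A"),
    (_fake_fp("B2E0", 2), "2018-12-10 04:00:00", "ExampleNet A"),
]


def find_prefix_clusters(relays, prefix_len=4, min_size=3,
                         window=timedelta(hours=24)):
    """Return {prefix: summary} for prefixes shared by at least `min_size`
    distinct relays whose first_seen times all fall within `window`.

    With only 16**4 possible 4-character prefixes, unrelated relays collide
    by chance, so the join-time window is what makes a group suspicious.
    """
    by_prefix = defaultdict(set)
    for fingerprint, first_seen, as_name in relays:
        ts = datetime.strptime(first_seen, TS_FORMAT)
        by_prefix[fingerprint[:prefix_len].upper()].add(
            (ts, fingerprint.upper(), as_name))

    clusters = {}
    for prefix, members in by_prefix.items():
        ordered = sorted(members)          # oldest first
        best, start = [], 0
        # Sliding window: largest run of relays that joined within `window`.
        for end in range(len(ordered)):
            while ordered[end][0] - ordered[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = ordered[start:end + 1]
        if len(best) >= min_size:
            clusters[prefix] = {
                "count": len(best),
                "first_seen": sorted({ts.strftime(TS_FORMAT)
                                      for ts, _, _ in best}),
                "as_names": sorted({as_name for _, _, as_name in best}),
            }
    return clusters


if __name__ == "__main__":
    for prefix, info in sorted(find_prefix_clusters(SAMPLE_RELAYS).items()):
        print(prefix, info["count"], ",".join(info["first_seen"]),
              ",".join(info["as_names"]))
```
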
Re: [tor-relays] AS: "ColoCrossing" - 28 new relays
On Wed, 12 Dec 2018 19:17:56 +0100 (CET) Nathaniel Suchy allegedly wrote:

> It's scary to think there are bad people out there actively trying to
> harm our community :(

I'd be astonished if there weren't. Tor is a thorn in the side for lots of different entities. I am just grateful that it exists and that there are people prepared to defend it.

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] Announcement: Relay operator meetings on IRC
On Thu, 30 Aug 2018 18:11:27 -0500 Colin Childs allegedly wrote:

> Overseas was the wrong choice of words, anyone is welcome to attend
> the meeting that works best for them (or both, if they choose to).
>

The Country-centric view shown brings to mind the (possibly apocryphal) early 20th century headline in the Times newspaper:

"Fog in channel. Europe isolated."

(Apologies)

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
https://baldric.net/about-trivia
-----

Re: [tor-relays] DigitalOcean bandwidth billing changes
On Wed, 25 Apr 2018 14:15:35 + Cody Logan allegedly wrote:

> Regarding grandfathered accounts, section 3.7 of their terms of
> service is worth a closer look:
>
> “Subscribers of Grandfathered Accounts must NOT: (i) run Torrents for
> download or Seed Servers, TOR, or services that include content of an
> adult or pornographic nature [...] or otherwise circumvent the
> intended fair usage of free bandwidth by distributing it freely to
> others. Failure of Subscribers of Grandfathered Accounts to follow
> these terms will result in the revocation of their Accounts'
> grandfathered status.”
>
> https://www.digitalocean.com/legal/terms/
>

All

Following this I went back to Rafael Rosa, the Product Manager at DigitalOcean who originally sent the email about the changes seeking clarification. I also pointed him to the discussion here on this list because I was unlikely to be the only one affected by the change.

Following several emails Rafael kindly confirmed that so long as my droplet was not the source of any "abuse" reported to DO by third parties I could continue as is. By "abuse" RR meant hostile activity such as port scanning. I pointed out that since my droplet was a non-exit relay, then it would be unlikely to be the source of such activity. RR did say however, that non "grandfathered" accounts would in future automatically be billed for any over limit bandwidth usage. I should also note here that exit relays are, by their nature, likely to see activity which DO might categorise as abuse so any exit relay operators using DO should take care.

Our correspondence is shown below. Rafael has kindly agreed that I may share this with the list and I am grateful to him for that agreement. I am also exceptionally grateful for the continued ability to provide my Tor node to the community at its current usage level without incurring the sort of financial penalty I could have expected. My thanks to all at DO and to Rafael in particular for this.

Mick

-- correspondence --

RR original email

Hello,

I’m Rafael Rosa, Product Manager at DigitalOcean. I want to share a heartfelt thank you for being such a valued, long-time customer.

As you may know, we’ve made some updates to our bandwidth pricing plans <https://www.digitalocean.com/pricing/>. With gratitude for your loyalty, we want to assure you that your account has been grandfathered into your current pricing plan and you will not incur any charges for bandwidth usage as long as you comply with the guidelines outlined in section 3.7 of our Terms of Service <https://www.digitalocean.com/legal/terms/>.

If you are interested in viewing your bandwidth usage, you can now track usage in the billing page <https://cloud.digitalocean.com/settings/billing> where Droplet data transfer is updated daily. And if you’re curious to learn more about the details of the bandwidth update, I encourage you to take a look at this FAQ page <https://www.digitalocean.com/community/tutorials/digitalocean-bandwidth-billing-faq>.

Happy Coding,
Rafael Rosa
Product Manager, DigitalOcean

Me

Many thanks for this. However, I note that section 3.7 says, inter alia:

"Notwithstanding the foregoing, Subscribers of Grandfathered Accounts must NOT: (i) run Torrents for download or Seed Servers, TOR, or services that include content of an adult or pornographic nature; (ii) resell services through their Account to provide free bandwidth to other individuals;"

My droplet "roof.rlogin.net" is, and always has been, a Tor (not "TOR") relay node. Do I take it from section 3.7 that you will no longer permit that? If so, I will need to move to another provider.

RR

Sorry about the delay in replying. So, the current policy does have a restriction on tor nodes, but we are not enforcing it automatically. As long as we don't detect abuse it should be fine. I hope this helps.

Me

Many thanks for this, but with respect the answer is a little ambiguous.

Your policy statement at 3.7 of your ToS implies that any bandwidth usage above that permitted will be chargeable /regardless/ of grandfather status if that bandwidth is "given away" to third parties (such as through Tor). Yet you say here that you are "not enforcing that automatically". How will I know if/when you do decide to enforce that? And what do you define as "abuse"?

I am sure that you will understand that I need clarification because I could potentially be hit with a severe financial penalty should you choose to enforce the policy without my noticing. I appreciate that as a $10.00 a month customer I am getting a phenomenally good deal and fully accept that I may have to pay more in future (regardless of your original offer back in 2013 of "free bandwidth forever" when I was grandfathered in). If I
Re: [tor-relays] DigitalOcean bandwidth billing changes
On Wed, 25 Apr 2018 14:33:16 +0200 Ralph Seichter allegedly wrote:

>
> Good on yer... DigitalOcean bills for outbound traffic, and with a
> price of $0.01/GB (sadly not GiB) every TB in excess of a Droplet's
> monthly allowance--a meager 1GB for their smallest model--will cost
> an extra 10 USD. Who has that kind of money?
>

Not me. I think I'm immensely lucky to get the service I do.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net/about-trivia
-----

Re: [tor-relays] DigitalOcean bandwidth billing changes
On Wed, 25 Apr 2018 12:09:24 +0200 Ralph Seichter allegedly wrote:

> Looks like DigitalOcean has just begun measuring bandwidth usage
> "officially", starting yesterday:
>
>
> https://www.digitalocean.com/community/tutorials/digitalocean-bandwidth-billing-faq
>
> "Based on our analysis of the historical usage patterns of our
> customers, less than one percent of users will exceed their pooled
> allowance."
>
> I had heard of the One Percent, but never thought I'd become a part of
> that illustrious group... :-)

I had an email from them saying that as one of the group "grandfathered in" back in 2013 I could carry on regardless. Good job really, take a look at my vnstats..

 eth0  /  monthly

     month          rx      |      tx     |    total    |   avg. rate
 ---------------------------+-------------+-------------+---------------
   May '17      10.71 TiB   |  10.74 TiB  |  21.46 TiB  |   68.81 Mbit/s
   Jun '17      10.20 TiB   |  10.24 TiB  |  20.44 TiB  |   67.75 Mbit/s
   Jul '17      11.92 TiB   |  11.94 TiB  |  23.87 TiB  |   76.55 Mbit/s
   Aug '17      14.01 TiB   |  13.98 TiB  |  27.99 TiB  |   89.77 Mbit/s
   Sep '17      12.28 TiB   |  12.29 TiB  |  24.57 TiB  |   81.43 Mbit/s
   Oct '17      15.04 TiB   |  15.06 TiB  |  30.10 TiB  |   96.53 Mbit/s
   Nov '17      15.25 TiB   |  15.24 TiB  |  30.50 TiB  |  101.06 Mbit/s
   Dec '17      12.79 TiB   |  12.76 TiB  |  25.54 TiB  |   81.92 Mbit/s
   Jan '18       7.97 TiB   |   7.98 TiB  |  15.96 TiB  |   51.17 Mbit/s
   Feb '18      10.53 TiB   |  10.80 TiB  |  21.33 TiB  |   75.75 Mbit/s
   Mar '18      10.83 TiB   |  10.78 TiB  |  21.60 TiB  |   69.28 Mbit/s
   Apr '18       8.38 TiB   |   8.37 TiB  |  16.76 TiB  |   67.94 Mbit/s
 ---------------------------+-------------+-------------+---------------
   estimated    10.26 TiB   |  10.24 TiB  |  20.50 TiB  |

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net/about-trivia
-----

Re: [tor-relays] Estimation of bridge traffic / Bridge or relay needed?
On Sat, 7 Apr 2018 09:54:46 -0400 "Grander Marizan" allegedly wrote:

> How can I unsubscribe from this mailing list?
>

Read the email. Scroll to the bottom and you will see a link to list subscription instructions. Viz:

https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net/about-trivia
-----

Re: [tor-relays] FreeBSD 11.1 ZFS Tor Image
On Tue, 27 Feb 2018 14:47:06 -0500 grarpamp allegedly wrote:

> If ovh vps gives root, bypass the fee with: md(4) vnode > geli >
> mount.
>
> Then again, if the iron isn't dipped in epoxy (not done), in your own
> secure datacenter (not extant), on trusted #OpenHW (not AMD / Intel /
> or any other to date), built in trusted #OpenFabs (non extant),
> running validated #OpenSW (non extant), in a voluntarist libertarian
> environment free from force, one's use case might be moot.
>

Gotta love you Grarpamp. :-)

But in the real world we /have/ to trust someone, somewhere, somehow, sometime. What everyone has to decide for themselves is /how much/ trust to give, to whom, when, where and why. And that depends entirely on your threat model and your appetite for risk.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net/about-trivia
-----

Re: [tor-relays] tor 0.3.2.9 reached deb.torproject.org and FreeBSD repos
On Tue, 16 Jan 2018 20:18:00 + nusenu allegedly wrote:

> Since this has been a common question in the last few days..
>

Excellent. Thanks. Installed and running.

I still have problems, but I have added some ratelimit rules to my firewall (a la teor recommendations) and I'm getting fewer complaints in my log now.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net/about-trivia
-----

Re: [tor-relays] Recent wave of abuse on Tor guards
warn; host 51939625169E2C7E0DC83D38BAE628BDE67E9A22 at 109.236.90.209:443)
Dec 21 16:35:32.000 [warn] 13 connections have failed:
Dec 21 16:35:32.000 [warn] 13 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 15; recommendation warn; host 500FE4D6B529855A2F95A0CB34F2A10D5889E8C1 at 134.19.177.109:443)
Dec 21 16:35:32.000 [warn] 14 connections have failed:
Dec 21 16:35:32.000 [warn] 14 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 16; recommendation warn; host 03DC081E4409631006EFCD3AF13AFAAF2B553FFC at 185.32.221.201:443)
Dec 21 16:35:32.000 [warn] 15 connections have failed:
Dec 21 16:35:32.000 [warn] 15 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:32.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Dec 21 16:35:33.000 [warn] Problem bootstrapping. Stuck at 90%: Establishing a Tor circuit. (Connection refused; CONNECTREFUSED; count 17; recommendation warn; host 1FA8F638298645BE58AC905276680889CB795A94 at 185.129.249.124:9001)
Dec 21 16:35:33.000 [warn] 16 connections have failed:
Dec 21 16:35:33.000 [warn] 16 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:33.000 [warn] Problem bootstrapping. Stuck at 90%: Establishing a Tor circuit. (Connection refused; CONNECTREFUSED; count 18; recommendation warn; host DAC825BBF05D678ABDEA1C3086E8D99CF0BBF112 at 185.73.220.8:443)
Dec 21 16:35:33.000 [warn] 17 connections have failed:
Dec 21 16:35:33.000 [warn] 17 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:33.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 21 16:35:33.000 [notice] Bootstrapped 100%: Done

So - I get loads of CONNECTREFUSED whilst coming up (presumably because of the attack) and then come fully back online. "netstat" then shows my connections rising rapidly to around the 10,000-11,000 "ESTABLISHED" mark before it all goes wrong again.

As others have noted I see multiple connections from OVH (netblock 54.36.51/24 (around 1200, when I normally only see a max of 200 or so per /24, and a more normal dozen or so per /24). The next largest, at around 700-800 is 144.76.175/24 (Hetzner Online). I don't recall seeing that level of connections in the past.

If anyone wants more info, let me know.

Best

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-----

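Counting established connections per netblock, as the message above does by hand from "netstat", can be scripted as follows. This is an added example, not part of the original post; it assumes Linux `netstat -tn` output, runs on constructed sample lines that use documentation addresses, and the function names, the optional ORPort filter and the /48 grouping for IPv6 are assumptions.

```python
import ipaddress
from collections import Counter


def sample_netstat():
    """Constructed `netstat -tn`-style lines (documentation addresses only)."""
    lines = [
        "Active Internet connections (w/o servers)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    ]
    for i in range(1, 13):   # 12 peers from one /24 reaching the ORPort
        lines.append(f"tcp 0 0 192.0.2.10:443 198.51.100.{i}:{40000 + i} ESTABLISHED")
    for i in range(1, 4):    # 3 peers from another /24
        lines.append(f"tcp 0 0 192.0.2.10:443 203.0.113.{i}:{41000 + i} ESTABLISHED")
    # Not established: ignored.
    lines.append("tcp 0 0 192.0.2.10:443 198.51.100.200:42000 TIME_WAIT")
    # Connection opened by the relay itself (local port is not the ORPort).
    lines.append("tcp 0 0 192.0.2.10:51822 198.51.100.201:9001 ESTABLISHED")
    # One IPv6 peer.
    lines.append("tcp6 0 0 2001:db8::10:443 2001:db8:1::5:43000 ESTABLISHED")
    return lines


def peers_per_netblock(netstat_lines, or_port=None, v4_prefix=24, v6_prefix=48):
    """Count ESTABLISHED TCP connections per remote netblock.

    If `or_port` is given, only connections whose local port equals it are
    counted (i.e. peers connecting in to the relay); otherwise every
    established connection is counted.
    """
    counts = Counter()
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                      # header or non-TCP line
        local, peer, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue
        if or_port is not None and local.rsplit(":", 1)[-1] != str(or_port):
            continue
        try:
            addr = ipaddress.ip_address(peer.rsplit(":", 1)[0])
        except ValueError:
            continue                      # unparsable peer address
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


def noisy_netblocks(counts, threshold=200):
    """Netblocks with more than `threshold` connections, busiest first.

    The default of 200 is the 'normal maximum per /24' figure quoted in the
    message; tune it to the relay's own baseline.
    """
    flagged = [(net, n) for net, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    counts = peers_per_netblock(sample_netstat(), or_port=443)
    for net, n in noisy_netblocks(counts, threshold=10):
        print(f"{net}\t{n}")
```
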
Re: [tor-relays] Provider Suggestion, Scaleway -- Online SAS: not so good for diversity
On Fri, 24 Feb 2017 12:43:20 +0100 Michael Armbruster allegedly wrote:

> On 2017-02-24 at 12:32, Mattia wrote:
> > Hi,
> > for the diversity where i can take one at nearly the same price?
>
> Well, you can search for small providers in small countries. I have a
> Tor relay in Moldavia, for example (MivoCloud).
>

But note that Mivocloud's ToS specifically says:

"2.11 The Services may be used only for lawful purposes. MivoCloud strictly prohibits: Tor Exit relays; SPAM; any kind of DoS; Scam, Malware, Botnet, Phishing;"

So, no exits.

Mick

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-----

Re: [tor-relays] Shutdown of TorLand1
On Wed, 15 Feb 2017 21:55:48 + tor-ad...@torland.is allegedly wrote:

>
> after 5 years of operation I will shutdown TorLand1
> (https://atlas.torproject.org/#details/E1E922A20AF608728824A620BADC6EFC8CB8C2B8)
>
> on February 17 2017.
>

Thanks for everything you have done. It is much appreciated.

-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-----

Re: [tor-relays] Reminder: If you are on 0.2.9.x, make sure you are running 0.2.9.9
Sorry, I thought I had. I must have hit the wrong reply button. Now copied in. Apologies for the top post... On 9 Feb 2017 21:58, Roger Dingledine wrote: > > On Thu, Feb 09, 2017 at 09:57:03PM +, mick wrote: > > Done > > > > Now running 0.2.9.9. > > Thanks! Can you send this to the list too, for completeness? > > Or, do you mind if I do that? > > --Roger
Re: [tor-relays] Reminder: If you are on 0.2.9.x, make sure you are running 0.2.9.9
On Thu, 9 Feb 2017 13:36:56 -0500 Roger Dingledine allegedly wrote: > On Thu, Feb 09, 2017 at 01:04:30PM -0500, Nick Mathewson wrote: > > If you are on some earlier version of 0.2.9.x, it would be really > > great if you could update your relay some time soon > > And, if you're one of the many relays still on 0.2.9.8, and the reason > is something other than "oops, you're right I should upgrade", please > let us know! We're wondering in particular if there are major distros > out there that are still stuck on 0.2.9.8. > I am. (Debian Jessie 8.7 - using the tor repos). My log says:
Feb 09 07:35:04.000 [notice] Tor 0.2.9.8 (git-a0df013ea241b026) opening new log file.
Feb 09 07:35:05.000 [warn] Please upgrade! This version of Tor (0.2.9.8) is not recommended, according to the directory authorities. Recommended versions are: 0.2.4.27,0.2.4.28,0.2.5.12,0.2.5.13,0.2.7.6,0.2.7.7,0.2.8.9,0.2.8.10,0.2.8.11,0.2.8.12,0.2.9.9,0.3.0.2-alpha,0.3.0.3-alpha
Attempting an upgrade from 0.2.9.8 I get nothing. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] FW: What's a "useful" mailing list contributor?
On 11 January 2017 12:28:44 GMT+00:00, Ralph Seichter wrote: >On 11.01.2017 06:30, Roman Mamedov wrote: > >Roman, you nailed it. The "September that never ended" is now well into >its 24th year, Ralph You are showing your age... +1 to Roman BTW Mick -- Sent from an untrusted mobile device. Email not signed. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Tor abuse complaints (per MBit/s)
On Wed, 28 Sep 2016 22:05:33 -0700 Sadia Afroz allegedly wrote: > We did not publish the report anywhere. > I put it up on my site just for the ease of sharing it in the mailing > list. Sadia With respect, those two statements are mutually contradictory. Placing the report on-line /anywhere/ constitutes publication. And since the report is widely reachable it will by now have been cached by search engines. Best Mick ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] relay on a vps not exclusively used for tor?
On Sun, 21 Aug 2016 20:06:31 +0200 jensm1 allegedly wrote: > > I'm planning to get myself a small VPS for simple things like > calendar-synching and backup of important data. Since these things are > very light on resource-usage, I thought about putting a tor relay > (non-exit) on the server, so it does something useful instead of > idling most of the time. > > Is this advisable, or are there reasons why I shouldn't put a relay > on a server that is used simultaneously by other things? I think the clue to the answer lies in your "backup of important data". Personally I run my tor node on a VPS I can afford to lose. I do not, and would not, use a server holding or hosting anything I care about (email, XMPP, web service etc.) as a tor node. Even if your relay is not an exit, there is always the possibility that its use as a Tor node will offend someone who is in a position to interfere with it. Consider the possibility that your ISP decides it does want Tor traffic on its network. That ISP might take your relay off line. If you use that server for anything else, you are borked. There is also the very real possibility that any other services you run on the Tor node actually weaken the security of that node. Every service you run on a server increases the attack surface. If your Tor node happens to be running an insecure (or badly configured, or both) FTP server, for example, then it could be compromised and used by "bad guys" (TM). Best Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] 84 exits (growing..) (was: 68 new exits)
On Sun, 8 May 2016 02:46:42 +0500 Roman Mamedov allegedly wrote: > > (That said, yeah, as others have replied DO TOS only restricts > "grandfathered" accounts in this regard.) > Again, not so. I have a grandfathered account. DO have never had a problem with my Tor node (or my other high traffic VMs). Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] 84 exits (growing..) (was: 68 new exits)
On Sat, 7 May 2016 07:46:31 -0500 Tristan allegedly wrote: > Strange that some of the relays are running on Digital Ocean. Running > a Tor relay of any kind is against their AUP. Not so. I've been running a tor node on DO for three years now. They know it, they are happy, so am I. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] I would like to help.
On Wed, 30 Mar 2016 07:22:45 +0200 brightsidedarkside allegedly wrote: > Hey Genral G, An impressively helpful, generous, complete and patient response to a plea for help. Exactly the sort of response which shows how good the community can be and which puts to shame the sort of unhelpful, snarky, smart ass responses we sometimes see on this list and elsewhere. Congratulations and thanks Christian. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] intense DDOS of exit relay from China
On Tue, 22 Mar 2016 14:08:29 + Dhalgren Tor allegedly wrote: > All traffic originated from China. > But that does not necessarily mean that the attacker was in China, merely that he/she/it owns a botnet "in china". ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Unbelieveable
On Fri, 04 Dec 2015 09:29:58 -0800 AMuse allegedly wrote: > > > Looks like you got more than you paid for. > > On 2015-12-03 18:46, Kurt Besig wrote: > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA1 > > > > That I got two responses after posting to tor-relays regarding a > > fairly simple, I thought, CntrolPort question on a new VPS relay.. > > That's pathetic. Thanks for all your input. > +1 to that. People on this list are all volunteers - both as relay operators and as list participants. If any of those volunteers choose to help fellow list members, then good for them. However, if list posters whine and castigate others then they should not be surprised if no-one helps in future. Mick ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] TorFlow
On Tue, 10 Nov 2015 11:30:53 +1100 Tim Wilson-Brown - teor allegedly wrote: > > > On 10 Nov 2015, at 11:05, I wrote: > > > > That is very nice and gives an idea of the need for more > > geographical diversity. > > > > Do you have an idea why there is almost no activity visible from > > Australia and none from New Zealand? > > International bandwidth is very expensive in the antipodes. > There are very few providers with unlimited or terabyte data plans. > Australia just brought in a mandatory data retention law in > April/October 2015. > Any idea where that concentration of 16 relays South of Ghana in the Gulf of Guinea is? The traffic there seems disproportionate to the size of the location. Mick (Beautiful and really cool visualisation BTW. Many thanks to the designer(s) and coder(s)). - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Tools for managing multiple relays
On Thu, 15 Oct 2015 17:11:23 -0400 starlight.201...@binnacle.cx allegedly wrote: > Choices are not simple. > Never have been. And they get tougher over time. Trust me. ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] Busted links on Tor Relay standard web page
My apologies if this has been discussed before and I have missed it. I have been reviewing the web page on my relay (which is based on the standard Tor explanation page) and have noticed that several links are now broken following update of the Tor site itself (e.g. https://www.torproject.org/torusers.html.en no longer exists). I also notice that https://tor-svn.freehaven.net/svn/tor/trunk/contrib/exitlist cannot be reached at all and the same page over http seems not to exist. If other operators are similarly using a page based on the old template, they may wish to update. Best Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] Spam
On Fri, 27 Jun 2014 09:41:53 +0100 kingqueen allegedly wrote: > > > Had a similar situation. My take is - it is never too late to > > obfuscate. It does matter. > > Thank you! I have done. Random Person > I think that is the first time I have seen ROT13 used as a form of email obfuscation. I have seen images (usually PNG) being used - but then I have also seen that ruined by the use of the mailto: tag around the image. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] DigitalOcean starting Exit node crackdown
On Thu, 15 May 2014 14:59:05 -0400 Shawn Nock allegedly wrote: > Shawn Nock writes: > > Update: HOLY CRAP! > > > Hello > > > > Thanks for your well worded response. > > > > You have argued your case well and we have decided to allow your tor > > exit node. Congratulations on a good outcome. Your response to DO support was obviously good enough to be used as a model for others in a similar position in future. And congrats also to DO for seeing some sense and taking the right decision. Best Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] DigitalOcean starting Exit node crackdown
On Thu, 15 May 2014 13:44:36 -0400 Shawn Nock allegedly wrote: > > Hello friends, > > As I recall, there are several exits running on DigitalOcean's > infrastructure. This is presented FYI: > Hello Shawn Thanks for posting this. Please let us know how you get on. I run a middle node on DO (plus two tails/whonix mirrors) and would be concerned if their policy is hardening against Tor. Best Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Relay down, "rejected", help
On Sun, 20 Apr 2014 15:19:57 +0200 Lunar allegedly wrote: > kbesig: > > Getting closer: > > I can run tor arm as root, but get this error as : > > ~$ sudo -u debian-tor arm > > [sudo] password for : > > Urg… please never do that. You should not run applications with the > same privileges as Tor. However... when run as an unprivileged user (with that user a member of the debian-tor group), arm reports "[ARM_NOTICE] We were unable to use any of your system's resolvers to get tor's connections. This is fine, but means that the connections page will be empty. This is usually permissions related so if you would like to fix this then run arm with the same user as tor (ie, "sudo -u arm"). " Mick ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] NHS UK blocking Tor?
On Tue, 15 Apr 2014 21:24:00 +0200 no.thing_to-h...@cryptopathie.eu allegedly wrote: > > I run an internal relay in Austria > > https://torstatus.blutmagie.de/router_detail.php?FP=19eb1397aa60f3fb8bd0995b96dd8cc83abf0db3 > > and checked > > http://www.nhs.uk > > from my original IP. It worked, I accessed the site. > That's interesting. From the DNS responses I get from various places it looks as if the NHS site is run on the Akamai CDN. So it may be that (some of) the Akamai servers are blocking Tor. Mick ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] NHS UK blocking Tor?
On Mon, 14 Apr 2014 23:37:35 +0100 Chris Whittleston allegedly wrote: > Can someone else running a relay from their home connection confirm > that they get an 'Access denied' error from http://www.nhs.uk? I've > checked with someone using the same ISP in the flat above me and they > seem able to access the site just fine, as can I via mobile internet > so I'm down to suspecting that they are blocking all Tor relay IPs. > This is the exact error I get: > Access DeniedYou don't have permission to access "http://www.nhs.uk/"; > on this server. > > Reference #18.1f7f1002.1397514736.1fe2170c > The reference seems to change each time I visit. If this does turn > out to be them blocking Tor - advice on how to approach contacting > them to resolve this would be appreciated. > Confirmed. My (non-exit) relay in Amsterdam is blocked. Another (non-tor) server in Amsterdam is not blocked, nor are my non-tor servers in the UK, San Francisco or NYC blocked. As for getting this changed, that may be difficult. You could try contacting the site through the page at: http://www.nhs.uk/aboutNHSChoices/Pages/ContactUs.aspx and selecting the "I have experienced a problem accessing or using the website or some part of it" radio button and then commenting. You could contact the NHS at the (postal) address below. You could contact the DoH (Charles Massey) https://www.gov.uk/government/people/charlie-massey As evidence in favour of Tor's value, you could point to the "who uses Tor" page at https://www.torproject.org/about/torusers.html.en. You could usefully explain the obvious value of anonymity in browsing health related sites. And, since you appear to be in Cambridge, you could look for some support (and possible advice) from Ross Anderson (http://www.cl.cam.ac.uk/~rja14/). You can bet that Ross uses Tor, and he almost certainly has experience in dealing with awkward parts of HMG. 
Best Mick - NHS address NHS Connecting for Health Informatics Directorate Department of Health Princes Exchange Princes Square Leeds West Yorkshire LS1 4HY - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Relays vulnerable to OpenSSL bug: Please upgrade
On Tue, 08 Apr 2014 19:04:08 +0200 Lukas Erlacher allegedly wrote: > On Debian or Ubuntu: > > service tor stop && rm /var/lib/tor/keys/* && apt-get update && > apt-get -y upgrade > You might want to restart tor after that. - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Relays vulnerable to OpenSSL bug: Please upgrade
On Tue, 08 Apr 2014 17:01:18 +0200 Moritz Bartl allegedly wrote: > On 04/08/2014 04:58 PM, ecart...@riseup.net wrote: > > Greetings all. I followed the above instructions on my relay. Upon > > restarting Tor I have lost all of my flags and I have a new > > fingerprint. Previously I had the Fast, Guard, Named, Running, > > Stable, and Valid flags. Is this expected? Did I miss a step > > somewhere? Thanks for any help. > > Yes. You made it generate new keys, so it is a "new relay" as far as > Tor is concerned. This is why not everybody should generate new keys > immediately, especially larger relays. But don't worry too much, > you'll get your flags back eventually. :) > But Roger's blog post makes no mention of the advisability (or otherwise) of a mass re-generation of keys. All it says is that best practice states this would be a good idea. (I have regenerated mine and restarted so I too now have a shiny new relay). Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] Tor relay setup
On Sun, 23 Mar 2014 03:12:47 -0800 I allegedly wrote: > > I suggested the port change because that is what the VPS operators > have told me was the first thing to do to avoid being constantly > 'hacked' which has happened over and over to me. Actually I agree that moving ssh from the standard port can be a good idea. Whilst offering no more than security through obscurity against a determined adversary it does at least provide some protection against the mindless robots which constantly probe port 22. Every little helps. Mick ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Exit node re-writing PKI certificates?
On Wed, 19 Mar 2014 23:55:53 -0400 Iggy allegedly wrote: > I am assuming there is no way to tell this now, after the fact? > > -iggy > > On 03/19/2014 11:08 PM, Zack Weinberg wrote: > > Really useful to know at this point would be the complete suspicious > > certificate (which would e.g. tell us who signed it) and the exit > > node in use. > > > > On Wed, Mar 19, 2014 at 11:00 PM, Iggy wrote: > >> Hey all, > >> > >> I use an email account from riseup.net, which I usually access via > >> Thunderbird, running on a linux machine. According to torstatus.blutmagie.de, cab.cabinethardwareparts.com is on 192.254.168.26. (See https://torstatus.blutmagie.de/router_detail.php?FP=0cc9b8aa649881c39e948e70b662772d8695c2e9) It has fast, exit, guard and stable flags set. The node is apparently unnamed, but there is a whois record. See https://torstatus.blutmagie.de/cgi-bin/whois.pl?ip=192.254.168.26 Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] Phishy
On Mon, 03 Feb 2014 22:33:05 +0100 phrag allegedly wrote: > FYI: Just got this to my Tor relay mail address, with a zip file > attached extracting to a '.scr' win exe. Curiously routed via > a .gov.uk mail relay... > > GB03022014.scr: PE32 executable (GUI) Intel 80386, for MS Windows > I don't think there is anything sinister about this. Yesterday, an old friend of mine sent me the same details relating to an attack he had seen (completely unrelated to Tor). The attachments he sent me were confirmed by virustotal as containing the zeus trojan - usually used in theft of banking credentials. The fact that the attack appears to come from UK GSI email servers is odd, but since the NHS website was compromised yesterday (1), I speculate it may be related - i.e. somebody may be taking a swipe at UK Gov services for reasons which escape me. (1) http://www.theregister.co.uk/2014/02/03/nhs_choices_website_serves_up_100s_of_pages_of_malware/ Mick ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] Problems with domestic ISP blocking publicly listed relays
On Tue, 28 Jan 2014 19:02:32 + Paul Blakeman allegedly wrote: > > SO… > Can using a Tor relay result in your IP getting a “bad” flag? Yes. Running a Tor node on an IP address you share with your domestic usage can result in you being unable to reach sites which blacklist Tor nodes. This sometimes only happens with exit nodes, but some site operators are even more draconian than others and just block all Tor IPs. This can be particularly unfortunate if the site in question is your bank. > Is there anyway of running a relay where you “hide” your IP? No. Tor relay IP addresses have to be visible to be reachable. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Scoreboard enhancements / Trying Trusted Tor Traceroutes
On Sun, 26 Jan 2014 16:04:01 +0100 Sebastian Urbach allegedly wrote: > > My system, as an example, took about 2 days and 23 hours to complete > the run. I use scamper with the default settings. You can also turn > up the pps value and finish even faster. > > How long will this take?: > > http://web.engr.illinois.edu/~das17/tor-traceroute_v1.html#q-howlong > > How much bandwidth, disk space, RAM, and CPU will this consume?: > > http://web.engr.illinois.edu/~das17/tor-traceroute_v1.html#q-howmanyresources > For info, my relay (512MB RAM, 1 core VPS) finished the scamper run (with default settings) in just over 3.5 days. I've just kicked off a second run. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] Trying Trusted Tor Traceroutes
On Sun, 19 Jan 2014 20:57:07 -0600 Anupam Das allegedly wrote: > Dear Tor relay operators, > We have recently received a good > rate of participation by relay operators to our measurement project. > To give everyone an idea of the current participation rate we have > hosted a live scoreboard of all our participants, available at > http://128.174.241.211:443/relay_scoreboard > > The live scoreboard highlights all the IPs from which we received > traceroute results along with the current status of the script > running in their machine. The live scoreboard also summarizes the > participation by the top Tor Families and the top guard and exit > relays. > > We thank all the relay operators who have participated and hope more > relay operators will participate soon. > All Before starting this (given the Hetzner experiences), I checked with my VPS provider (DigitalOcean) that they were happy. They have said that they see no problem, and even if they do later spot an issue they will take no precipitate action because of my prior alert to them. So, guard relay 0xbaddad now has the script running. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] System Time
On Thu, 16 Jan 2014 00:19:13 +1100 nano allegedly wrote: > On 15/01/2014 10:29 PM, Sebastian Urbach wrote: > > Good Morning, > > > > I really tried very hard to stay calm but at least someone has to > > say it. I think operating relays / bridges can be described as a > > cutting edge job or experience. [ deletia ] > > I expect a bit of resistance and a bit of a shitstorm right now. > > Please feel free to direct this straight to me and not to the list. > > I also would like a discussion regarding the facts of the matter to > > take place on this list very much. No shitstorm yet. nano says: > Sebastian, > > I respect your opinion and appreciate your frustration borne from the > inabilities of less skilled correspondents and their submissions. [ deletia ] > In the interest of full disclosure, I > consider myself one of these "new relay operators" [0] so my opinions > are most likely affected by bias. We have all been "noobs" at something at some time. Personally I have benefited immensely over the course of my life from the knowledge and experience of others who were generous enough to share with me. In return, I like to think that others may be able to benefit from whatever small ability I may have by sharing on /my/ experience. I am a firm believer in the maxim that the only dumb question is the one you didn't ask. Best Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] Torservers awarded $250,000 by Digital Defenders
On Sat, 14 Dec 2013 13:28:52 +0100 Christian allegedly wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hej! > > Torservers.net has been awarded $250,000 over two years by the Digital > Defenders Partnership to strengthen and improve the Tor network, the > anonymity system crucial to journalists and human rights defenders > using the Internet. > > <https://blog.torservers.net/20131213/torservers-awarded-25-by-digital-defenders.html> > That is good news. Congratulations to all involved in gaining this support, and many thanks to the donors for their generosity. ----- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Proper bandwidth units [was: Exit nodes on Gandi]
On Mon, 25 Nov 2013 15:46:02 -0500 grarpamp allegedly wrote: > > No. This kind of lazy acceptance is exactly why rockets crash, > and rockets crashing are why one must use proper terms. > 'gib, kib' are not cased correctly, thus people have no idea what > you explicitly mean. They might presume your lazy casing means > 'Gib, KiB' but then your rocket might crash. Reference and > enforcement is the proper cure. > This argument (Mbit/s versus GiB/month) reminds me of the old saw about the most useless unit of velocity (furlongs/fortnight instead of m/sec). Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] OT :Self-signed SSL certs - was - Re: Watching the attacks on my relay
On Sat, 9 Nov 2013 21:30:13 +0600 Roman Mamedov allegedly wrote: > On Sat, 9 Nov 2013 12:50:18 + > mick wrote: > > > I don't see any problem per se with a self-signed certificate on a > > site which does not purport to protect anything sensitive (such as > > financial transactions). The problem with this particular > > certificate is that the common name identifier is both wrong (www) > > and badly formatted (http://) But both of those errors can be > > corrected very quickly. > > > > Why pay a CA if you don't trust the CA model? > > If your primary objection is the need to pay for certificates (and > not e.g. the possibility of CA itself being backdoored etc), then I'd > suggest considering CACert[1]. It provides free wildcard certificates > which are already trusted out of the box by some[2] FOSS operating > systems such as Debian. > > I'd say it is better than trusting individual self-signed certs, and > somewhat better than using your own root CA cert, since it saves the > effort required to install your own CA on all machines you need to > use it on. > > [1] http://www.cacert.org/ > [2] http://wiki.cacert.org/InclusionStatus > Roman Paying for certificates is not my objection. My objection is to the model which says that "if I give money to a commercial entity in exchange for a certificate, that means that the trust chain is valid." I've actually bought certificates for websites I managed in the past and I am deeply unimpressed with the process. And, as you say, the cert could be backdoored. There are a huge number of CAs from all over the place in the default set shipped in ca-certificates - who do I trust? I have looked at CA-Cert in the past. They have the problem of very limited acceptability (https://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers). But as I said, in my particular case, my certs are there to protect my credentials in transit. I don't have to care about whether others trust me. So I don't need a CA. 
(Though if I did want others to trust me, I'd probably use CAcert). Best Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net - signature.asc Description: PGP signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] OT :Self-signed SSL certs - was - Re: Watching the attacks on my relay
On Sat, 9 Nov 2013 09:22:12 -0500 Paul Syverson allegedly wrote: > On Sat, Nov 09, 2013 at 12:50:18PM +0000, mick wrote: > > > > > I don't see any problem per se with a self-signed certificate on a > > site which does not purport to protect anything sensitive (such as > > financial transactions). The problem with this particular > > certificate is that the common name identifier is both wrong (www) > > and badly formatted (http://) But both of those errors can be > > corrected very quickly. > > > > Why pay a CA if you don't trust the CA model? > > > > You may want to take a look at > https://blog.torproject.org/blog/life-without-ca > Paul Thanks for the pointer - nice post. I tend to agree, though I am not personally that fanatical about deleting all CAs in my browser. I /am/ deeply sceptical about what any particular SSL cert may, or may not, be telling me. I use self signed certs on my email server and on my website. But they are there to protect my authentication. I do not expect anyone else to trust them. Mick - Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
Re: [tor-relays] Watching the attacks on my relay
On Fri, 08 Nov 2013 20:15:51 +0100 elrippo allegedly wrote:

> Jope. I tend to have some issues with some CA's.
> But yes you are right, i should get me a decent certificate.
> I will do that, promise.
> > You self signed your site certificate...?
> >
>

I don't see any problem per se with a self-signed certificate on a site which does not purport to protect anything sensitive (such as financial transactions). The problem with this particular certificate is that the common name identifier is both wrong (www) and badly formatted (http://) But both of those errors can be corrected very quickly.

Why pay a CA if you don't trust the CA model?

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Traffic in port 9050 in a relay (denial of service attack?)
On Wed, 06 Nov 2013 14:00:15 +0100 Jeroen Massar allegedly wrote:

> On 2013-11-06 13:47 , mick wrote:
> > On Wed, 06 Nov 2013 14:00:09 +0200
> > Lars Noodén allegedly wrote:
> >
> >> On 11/06/2013 01:26 PM, mick wrote:
> >>> I disagree. Dropping all traffic other than that which is
> >>> explicitly required is IMHO a better practice. (And how do you
> >>> know in advance which ports get attacked?)
> >>
> >> Using reject instead of drop simplifies troubleshooting.
> >>
> >> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
> >>
> >> Drop tends to get in the way.
> >
> > Again, I disagree. But I recognise that this can be a religious
> > decision. My default policy is to drop rather than reject. I know
> > that strict adherence to standards implies we should “REJECT” with a
> > helpful ICMP error message.
>
> Configure your host with DROP, do an nmap, then configure it with
> REJECT thus for Linux:
>
> IPv4: -j REJECT --reject-with icmp-port-unreachable
> IPv6: -j REJECT --reject-with icmp6-port-unreachable
>
> Now repeat that nmap; indeed, for the DROP it is shown that these
> ports are filtered, for REJECT the ports are just 'closed'.
>
> Hence, the adversary did not learn anything in the REJECT case
> (services apparently are not there), but in the DROP case they
> learned that you have a firewall configured and that those services
> are likely there...

Not true. Since my default is to drop for ALL ports not explicitly open and receiving traffic, the adversary has learned nothing about what other services may or may not be there. I have no need to say politely to anyone connecting to any random port on my server, "Sorry, nothing here, you can close your connection". The only legitimate connections inbound to my server are those for which I advertise a service.

>
> As you say it is one of those 'religious' decisions, but in this, the
> facts show what should be preferred for multiple reasons ;)

I also prefer vi to emacs :-)

> > But, doing that can mean that
> > incoming packets with a spoofed source address can get replies sent
> > back to that (innocent) source address. DDOS bots exploit this
> > behaviour.
>
> As there is no amplification (only a portion of the incoming packet is
> included) this is not used; there are much better sources of attack.
>

I agree. DNS amplification is much more dangerous and useful to an adversary. But that does not mean that no adversary will attempt to use ICMP replies in an attack.

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Traffic in port 9050 in a relay (denial of service attack?)
On Wed, 06 Nov 2013 14:00:09 +0200 Lars Noodén allegedly wrote:

> On 11/06/2013 01:26 PM, mick wrote:
> > I disagree. Dropping all traffic other than that which is
> > explicitly required is IMHO a better practice. (And how do you know
> > in advance which ports get attacked?)
>
> Using reject instead of drop simplifies troubleshooting.
>
> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
>
> Drop tends to get in the way.

Again, I disagree. But I recognise that this can be a religious decision. My default policy is to drop rather than reject. I know that strict adherence to standards implies we should “REJECT” with a helpful ICMP error message. But, doing that can mean that incoming packets with a spoofed source address can get replies sent back to that (innocent) source address. DDOS bots exploit this behaviour. I’d rather break standards than help a DDOS bot. :-)

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Traffic in port 9050 in a relay (denial of service attack?)
On Tue, 5 Nov 2013 13:39:50 -0800 I allegedly wrote:

> Ip tables are a mystery to me.
> Can someone either explain them or point to a complete explanation,
> please?
>
> Robert
>
> "Also, use iptables! If it is a dedicated VPS then drop anything you
> don't recognize, "leaving only Tor ports (9001,9030 default) and maybe
> a service port like 22 for SSH for "something. Port 9050 should not
> be visible from outside..."

Robert

The linux kernel ships with a default network packet processing subsystem called netfilter (see http://www.netfilter.org/ for a description of the system). iptables is the mechanism by which you can define rules to apply to packet filtering in that system. Most people use iptables to set up default firewall rulesets allowing inbound traffic only to certain services and denying all others. For example, on a webserver you might wish to allow in only traffic aimed at ports 80 and, if you are running SSL/TLS, 443. (Of course if that webserver is running remotely you almost certainly need to allow in traffic to the ssh port to permit remote administration).

This is not strictly on-topic for the tor list so you might care to spend some time perusing the netfilter web page and its related resources (FAQs, lists etc). Short term and if it helps you, I wrote some recommended iptables configuration scripts a while ago. See https://baldric.net/2012/09/09/iptables-firewall-for-servers/

Note, however, that whilst /I/ believe those configurations to be safe and useful, I would not recommend that you blindly trust my scripts without first understanding what they do. Netfilter is complex, and trusting some unknown third party (me) with your firewall configuration may not be the best idea in the world. :-)

Best

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Traffic in port 9050 in a relay (denial of service attack?)
On Wed, 06 Nov 2013 10:30:30 + Kevin Steen allegedly wrote:

> On 06/11/13 06:09, Andreas Krey wrote:
> > On Tue, 05 Nov 2013 14:09:40 +, Thomas Hand wrote:
> > ...
> >> Also, use iptables! If it is a dedicated VPS then drop anything
> >> you don't recognize,
> >
> > What for? The ports that you want to block are rejected by the
> > kernel anyway, as there is no one listening. (The minor added
> > protection that malware needs to be root to disable iptables and
> > effectively listen - is that worth the work?)
>
> Dropping bad requests will reduce your bandwidth usage through not
> having to send TCP RST responses, and will also increase the workload
> of the attacker as they'll have to wait for a timeout on each
> connection.

It is also good practice to whitelist traffic inbound. The fact that there is no service currently listening on port "N" does not mean that there will /never/ be a service listening on port "N". Blocking by default can protect you from that WTF moment when you find that some system upgrade or reconfiguration has fired up a service you didn't expect or thought you had removed. I've been there. I also believe in belt and braces.

> I wouldn't recommend dropping everything, though, as it makes
> troubleshooting very difficult - just drop connections to ports which
> get attacked.

I disagree. Dropping all traffic other than that which is explicitly required is IMHO a better practice. (And how do you know in advance which ports get attacked?)

Best

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
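The default-deny whitelist argued for in this message, with the DROP-versus-REJECT choice debated in the replies above, as an added example that is not from the thread or from the baldric.net scripts: it generates an iptables-restore ruleset for a dedicated relay with either final action, then compares it with constructed `ss -tln` output to list listeners the whitelist does not cover. Ports 22, 9001 and 9030 are the ones named in the thread; the sample listeners on 3306 and 9050 are assumptions.

```shell
#!/bin/sh
# Added example. Assumed services: sshd on 22, Tor ORPort 9001 and DirPort
# 9030 (the defaults quoted in the thread). IPv4 only; ip6tables needs its
# own ruleset. Load as root with: gen_relay_rules DROP | iptables-restore

# gen_relay_rules [DROP|REJECT]: print an iptables-restore ruleset whose
# INPUT chain whitelists the three services and ends in the chosen action.
gen_relay_rules() {
    case "${1:-DROP}" in
        DROP)
            # Silently discard everything that is not whitelisted.
            final='-A INPUT -j DROP' ;;
        REJECT)
            # Answer the way a host with no listener would: TCP reset for
            # TCP, ICMP port-unreachable for everything else.
            final='-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable' ;;
        *)
            echo "usage: gen_relay_rules [DROP|REJECT]" >&2
            return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 9030 -m conntrack --ctstate NEW -j ACCEPT
$final
COMMIT
EOF
}

# allowed_tcp_ports: read a ruleset on stdin, print each whitelisted --dport.
allowed_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# unlisted_listeners RULESET SS_OUTPUT: comma-separated ports that have a
# non-loopback TCP listener but no ACCEPT rule. Under default deny these are
# unreachable from outside; without the firewall each would be exposed.
unlisted_listeners() {
    allowed=$(printf '%s\n' "$1" | allowed_tcp_ports | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            if (!(port in ok)) seen[port] = 1
        }
        END { for (p in seen) print p }' | sort -n | paste -s -d, -
}

# Constructed sample of `ss -tln` output: a database on 3306 appeared after
# an upgrade, and 9050 is bound to all addresses instead of loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:9001       0.0.0.0:*
LISTEN 0      128    0.0.0.0:9030       0.0.0.0:*
LISTEN 0      128    0.0.0.0:9050       0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

RULES=$(gen_relay_rules DROP)
echo "whitelisted: $(printf '%s\n' "$RULES" | allowed_tcp_ports | paste -s -d, -)"
echo "listening but not whitelisted: $(unlisted_listeners "$RULES" "$SAMPLE_SS")"
```

On a live host, pass the output of `iptables-save` and `ss -tln` in place of the generated ruleset and the sample.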
Re: [tor-relays] Is there any reason to keep the default exit policy?
On Mon, 4 Nov 2013 13:43:29 + Thomas Hand allegedly wrote:

> Running as exit relay should be a consensual and informed decision of
> the operator.
>

Agreed. I'll add my voice to those voting in favour of the default policy for a relay being non-exit. As Tom said, those competent enough to run tor in a VPS can be trusted to be competent enough to edit torrc to allow exit (and apply an appropriate policy). A naive, or new, tor user should not be bitten by a default exit. As I believe Gordon M said earlier, that is a serious "WTF?"

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] VPS
On Sun, 20 Oct 2013 12:40:52 -0800 I allegedly wrote:

> Mick,
>
> Is Serverstack.nl particularly pro-tor exit nodes?
> By the front page it would seem so.
>
> Robert

Heh! I hadn't seen that before. (Though take a look at serverstack.com for a more, erm, normally corporate front page). Honestly, I do not know serverstack's position. I rent that particular VPS from digitalocean, it just happens to be in Amsterdam on AS46652. digitalocean's own position appears to be supportive of non-exit relays only.

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] VPS
On Sun, 20 Oct 2013 10:58:20 -0700 Gordon Morehouse allegedly wrote:

>
> If you're on a 10Mbps port and set your limits to about 5Mbps
> RelayBandwidthRate, you're going to need more than 256MB - probably
> more like 768MB and a cron job to restart Tor if it chews up all RAM
> and gets itself killed.

I run tor perfectly happily on a VPS with 512MB of RAM. That node is on a Gig backbone, advertises 2.1 MB/s (2100 KB) and shovels data at anywhere between 24 and 32 Mbit/s all day every day for a monthly total of anywhere from 9.5 to 10.5 TiB per month.

See https://atlas.torproject.org/#details/C332113DF99E367E4190424CE825057D91337ADD

last rebooted when I upgraded to Tor 0.2.4.17-rc about three weeks ago.

The limiting factor on a pi is not just memory. It is CPU.

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
[tor-relays] BBG and Tor funding
See http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption

Note the new addition at the end of this article, presumably added at the request of BBG

"• This article was amended on 4 October after the Broadcasting Board of Governors pointed out that its support of Tor ended in October 2012."

So. How does this square with BBG's alleged support for financing new fast exit relays?

https://lists.torproject.org/pipermail/tor-relays/2013-September/002824.html

Best

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] relays "in the cloud"
On Wed, 2 Oct 2013 02:21:13 -0400 grarpamp allegedly wrote:

>
> The community should make node placement more of a
> process under some metrics to avoid placement collisions.
> 'myfamily' is a concept that spans more than just the operator.

An interesting, and very valid point. One drawback of the advertisement of "tor friendly" ISPs (either on the list or on the wiki) could be a tendency to cluster nodes to the detriment of the network.

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Too little traffic on my #2 non-exit relay
On Wed, 18 Sep 2013 20:41:17 +0200 Christian Dietrich allegedly wrote:

> Thanks, but both relays have been started at the same time.
> Due to the fact that they also have the same configuration,
> both should offer up to 1 gigabit/s bandwidth.
>
> "RelayBandwidthRate 125 MBytes
> RelayBandwidthBurst 125 MBytes"
>
> Both relays are exactly the same, except for the IPv4 address.
>

Neither relay shows any family members. That /may/ cause a problem since they are obviously related.

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Overload data for Exit vs Non-Exit (and Guard vs Middle)?
On Sat, 31 Aug 2013 18:30:41 +0100 mick allegedly wrote:

> Here you go:
>
> https://pipe.rlogin.net/munin/network-month.html
> etc

U. I've just had a (paranoid?) thought after reading the recent post from Gordon Morehouse about DDOS. I don't normally expose those stats to the world. Indeed I'd guess a few other people who collect such stats don't either. Now, whilst these stats (along with those from others who respond) might help investigations of the impact of whatever is causing the recent uptick, we may also be giving valuable data to whoever is behind the attack (if we assume it is an attack).

As I said, probably paranoid, but if there /is/ a single actor behind this phenomenon then he or she might be delighted to be given such a collection of data points from the network.

Oh well.

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Overload data for Exit vs Non-Exit (and Guard vs Middle)?
On Fri, 30 Aug 2013 18:25:54 -0700 Mike Perry allegedly wrote:

> To try to get to the bottom of the recent influx of clients to the Tor
> network, it might be useful to compare load characteristics since 8/19
> for nodes with different types of flags.
>
> People with Munin setups: it would be especially useful if you could
> post links/graph images for connection counts, bandwidth, and CPU load
> since 8/19.

Here you go:

https://pipe.rlogin.net/munin/network-month.html
https://atlas.torproject.org/#details/C332113DF99E367E4190424CE825057D91337ADD

Tor is running on bin.rlogin.net. I am currently seeing close to 6000 established connections (or three times normal mean) but actual traffic is only running slightly higher than normal. My vnstats for the last month are at https://baldric.net/2013/08/31/vnstat-on-my-tor-node/

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
[tor-relays] huge increase in relay traffic
I'm currently seeing more than a doubling of connections (from a mean of c. 2000 established connections to just over 5000) on my relay at 0xbaddad. The log is full of the (expected) messages: "Your computer is too slow to handle this many circuit creation requests!"

I guess this is related to the massive jump in connected clients in the past few days and I assume that everyone else is seeing something similar.

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Hello List
On Wed, 28 Aug 2013 10:37:34 -0400 "Kevin C. Krinke" allegedly wrote:

> What services (other than Tor) can I host?
> What else is needed in the general community?
>

Kevin

Congratulations and welcome. You could consider a tails mirror https://tails.boum.org/contribute/index.en.html

But I'd recommend against running it on your relay. If you have free capacity elsewhere then I'm sure the guys at tails would be happy to hear from you.

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] new relays
On Tue, 27 Aug 2013 19:34:13 -0700 Andy Isaacson allegedly wrote:

>
> If only there were a separate TCP port for HTTP-with-Porn and all the
> pornographers used it, then an exit policy for "HTTP-without-porn"
> would be possible. But alas, we don't even have vague agreement on
> what constitutes porn, much less a social contract requiring all
> pornographers to segregate their traffic for our convenience.
>
> RFC6969, Pornographic HTTP. #ideasforapril1

Wonderful! Love it. (I have often pondered the possibility of a DPI "porn filter" which rejects traffic based on the "proportion of flesh coloured packets to the total" or some such nonsense. Second order problem - define "flesh coloured".)

Best

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] new relays
On Wed, 28 Aug 2013 07:22:16 +0200 Andreas Krey allegedly wrote:

> On Tue, 27 Aug 2013 23:12:01 +, Tor Exit wrote:
> >GET /index.php?file=../../../../../../../etc/passwd
> >
> > Why not employ similar techniques on a Tor exit? We can be 100%
> > sure about the malicious intent.
>
> No, you can't be sure. That request could quite well be totally
> legitimate; you are not in a position to judge for the site owner.
>

Absolutely true. I could be using tor to test my own website's security mechanisms. In fact, I /have/ used tor to test my own websites.

Best

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] new relays
On Tue, 27 Aug 2013 11:08:34 -0500 Jon Gardner allegedly wrote:

> On Aug 22, 2013, at 11:56 AM, mick wrote:
>
> > Tor is neutral. You and I may agree that certain usage is unwelcome,
> > even abhorrent, but we cannot dictate how others may use an
> > anonymising service we agree to provide. If you have a problem with
> > that, you probably should not be running a tor node.
>
> Then why have exit policies? Exit nodes regularly block "unwelcome"
> traffic like bittorrent, and there's only a slight functional
> difference between that and using a filter in front of the node to
> block things like porn (which, come to think of it, also tends to be
> a bandwidth hog like bittorrent--so it doesn't have to be just a
> moral question). If someone has a problem with exit nodes blocking
> things like porn (or bittorrent, or...), then they probably should
> not be using Tor.
>
> The very idea of Tor is based on moral convictions (e.g., that
> personal privacy is a good thing, that human rights violations and
> abuse of power are bad things, etc.).

Nope. Not in my view. Tor's USP is anonymity of access to any and all network resources. I say again, tor is neutral. It cares not about what those resources are - it just shovels bits. And as a relay operator I cannot say that bits of type A are OK to retrieve but not bits of type B. I do not even know what type of bits are transferred. As someone else here said "censorship implies surveillance".

> The Tor devs go to great lengths to try to keep "evil" governments
> from using Tor against itself. Why not devote some effort toward
> keeping "evil" traffic off of Tor?

Define "evil" (or its converse "good"). I'd bet that given any random selection of people in a room you'd get a broad spectrum of views. The only way you can safely meet /all/ those views is not to take a position at all and remain neutral. I repeat tor is neutral.

>
> It's worth discussion.
>

I agree.

Best

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] new relays
On Thu, 22 Aug 2013 08:45:33 -0500 a432511 allegedly wrote:

>
> I just spun up 2 relays (1 exit, 1 non-exit) in Amsterdam using
> DigitalOcean as the VPS provider. It's been up for about 8 hours now.
> Here was the message I sent to them regarding the servers:
>

I have three DigitalOcean VMs. One in Amsterdam is a (non-exit) relay (https://baldric.net/2013/01/13/what-a-difference-a-gig-makes/), the other two, in SanFrancisco and NYC, are tails mirrors. /Before/ starting the tor relay I specifically asked DO if they had any problems with tor. They told me much what they have apparently told you. Certainly I gained the impression that they would not be happy if their IP addresses appeared in abuse complaints. (https://www.digitalocean.com/community/questions/tor)

I followed up that conversation in a support ticket and they have been fine with me running a relay ever since.

>
> The other thing that I am weighing is just a moral question regarding
> misuse of the Tor network for despicable things like child porn. I
> understand that of all the traffic it is a small percentage and that
> ISPs essentially face the same dilemma, but I wonder if more can be
> done to make Tor resistant to evil usage.
>

Tor is neutral. You and I may agree that certain usage is unwelcome, even abhorrent, but we cannot dictate how others may use an anonymising service we agree to provide. If you have a problem with that, you probably should not be running a tor node.

Best

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] VPS Hardware Specification & Advice
On Tue, 06 Aug 2013 20:40:11 +0200 Tor Pids allegedly wrote:

>
> The VPS specs you posted should be more than enough - but the price
> is too expensive!
>
>

Seconded. You could easily get 1TiB pcm for < 5 UKP (i.e. around 5 euros or 5 USD). 7-10 euros should buy you 2 TiB. I can recommend digitalocean.com at 5 USD. They have offerings in Amsterdam, SanFrancisco and NYC. They are happy to allow relays, less happy with exits.

HTH

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] VPS
On Sat, 3 Aug 2013 16:54:20 -0400 George Herndon allegedly wrote:

> i'm happy with digitalocean
>
> George Herndon
> ghern...@eyeontech.com

And so am I - for a relay. DO are not very keen on exits. See https://www.digitalocean.com/community/questions/tor

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] What to do about port scans?
On Wed, 31 Jul 2013 14:48:05 -0400 Steve Snyder allegedly wrote:

> I wouldn't have thought that the Tor network was fast enough for port
> scanning, but apparently it is. I have recently seen a rash of SSH
> port scanning (or so my ISP reports). What can/should I do about
> this?

I'm not sure exactly what you are saying here.

1. Do you mean that the scans (directed at you) all came from tor exit nodes?
2. Or do you mean that your tor node was scanned from elsewhere?
3. Or do you mean that your tor exit node was used in port scanning someone else?

> I know I can limit the rate of connections using iptables. What's
> the consensus on this? Is this considered advisable, or a breach of
> expected exit node behavior?

If you are an exit node and you allow connection to port 22, and you are being used to scan others (3 above) then I would say it would be inadvisable to interfere with that connection. Better to be explicit in your exit policy by denying exit to port 22. Of course that simply moves the problem to some other exit node, but your ISP will stop complaining (which may be what you need).

>
> Do I have any options other than iptables to restrict the rate of
> port 22 connection attempts?

I find that there is a huge drop in ssh scanning activity if the daemon is simply moved to a non-standard port. So if the problem is 1 or 2 above, a simple sshd reconfig may help.

HTH

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Sitevalley is no longer Tor-friendly
On Thu, 18 Jul 2013 12:02:29 -0400 krishna e bera allegedly wrote:

> On 13-07-18 11:51 AM, mick wrote:
> >
> > I wonder if we are going to see more of this sort of thing now. I
> > think the tor network needs greater geographic diversity.
>
> Makes me wonder if there is some kind of legal pressure being applied
> to American ISPs to disallow Tor and similar services and
> infrastructure. Or perhaps owners of some ISPs are polarizing toward
> the PATRIOT act side especially after the Snowden thing.
>

I'd like to think it may simply be a form of "self censorship" i.e. the ISP is wary of some future, unspecified, action and simply seeks a quiet life. I can't see legal pressure working - tor violates no laws.

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Sitevalley is no longer Tor-friendly
On Thu, 18 Jul 2013 10:49:46 -0400 Tom Ritter allegedly wrote:

> Sending this out, as I suspect I am not the only person running a node
> on SiteValley, as they have pretty good bandwidth for pretty cheap.
>
> I had inquired in the beginning if they allowed Tor, and they said
> yes, but if we get too many abuse complaints we'll shut it down. So
> maybe 4 or 5 abuse complaints later they did indeed give me the
> ultimatum to shut it down or get shut down. So I made them give me a
> new IP address, and made it into a middle node. (The new IP was
> because I was thinking of making it a bridge.)

Hmm. Pretty crummy AUP. And /very/ crummy treatment of a customer. I wonder if we are going to see more of this sort of thing now. I think the tor network needs greater geographic diversity.

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Home broadband - worth running a relay?
On Sat, 13 Jul 2013 10:03:11 -0700 Gordon Morehouse allegedly wrote:

> mick:
> > Gordon
> >
> > Thanks - useful to know. Any information on the openVZ offering?
> >
> They told me it was rebooted much less often, but they didn't offer it
> in Iceland, which is where I was interested in having my data
> physically located. They also said the Iceland KVM nodes tended to
> get rebooted a lot less than where I was at the time (continental
> Europe at one of their many locations). So, YMMV.
>
> But I would say, the Edis OpenVZ offerings are probably pretty good
> for Tor relays.

Gordon

Again, thanks for the info.

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Home broadband - worth running a relay?
On Fri, 12 Jul 2013 19:04:22 -0700 Gordon Morehouse allegedly wrote:

> mick:
> > Forgot to add - take a look at http://www.edis.at/en/home for
> > example. They have reasonable offerings (but limited on the KVM
> > option) in a variety of countries and I have already established
> > that they would be comfortable with non-exit tor relays.
>
> Be aware that depending on the data center, the KVM nodes at Edis get
> rebooted fairly often ... if you want to run a larger relay and be
> flagged stable, maybe not the best choice.
>
> -Gordon

Gordon

Thanks - useful to know. Any information on the openVZ offering?

Best

Mick
-----
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Home broadband - worth running a relay?
On Fri, 12 Jul 2013 14:22:44 +0100 mick allegedly wrote:

> On Thu, 11 Jul 2013 21:43:00 +0100
> Nick allegedly wrote:
>
> > Hi there,
> >
> > I have a reasonable ADSL connection, and a little always-on
> > server. The bandwidth is in the region of 2Mib/s down, something
> > less up (maybe 256Kib/s). Is it useful for me to run a tor relay
> > with this bandwidth? I'd like to run one which isn't an exit, at
> > least for now.
> Nowadays you can get a useful amount of bandwidth (1-2 TiB pcm) on a
> reasonably specced VM (512 Mb RAM, 1 core, 20-40 GB disk) very cheaply
> (on the order of 5-10 UKP pcm, or much less if you shop around). Take
> a look at lowendbox.com for some ideas of offers on cheap VPS. Then do
> some research on the suppliers, contact those you shortlist and be
> open about what you intend to do.

Forgot to add - take a look at http://www.edis.at/en/home for example. They have reasonable offerings (but limited on the KVM option) in a variety of countries and I have already established that they would be comfortable with non-exit tor relays.

Mick
-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Home broadband - worth running a relay?
On Thu, 11 Jul 2013 21:43:00 +0100 Nick allegedly wrote:

> Hi there,
>
> I have a reasonable ADSL connection, and a little always-on server.
> The bandwidth is in the region of 2Mib/s down, something less up
> (maybe 256Kib/s). Is it useful for me to run a tor relay with this
> bandwidth? I'd like to run one which isn't an exit, at least for
> now.
>
> If not, am I correct in thinking that a bridge is an appropriate
> help? That's what I'm doing currently, but if a relay would be more
> useful I'd be very happy to do that.
>
> One other unrelated(ish) question: I'm in the UK, where the idea of
> censorship isn't resisted as strongly as it ought to be, and as a
> result my internet connection is subject to a smallish amount of
> censorship: whatever is on the secret IWF blacklist plus the pirate
> bay. Does this mean that running an exit node from a home connection
> here at some point in the future would not be helpful? Or only if
> all HTTP(S) was blocked (as the IWF blacklist is secret there's
> presumably no way to tell the tor network what is inaccessible from
> this node).

Nick

I too am in the UK. In my view, running tor on your home broadband connection is probably a bad idea. As you have already noted, the connection is not completely unfiltered and you may find other problems arise as soon as you try to run a relay. I think you might find it almost impossible to successfully run an exit relay without a lot of hassle from your ISP which might end up in your disconnection. Besides that, the amount of bandwidth available on a domestic ADSL is low and you will find that tor impacts heavily on usage unless it is heavily throttled.

For several years now I have successfully run relays (both exit and non-exit) on fairly cheap VPSs. This has the dual advantage of separating your own connection from tor and of providing dedicated bandwidth to the relay. You will need to check with the VPS provider that they are happy to allow tor. Some are, most aren't and of those most are not happy with exit relays because they end up getting (often robotic) abuse complaints. Of course your VPS does not have to be in the UK.

I have run relays with bytemark.co.uk (non-exit), daily.co.uk (exit and non-exit) thrustvps.com (ditto) rapidswitch.com (ditto). I currently use digitalocean.com (in the Netherlands, but a US company) and thrust - though for a variety of reasons I will probably drop thrust at the end of my contract with them and move that one elsewhere.

Always/always check the ISP's AUP in advance and then email them telling them what you intend to do before signing up. In my experience, those which are content to allow tor sometimes change their mind after the first few abuse complaints. You then have the option of switching to non-exit, or simply taking your custom elsewhere. It depends on how you want to play things and what you are getting for your money.

Nowadays you can get a useful amount of bandwidth (1-2 TiB pcm) on a reasonably specced VM (512 Mb RAM, 1 core, 20-40 GB disk) very cheaply (on the order of 5-10 UKP pcm, or much less if you shop around). Take a look at lowendbox.com for some ideas of offers on cheap VPS. Then do some research on the suppliers, contact those you shortlist and be open about what you intend to do.

HTH

Mick

-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] How does CERT-FI know my SOCKS4 port?
On Wed, 10 Jul 2013 17:04:12 +0200 Logforme allegedly wrote:

> I assume the ISP did a port scan. Do you have port 9050 open in your
> firewall?

Unlikely. I think it would be very unusual for an ISP in any country to portscan anyone without prior authority (such as would appear in a contract). Such action is illegal in many jurisdictions. And in any case, Steve has already said that his socks port is bound only to localhost (127.0.0.1).

The report from CERT-FI must simply record the fact that they have seen (or had reported) apparent open proxy relaying from Steve's IP address with source port 9050. Without a lot more detail about configuration, and the exact details of the reporting from CERT-FI it is difficult to make any assumptions.

If I were Steve, I would contact CERT-FI directly for more information. They are likely to be very helpful.

Mick

> On 2013-07-10 15:57, Steve Snyder wrote:
> > My ISP recently sent to me a CERT-FI auto-report on
> > malware-infected servers in my ISP's address space. I was sent
> > this report because my IP address was among those flagged. My
> > entry looks like this:

-
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
-
Re: [tor-relays] Tor node monitoring
On Wed, 17 Apr 2013 01:19:34 +0200 Lunar allegedly wrote:

> Alex Beal:
> > I was wondering what, if any, software you use for monitoring your
> > relays. It would be nice if I could get an email when the Tor
> > daemon crashes, and maybe another every night telling me about
> > bandwidth used, average speed, etc.
>
> For external monitoring, I wrote a Nagios check using Stem. It is
> available at:
>
> http://anonscm.debian.org/gitweb/?p=users/lunar/check_tor.git
>

and there are munin plugins by Ge van Geldorp (tor_connections and tor_traffic) at

http://munin-monitoring.org/wiki/PluginCat

Beware that the old munin exchange site has disappeared.

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] BitTorrent complaint
On Tue, 9 Apr 2013 18:01:40 +0100 mick allegedly wrote:

>
> Though personally I'm with Romanov here.

Correction. "Roman" (forgive me Roman).

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] BitTorrent complaint
On Tue, 09 Apr 2013 18:33:26 +0200 bartels allegedly wrote:

> On 04/09/2013 06:24 PM, Steve Snyder wrote:
> > Just make life easy for yourself and use the Reduced Exit Policy:
> >
> >https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
> Good advice. Had not seen that.
>
> Must say it is a pretty loose list. I do not see the point in
> accessing a squid proxy server over tor. It sort of defeats the
> purpose.

Or if you really feel you /must/ run an exit at this stage, try limiting yourself to just http and https.

    ExitPolicy accept *:80
    ExitPolicy accept *:443
    ExitPolicy reject *:*

Though personally I'm with Romanov here. Just relay with no exit until you have a better feel for tor.

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] big spike in cpu usage
On Sun, 07 Apr 2013 21:35:36 +0200 Miłosz Gaczkowski allegedly wrote:

> On 07/04/2013 20:25, Andreas Krey wrote:
> > No, it's not 'per second'. [...]
> Oh, wow, looks like I completely misunderstood what
> RelayBandwidthBurst does. I assumed it's a burst rate that would be
> occasionally allowed in peak times, not a "credit limit". If you're
> sure your description is correct, I may need to reconfigure my node.

Errr. Me too. My RelayBandwidthBurst limit is set on the assumption that that is the max I will ever see (and allow).

Confused.

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
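The tor manual describes BandwidthRate and BandwidthBurst (and their Relay* counterparts) as a token bucket: the rate is the credit added per second and the burst is the bucket size in bytes. The sketch below is an added illustration, not code from this thread or from Tor; it is a simplified one-direction model with one refill per second, uses the 250 KB / 500 KB values quoted in this thread, and assumes "KB" means 1024 bytes.

```python
"""Simplified token-bucket model of RelayBandwidthRate / RelayBandwidthBurst.

Illustration only, not Tor's implementation: one direction, one refill per
second, and "KB" taken as 1024 bytes.
"""

KB = 1024


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate      # bytes of credit added every second
        self.burst = burst    # bucket size: the most credit that can be saved
        self.tokens = burst   # an idle relay starts with a full bucket

    def tick(self, demand):
        """Advance one second and return how many of `demand` bytes go out."""
        sent = min(demand, self.tokens)
        self.tokens -= sent
        # Unused credit carries over, but never beyond the bucket size.
        self.tokens = min(self.burst, self.tokens + self.rate)
        return sent


def simulate(rate, burst, demand_per_second):
    """Return the bytes sent in each second for a list of per-second demand."""
    bucket = TokenBucket(rate, burst)
    return [bucket.tick(d) for d in demand_per_second]


def sustained_total(rate, burst, seconds):
    """Bytes sent over `seconds` when demand always exceeds the limits."""
    saturating = 10 * max(rate, burst)
    return sum(simulate(rate, burst, [saturating] * seconds))


if __name__ == "__main__":
    rate, burst = 250 * KB, 500 * KB

    busy = simulate(rate, burst, [1000 * KB] * 6)
    print("saturated :", [b // KB for b in busy])

    idle_then_busy = simulate(rate, burst, [0] * 5 + [1000 * KB] * 3)
    print("idle first:", [b // KB for b in idle_then_busy])

    # Raising the burst tenfold changes only the opening spike.
    for b in (burst, 10 * burst):
        total = sustained_total(rate, b, 600)
        print(f"burst {b // KB:>5} KB -> {total / 600 / KB:.1f} KB/s over 10 min")
```

In this model the burst is spent once and then throughput falls back to the rate, so the long-run average is set by the rate and the burst only bounds how much saved credit can go out at once.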
Re: [tor-relays] big spike in cpu usage
On Fri, 5 Apr 2013 13:50:29 -0400 Owen Gunden allegedly wrote:

> I have been running a non-exit tor relay for a few months now. It's
> on a metered VPS, so after some experimenting I found that I can
> afford about this much bandwidth:
>
> RelayBandwidthRate 250 KB
> RelayBandwidthBurst 500 KB

Owen

You don't give details of your VPS, so comparisons may be difficult. But I have the following config options on my main (non-exit) relay:

--
NumCPU 1
MaxOnionsPending 300
# rate limit - anything above about 2500 KB seems to cause tor
# to invoke oom-killer
BandwidthRate 2100 KB
BandwidthBurst 2200 KB
---

That relay is on a VM with 512Mb RAM, one CPU slice and 1Gig network connectivity (with unlimited traffic allowance). Stats can be seen at:

https://atlas.torproject.org/#details/C332113DF99E367E4190424CE825057D91337ADD

I had the same problems you are seeing until I set the rate limits above and increased MaxOnionsPending to 300. My CPU usage now hovers around 65-85% for about 2000 established tor connections.

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] Recommended specifications for 1Gbps exit
On Mon, 04 Mar 2013 18:37:01 + Matt Joyce allegedly wrote:

> Of course being a server any contention is more likely going to be on
> the other side, but while I can find gigabit capable servers to try
> pulling from finding one to try pulling from me is entirely another
> story. I did make a test file if anyone has the connection and 1GB of
> bw to try please let me know what you get
> http://torexit2.mttjocy.co.uk/1GBtest.bin
>

Matt

A thought. You could try for yourself using the same service I used at https://www.digitalocean.com/features if you wanted to run some more tests. Digital Ocean sell their "droplets" by the hour. So you could easily fire up a test VM for less than the cost of a coffee and doughnuts...

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] Recommended specifications for 1Gbps exit
On Mon, 04 Mar 2013 18:37:01 + Matt Joyce allegedly wrote:

>
> Of course being a server any contention is more likely going to be on
> the other side, but while I can find gigabit capable servers to try
> pulling from finding one to try pulling from me is entirely another
> story. I did make a test file if anyone has the connection and 1GB of
> bw to try please let me know what you get
> http://torexit2.mttjocy.co.uk/1GBtest.bin
>

Here you go:

http://rlogin.net/tor/torexit2.txt

Deeply unscientific, but real world.

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] US Investigators seem to learn
On Mon, 18 Feb 2013 06:32:55 -0800 Andrea Shepard allegedly wrote:

> On Mon, Feb 18, 2013 at 01:26:26PM +0000, mick wrote:
> > Whilst not quite a 1:1 ratio, it is close enough I think to show
> > that this is simply an agnostic relay. However, would not an exit
> > node show unbalanced traffic? Most net activity these days is web
> > browsing which is decidedly asymmetric - small outbound requests
> > result in much larger inbound responses. Won't an exit relay
> > reflect that as it is the last hop before the actual target site?
>
> It'd be balanced by the encrypted traffic to the middle node.

Ah yes, of course!

Thanks

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] US Investigators seem to learn
On Mon, 18 Feb 2013 02:05:40 -0800 Andrea Shepard allegedly wrote:

> On Mon, Feb 18, 2013 at 04:59:09AM -0500, grarpamp wrote:
> > > I thought I would let you know: Our US hoster is regularly
> > > contacted by law enforcement about our exits there. Some agents
> > > ask if the traffic pattern is balanced, ie. if the same amount of
> > > traffic enters and leaves the box.
> > >
> > > I always argue that this is a good indicator for Tor traffic, and
> > > that it is bad to mix Tor traffic with other traffic for that
> > > exact reason.
> >
> > Due to encryption and compression it might only be balanced to
> > within some typical ratio. I'm sure you have a handle on that
> > number. But that any non 1:1 ratio could make it appear to be
> > serving (or receiving) continual amounts of data. Which in the eye
> > of agents could raise question. Another question is whether these
> > US hosts are just volunteering this data to whoever comes asking,
> > with or without your instruction, or complying with formal legal
> > orders?
> >
> > On the plus side, hopefully everyone is coming away with the
> > fact that it's just an uninteresting, agnostic, relay service and
> > time is better spent elsewhere.
>
> Interesting; I'm pretty sure we do not use TLS compression. Nick M.,
> that's true, yeah?
>
> On the other hand, it could also be unbalanced because of:
>
> * Using that Tor process as a client
> * Running a hidden service on that Tor process
> * Running a directory mirror
>

For anyone who is interested I have posted the vnstat stats for my newest relay (0xbaddad) at http://rlogin.net/tor/bin-vnstats.txt

Whilst not quite a 1:1 ratio, it is close enough I think to show that this is simply an agnostic relay. However, would not an exit node show unbalanced traffic? Most net activity these days is web browsing which is decidedly asymmetric - small outbound requests result in much larger inbound responses. Won't an exit relay reflect that as it is the last hop before the actual target site?

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] ServerAstra from hungary allows exit relays
On Sun, 13 Jan 2013 05:37:44 +0600 Roman Mamedov allegedly wrote:

>
> My history with DigitalOcean ($5/month), in/out/total:
>
> Dec '12      4.99 TiB |    5.32 TiB |   10.31 TiB |   44.00 Mbit/s
> Nov '12      6.35 TiB |    6.84 TiB |   13.19 TiB |   43.70 Mbit/s
> Oct '12      2.10 TiB |    2.26 TiB |    4.36 TiB |   13.97 Mbit/s

A caveat on digitalocean. I signed up for a trial (and am happy) but I couldn't believe that my current traffic level was sustainable long term at that price point. So I specifically asked the question "what can I realistically use?"

They replied:

"We are currently offering free bandwidth and we certainly appreciate you reaching out to us because you are pushing a substantial amount and we do have backend processes running that constantly run consistency and health checks and bandwidth usage is something that we monitor. Mainly for detecting abuse or otherwise suspicious traffic.

Your current traffic level of 32-40Mbps is fine.

In the future we will eventually switch away from a free bandwidth model. Initially we roll out features to make everything simpler and to gauge our customers usage and to understand how to best cater the service to their needs."

So - prices /will/ go up and/or bandwidth allowance /will/ go down.

Best

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] DigitalOcean, cheap VPS that's ok with middle relays
On Tue, 08 Jan 2013 10:47:40 -0800 Micah Lee allegedly wrote:

> FYI, I just discovered a VPS provider DigitalOcean, and they seem fine
> with people running non-exit nodes:
>
> https://www.digitalocean.com/community/questions/tor

Yep - that "mick" was me. I contacted them through their forum following a recommendation from Roman Mamedov on this list (see my post of 4 January).

> The cheapest plan is $5/month (256mb ram, 1 core, 20gb drive) with
> unlimited bandwidth. They give you New York and Amsterdam IP
> addresses. I haven't tried running a relay on it so I don't know how
> much bandwidth you can practically use, but it looks promising.
>

As I mentioned in an earlier post, I signed up for their cheapest plan (on 31/12/12) to test it. The VM has debian installed. I initially fired up tor with no restrictions whatever to see what happened. I quickly ran out of CPU cycles. Tor log complained "Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy." At one point (after a couple of days) tor just stopped and did not restart.

No setting for MaxAdvertisedBandwidth I tried seemed to make any difference so I started experimenting with various throttle limits on the relay. I also set NumCPU to 1 and MaxOnionsPending 250 after reading a post recommending that.

I currently have BandwidthRate 2500 KB and BandwidthBurst 2800 KB set and have a stable node that is running at circa 34 Mbit/s with just over 1000 tor circuits. Top reports cpu usage at around 30% and my vnstat stats (see below) predict 8.62 TiB traffic for the month.

Now that I have a baseline, I will start to slowly ramp up the bandwidth allowance again to see what happens.

Frankly, compared to my previous experience with some UK providers (see my posts about thrustvps in particular) this level of traffic for this price is astounding. If it keeps up, I'll likely pay for extra servers.

Mick

vnstat snapshot this morning -

Database updated: Wed Jan  9 09:02:29 2013

   eth0 since 12/31/12

          rx:  1.15 TiB      tx:  1.18 TiB      total:  2.33 TiB

   monthly
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
       Dec '12     75.50 MiB |    2.35 MiB |   77.85 MiB |    0.24 kbit/s
       Jan '13      1.15 TiB |    1.18 TiB |    2.33 TiB |   27.63 Mbit/s
     ------------------------+-------------+-------------+---------------
     estimated      4.25 TiB |    4.36 TiB |    8.62 TiB |

   daily
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     yesterday    213.13 GiB |  217.74 GiB |  430.87 GiB |   41.83 Mbit/s
         today     64.71 GiB |   66.44 GiB |  131.16 GiB |   33.80 Mbit/s
     ------------------------+-------------+-------------+---------------
     estimated    171.93 GiB |  176.52 GiB |  348.46 GiB |

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
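Elsewhere in this archive the rx/tx balance of a relay is discussed as a rough indicator that a box is only relaying. The following is an added example, not part of the original post: it parses the traffic rows of the vnstat snapshot above and reports the tx/rx ratio per row. The function name `balance` and the 10% tolerance are assumptions chosen for illustration.

```python
import re

UNIT = {"KiB": 2**10, "MiB": 2**20, "GiB": 2**30, "TiB": 2**40}

# Traffic rows taken from the vnstat snapshot in the message above.
SNAPSHOT = """\
   monthly
                     rx      |     tx      |    total    |   avg. rate
       Dec '12     75.50 MiB |    2.35 MiB |   77.85 MiB |    0.24 kbit/s
       Jan '13      1.15 TiB |    1.18 TiB |    2.33 TiB |   27.63 Mbit/s
   daily
     yesterday    213.13 GiB |  217.74 GiB |  430.87 GiB |   41.83 Mbit/s
         today     64.71 GiB |   66.44 GiB |  131.16 GiB |   33.80 Mbit/s
"""

# label, then "<number> <unit> |" for rx and again for tx.
ROW = re.compile(
    r"^\s*(?P<label>\S.*?)\s+"
    r"(?P<rx>\d+(?:\.\d+)?) (?P<rxu>[KMGT]iB)\s*\|\s*"
    r"(?P<tx>\d+(?:\.\d+)?) (?P<txu>[KMGT]iB)\s*\|"
)


def balance(snapshot, tolerance=0.10):
    """Return [(label, tx/rx ratio, within_tolerance)] for each traffic row.

    `tolerance` is an assumed threshold: a row counts as balanced when
    tx/rx is within 10% of 1:1. Header and separator lines are skipped.
    """
    results = []
    for line in snapshot.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rx = float(m["rx"]) * UNIT[m["rxu"]]
        tx = float(m["tx"]) * UNIT[m["txu"]]
        if rx == 0:
            continue  # no received traffic, ratio undefined
        ratio = tx / rx
        results.append((m["label"], round(ratio, 3), abs(ratio - 1) <= tolerance))
    return results


if __name__ == "__main__":
    for label, ratio, ok in balance(SNAPSHOT):
        verdict = "balanced" if ok else "NOT balanced"
        print(f"{label:<10} tx/rx = {ratio:<6} {verdict}")
```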
Re: [tor-relays] Disappointing AUP - (was Re: DDOS?)
On Sat, 05 Jan 2013 11:40:42 +0100 Moritz Bartl allegedly wrote:

> If we did not run too many exits already, I would go for a Hong Kong
> server with Limehost:
> http://www.limehost.ro/servere/dedicated-models.html
>
> We have one of their older offers, dedi Gbit for 110 Euro in Romania.
> I am not sure if they allow Tor exits in Hong Kong, but it does not
> hurt to ask.
>

Thanks Moritz.

I'm currently trialling a VPS at digitalocean.com in Amsterdam. So far it is looking very good - I'm not accustomed to unmetered traffic allowance on a Gig network so I'm having to play with the configuration to prevent tor outpacing the VPS.

Cheers

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] Disappointing AUP - (was Re: DDOS?)
On Tue, 01 Jan 2013 20:24:36 -0700 j...@duskro.net allegedly wrote:

> Are you only seeking providers outside of the U.S.?
>
> I've been using PhoenixNAP for the last two years and am very happy
> with their services. It's a dedicated server provider located in the
> United States, but they are still very affordable. I've contacted
> them in the past about running a TOR exit relay, and they said they
> had no problems with it.

Josh

Thanks for the pointer - but yes, I'd prefer to stay away from the US. I think the US is probably already well served with tor nodes.

Cheers

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
[tor-relays] MaxAdvertisedBandwidth advice please
Hi all

Following a couple of my earlier messages to the list (about alleged DDOS on my node) I started up a new relay only node with digitalocean (thanks to Roman Mamedov for the pointer). In order to test their service I signed up for the minimal sized "droplet" (VPS) - 256Mb RAM, 1 core, 20Gb disk. Very quickly the VPS ramped up to over 1000 tor connections and a throughput of 25Mbit/s with a daily total traffic of 230 GiB. Absolutely astonishing when compared to the appalling service I was getting from my node at thrustvps. (After my complaints I was told "This is standard procedure for our clients, all nodes are on a 100mBits network, the node you are currently on shares that connection with 59 other virtual servers".) So no wonder the service was crap.

But this morning I noticed that the new server had stopped and tor says in its log "Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy."

I've never had the luxury of encountering this problem before. But clearly the network connectivity at digitalocean is not a limiting factor, and the resource of the VPS is. I monitored usage for the first day or so and top never showed any CPU bottleneck of high load averages, but memory was almost maxed out.

The manual entry for "MaxAdvertisedBandwidth" is not particularly clear because it does not specify whether the bytes|KB|MB|GB is per second or a maximum for some other period. And I do not have the experience to know what rate would best be set on a node with limited memory (though I will buy larger nodes if this test works out over a longer period) but apparently unlimited network capacity.

So my question is, what can colleagues recommend as a suitable maximum rate which will allow my node to provide maximum utility to the tor network without falling over?

Many thanks in advance.

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-
Re: [tor-relays] Disappointing AUP - (was Re: DDOS?)
On Mon, 31 Dec 2012 15:03:46 + Daniel Case allegedly wrote:

> This might be a bit of a shameless plug, but I used to use bitfolk (
> bitfolk.com) - they have a generous allowance of bandwidth and allow
> tor as long as you set it up correctly.

Daniel

I looked at bitfolk a while ago. They don't offer nearly enough transfer for a tor node or for my tails mirror (I want at least 1TB per month for each of them).

For my own domestic usage (email/web server) I need a good solid stable provider and have been with bytemark for several years (most latterly on bigv.io). They are rock solid (and I have run a tor node with them in the past) but they don't offer the bandwidth I need at the price I am prepared to pay either. (Two reasonably high bandwidth VPS at bytemark prices would come to around 100 UKP per month (say 160 USD per month).)

Call me cheap, but I do this for free.

Mick

-
blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
-