Re: [tor-relays] relay on a vps not exclusively used for tor?

2016-08-21 Thread mick
On Sun, 21 Aug 2016 20:06:31 +0200
jensm1  allegedly wrote:
> 
> I'm planning to get myself a small VPS for simple things like
> calendar-synching and backup of important data. Since these things are
> very light on resource-usage, I thought about putting a tor relay
> (non-exit) on the server, so it does something useful instead of
> idling most of the time.
> 
> Is this advisable, or are there reasons why I shouldn't put a relay
> on a server that is used simultaneously by other things?

I think the clue to the answer lies in your "backup of important data".

Personally I run my tor node on a VPS I can afford to lose. I do not,
and would not, use a server holding or hosting anything I care about
(email, XMPP, web service etc.) as a tor node.

Even if your relay is not an exit, there is always the possibility
that its use as a Tor node will offend someone who is in a position to
interfere with it. Consider the possibility that your ISP decides it
does want Tor traffic on its network. That ISP might take your relay
off line. If you use that server for anything else, you are borked.

There is also the very real possibility that any other services you run
on the Tor node actually weaken the security of that node. Every service
you run on a server increases the attack surface. If your Tor node
happens to be running an insecure (or badly configured, or both) FTP
server, for example, then it could be compromised and used by "bad
guys" (TM).

Best

Mick


-
Mick Morgan 
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
http://baldric.net

-

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Tor abuse complaints (per MBit/s)

2016-09-29 Thread mick
On Wed, 28 Sep 2016 22:05:33 -0700
Sadia Afroz  allegedly wrote:

> We did not publish the report anywhere. 
> I put it up on my site just for the ease of sharing it in the mailing
> list. 

Sadia

With respect, those two statements are mutually contradictory. Placing
the report on-line /anywhere/ constitutes publication. And since the
report is widely reachable it will by now have been cached by search
engines.

Best

Mick

-----
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-



Re: [tor-relays] FW: What's a "useful" mailing list contributor?

2017-01-11 Thread mick
On 11 January 2017 12:28:44 GMT+00:00, Ralph Seichter wrote:
>On 11.01.2017 06:30, Roman Mamedov wrote:
>
>Roman, you nailed it. The "September that never ended" is now well into
>its 24th year, 

Ralph

You are showing your age...

+1 to Roman BTW

Mick


-- 
Sent from an untrusted mobile device. Email not signed.


Re: [tor-relays] Reminder: If you are on 0.2.9.x, make sure you are running 0.2.9.9

2017-02-09 Thread mick
On Thu, 9 Feb 2017 13:36:56 -0500
Roger Dingledine  allegedly wrote:

> On Thu, Feb 09, 2017 at 01:04:30PM -0500, Nick Mathewson wrote:
> > If you are on some earlier version of 0.2.9.x, it would be really
> > great if you could update your relay some time soon
> 
> And, if you're one of the many relays still on 0.2.9.8, and the reason
> is something other than "oops, you're right I should upgrade", please
> let us know! We're wondering in particular if there are major distros
> out there that are still stuck on 0.2.9.8.
> 

I am. (Debian Jessie 8.7 - using the tor repos). My log says:

Feb 09 07:35:04.000 [notice] Tor 0.2.9.8 (git-a0df013ea241b026) opening new log file.
Feb 09 07:35:05.000 [warn] Please upgrade! This version of Tor (0.2.9.8) is not recommended, according to the directory authorities. Recommended versions are: 0.2.4.27,0.2.4.28,0.2.5.12,0.2.5.13,0.2.7.6,0.2.7.7,0.2.8.9,0.2.8.10,0.2.8.11,0.2.8.12,0.2.9.9,0.3.0.2-alpha,0.3.0.3-alpha

Attempting an upgrade from 0.2.9.8 I get nothing.

Mick

-
Mick Morgan 
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
http://baldric.net
-



Re: [tor-relays] Reminder: If you are on 0.2.9.x, make sure you are running 0.2.9.9

2017-02-09 Thread Mick
Sorry, I thought I had. I must have hit the wrong reply button. Now copied in.
Apologies for the top post...

On 9 Feb 2017 21:58, Roger Dingledine wrote:
>
> On Thu, Feb 09, 2017 at 09:57:03PM +, mick wrote:
> > Done
> >
> > Now running 0.2.9.9.
>
> Thanks! Can you send this to the list too, for completeness?
>
> Or, do you mind if I do that?
>
> --Roger
>


Re: [tor-relays] Shutdown of TorLand1

2017-02-16 Thread mick
On Wed, 15 Feb 2017 21:55:48 +
tor-ad...@torland.is allegedly wrote:

> 
> after 5 years of operation I will shutdown TorLand1 
> (https://atlas.torproject.org/#details/E1E922A20AF608728824A620BADC6EFC8CB8C2B8)
>  
> on February 17 2017. 
> 

Thanks for everything you have done. It is much appreciated.

-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-



Re: [tor-relays] Provider Suggestion, Scaleway -- Online SAS: not so good for diversity

2017-02-24 Thread mick
On Fri, 24 Feb 2017 12:43:20 +0100
Michael Armbruster  allegedly wrote:

> On 2017-02-24 at 12:32, Mattia wrote:
> > Hi,
> > for the diversity where i can take one at nearly the same price?
> 
> Well, you can search for small providers in small countries. I have a
> Tor relay in Moldavia, for example (MivoCloud).
> 

But note that Mivocloud's ToS specifically says:

"2.11 The Services may be used only for lawful purposes. MivoCloud
strictly prohibits:

Tor Exit relays;
SPAM;
any kind of DoS;
Scam, Malware, Botnet, Phishing;"

So, no exits.

Mick


-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-



Re: [tor-relays] Recent wave of abuse on Tor guards

2017-12-21 Thread mick
warn; host 51939625169E2C7E0DC83D38BAE628BDE67E9A22 at 109.236.90.209:443)
Dec 21 16:35:32.000 [warn] 13 connections have failed:
Dec 21 16:35:32.000 [warn]  13 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 15; recommendation warn; host 500FE4D6B529855A2F95A0CB34F2A10D5889E8C1 at 134.19.177.109:443)
Dec 21 16:35:32.000 [warn] 14 connections have failed:
Dec 21 16:35:32.000 [warn]  14 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 16; recommendation warn; host 03DC081E4409631006EFCD3AF13AFAAF2B553FFC at 185.32.221.201:443)
Dec 21 16:35:32.000 [warn] 15 connections have failed:
Dec 21 16:35:32.000 [warn]  15 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:32.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Dec 21 16:35:33.000 [warn] Problem bootstrapping. Stuck at 90%: Establishing a Tor circuit. (Connection refused; CONNECTREFUSED; count 17; recommendation warn; host 1FA8F638298645BE58AC905276680889CB795A94 at 185.129.249.124:9001)
Dec 21 16:35:33.000 [warn] 16 connections have failed:
Dec 21 16:35:33.000 [warn]  16 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:33.000 [warn] Problem bootstrapping. Stuck at 90%: Establishing a Tor circuit. (Connection refused; CONNECTREFUSED; count 18; recommendation warn; host DAC825BBF05D678ABDEA1C3086E8D99CF0BBF112 at 185.73.220.8:443)
Dec 21 16:35:33.000 [warn] 17 connections have failed:
Dec 21 16:35:33.000 [warn]  17 connections died in state connect()ing with SSL state (No SSL object)
Dec 21 16:35:33.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 21 16:35:33.000 [notice] Bootstrapped 100%: Done

So - I get loads of CONNECTREFUSED whilst coming up (presumably because
of the attack) and then come fully back online. "netstat" then shows my
connections rising rapidly to around the 10,000-11,000 "ESTABLISHED"
mark before it all goes wrong again.

As others have noted I see multiple connections from OVH (netblock
54.36.51/24): around 1200, when I normally only see a max of 200 or so
per /24, and a more normal dozen or so per /24. The next largest,
at around 700-800, is 144.76.175/24 (Hetzner Online). I don't recall
seeing that level of connections in the past.

If anyone wants more info, let me know.

Best

Mick

-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-
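
Added example, not part of the original post: one way to produce the per-/24 tally of ESTABLISHED connections described above from `netstat -tn` output. The sample rows are constructed from documentation address ranges, the function names are hypothetical, and the threshold of 200 per /24 is an assumption taken from the figure quoted in the post, not a Tor recommendation.

```python
import ipaddress
from collections import Counter


def remote_ipv4_addresses(netstat_text, state="ESTABLISHED"):
    """Yield the remote IPv4 address of every TCP row in the given state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # `netstat -tn` rows: proto recv-q send-q local-addr foreign-addr state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != state:
            continue
        host, _, _port = fields[4].rpartition(":")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # header text or an unparseable address
        if addr.version == 4:  # IPv6 peers are skipped in this example
            yield addr


def connections_per_24(netstat_text):
    """Count ESTABLISHED connections grouped by the peer's /24 netblock."""
    counts = Counter()
    for addr in remote_ipv4_addresses(netstat_text):
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        counts[str(net)] += 1
    return counts


def netblocks_over(counts, threshold=200):
    """Return (netblock, count) pairs above the threshold, largest first.

    The default of 200 is an assumption: the post gives "a max of 200 or so
    per /24" as the operator's normal ceiling.
    """
    return [(net, n) for net, n in counts.most_common() if n > threshold]


def build_sample():
    """Constructed netstat output: one heavy /24, one ordinary /24, some noise."""
    def row(remote, state="ESTABLISHED", proto="tcp", local="192.0.2.10:443"):
        return f"{proto}        0      0 {local}          {remote}      {state}"

    rows = [
        "Active Internet connections (w/o servers)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    ]
    # 250 connections from a single /24 (constructed, TEST-NET-3)
    rows += [row(f"203.0.113.{i + 1}:{40000 + i}") for i in range(250)]
    # a dozen from another /24 (constructed, TEST-NET-2)
    rows += [row(f"198.51.100.{i + 1}:{50000 + i}") for i in range(12)]
    # rows that must not be counted: wrong state, and an IPv6 peer
    rows.append(row("198.51.100.77:51000", state="TIME_WAIT"))
    rows.append(row("2001:db8::2:443", proto="tcp6", local="2001:db8::1:443"))
    return "\n".join(rows)


if __name__ == "__main__":
    tally = connections_per_24(build_sample())
    for net, n in tally.most_common(10):
        print(f"{n:6d}  {net}")
    print("over threshold:", netblocks_over(tally))
```

On a live relay the same functions can be fed the text of `netstat -tn` instead of `build_sample()`.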



Re: [tor-relays] tor 0.3.2.9 reached deb.torproject.org and FreeBSD repos

2018-01-17 Thread mick
On Tue, 16 Jan 2018 20:18:00 +
nusenu  allegedly wrote:

> Since this has been a common question in the last few days..
> 
> 
Excellent. Thanks. Installed and running. I still have problems, but I
have added some ratelimit rules to my firewall (a la teor
recommendations) and I'm getting fewer complaints in my log now.

Mick

-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net/about-trivia
-



Re: [tor-relays] FreeBSD 11.1 ZFS Tor Image

2018-02-28 Thread mick
On Tue, 27 Feb 2018 14:47:06 -0500
grarpamp  allegedly wrote:

> If ovh vps gives root, bypass the fee with: md(4) vnode > geli >
> mount.
> 
> Then again, if the iron isn't dipped in epoxy (not done), in your own
> secure datacenter (not extant), on trusted #OpenHW (not AMD / Intel /
> or any other to date), built in trusted #OpenFabs (non extant),
> running validated #OpenSW (non extant), in a voluntarist libertarian
> environment free from force, one's use case might be moot.
>

Gotta love you Grarpamp. :-)

But in the real world we /have/ to trust someone, somewhere, somehow,
sometime. What everyone has to decide for themselves is /how much/ trust
to give, to whom, when, where and why. And that depends entirely on your
threat model and your appetite for risk.

Mick


-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net/about-trivia
-



Re: [tor-relays] Estimation of bridge traffic / Bridge or relay needed?

2018-04-07 Thread mick
On Sat, 7 Apr 2018 09:54:46 -0400
"Grander Marizan"  allegedly wrote:

> How can I unsubscribe from this mailing list?
> 

Read the email. Scroll to the bottom and you will see a link to list
subscription instructions.

Viz: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Mick

-----
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net/about-trivia
-



Re: [tor-relays] DigitalOcean bandwidth billing changes

2018-04-25 Thread mick
On Wed, 25 Apr 2018 12:09:24 +0200
Ralph Seichter  allegedly wrote:

> Looks like DigitalOcean has just begun measuring bandwidth usage
> "officially", starting yesterday:
> 
>   
> https://www.digitalocean.com/community/tutorials/digitalocean-bandwidth-billing-faq
> 
>   "Based on our analysis of the historical usage patterns of our
>   customers, less than one percent of users will exceed their pooled
>   allowance."
> 
> I had heard of the One Percent, but never thought I'd become a part of
> that illustrious group... :-)

I had an email from them saying that as one of the group "grandfathered
in" back in 2013 I could carry on regardless.

Good job really, take a look at my vnstats..

 eth0  /  monthly

    month        rx      |     tx      |    total    |   avg. rate
 ------------------------+-------------+-------------+---------------
   May '17     10.71 TiB |   10.74 TiB |   21.46 TiB |   68.81 Mbit/s
   Jun '17     10.20 TiB |   10.24 TiB |   20.44 TiB |   67.75 Mbit/s
   Jul '17     11.92 TiB |   11.94 TiB |   23.87 TiB |   76.55 Mbit/s
   Aug '17     14.01 TiB |   13.98 TiB |   27.99 TiB |   89.77 Mbit/s
   Sep '17     12.28 TiB |   12.29 TiB |   24.57 TiB |   81.43 Mbit/s
   Oct '17     15.04 TiB |   15.06 TiB |   30.10 TiB |   96.53 Mbit/s
   Nov '17     15.25 TiB |   15.24 TiB |   30.50 TiB |  101.06 Mbit/s
   Dec '17     12.79 TiB |   12.76 TiB |   25.54 TiB |   81.92 Mbit/s
   Jan '18      7.97 TiB |    7.98 TiB |   15.96 TiB |   51.17 Mbit/s
   Feb '18     10.53 TiB |   10.80 TiB |   21.33 TiB |   75.75 Mbit/s
   Mar '18     10.83 TiB |   10.78 TiB |   21.60 TiB |   69.28 Mbit/s
   Apr '18      8.38 TiB |    8.37 TiB |   16.76 TiB |   67.94 Mbit/s
 ------------------------+-------------+-------------+---------------
 estimated     10.26 TiB |   10.24 TiB |   20.50 TiB |


Mick


-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net/about-trivia
-



Re: [tor-relays] DigitalOcean bandwidth billing changes

2018-04-25 Thread mick
On Wed, 25 Apr 2018 14:33:16 +0200
Ralph Seichter  allegedly wrote:
> 
> Good on yer... DigitalOcean bills for outbound traffic, and with a
> price of $0.01/GB (sadly not GiB) every TB in excess of a Droplet's
> monthly allowance--a meager 1GB for their smallest model--will cost
> an extra 10 USD. Who has that kind of money?
> 

Not me. I think I'm immensely lucky to get the service I do.

Mick

-----
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net/about-trivia
-



Re: [tor-relays] DigitalOcean bandwidth billing changes

2018-05-02 Thread mick
On Wed, 25 Apr 2018 14:15:35 +
Cody Logan  allegedly wrote:

> Regarding grandfathered accounts, section 3.7 of their terms of
> service is worth a closer look:
> 
> “Subscribers of Grandfathered Accounts must NOT: (i) run Torrents for
> download or Seed Servers, TOR, or services that include content of an
> adult or pornographic nature [...] or otherwise circumvent the
> intended fair usage of free bandwidth by distributing it freely to
> others. Failure of Subscribers of Grandfathered Accounts to follow
> these terms will result in the revocation of their Accounts'
> grandfathered status.”
> 
> https://www.digitalocean.com/legal/terms/
> 

All 

Following this I went back to Rafael Rosa, the Product Manager at
DigitalOcean who originally sent the email about the changes seeking
clarification. I also pointed him to the discussion here on this list
because I was unlikely to be the only one affected by the change. 

Following several emails Rafael kindly confirmed that so long as my
droplet was not the source of any "abuse" reported to DO by third
parties I could continue as is. By "abuse" RR meant hostile activity
such as port scanning. I pointed out that since my droplet was a
non-exit relay, then it would be unlikely to be the source of
such activity. RR did say however, that non "grandfathered" accounts
would in future automatically be billed for any over limit bandwidth
usage. I should also note here that exit relays are, by their nature,
likely to see activity which DO might categorise as abuse so any exit
relay operators using DO should take care.

Our correspondence is shown below. Rafael has kindly agreed that I may
share this with the list and I am grateful to him for that agreement. I
am also exceptionally grateful for the continued ability to provide my
Tor node to the community at its current usage level without
incurring the sort of financial penalty I could have expected.

My thanks to all at DO and to Rafael in particular for this.


Mick


-- correspondence --

RR original email

Hello, 

I’m Rafael Rosa, Product Manager at DigitalOcean. I want to share a
heartfelt thank you for being such a valued, long-time customer. As you
may know, we’ve made some updates to our bandwidth pricing plans 
<https://www.digitalocean.com/pricing/>. With gratitude for your
loyalty, we want to assure you that your account has been grandfathered
into your current pricing plan and you will not incur any charges for
bandwidth usage as long as you comply with the guidelines outlined in
section 3.7 of our Terms of Service
<https://www.digitalocean.com/legal/terms/>. 

If you are interested in viewing your bandwidth usage, you can now
track usage in the billing page
<https://cloud.digitalocean.com/settings/billing> where Droplet data
transfer is updated daily. And if you’re curious to learn more about
the details of the bandwidth update, I encourage you to take a look at
this FAQ page
<https://www.digitalocean.com/community/tutorials/digitalocean-bandwidth-billing-faq>.
 

Happy Coding,

Rafael Rosa
Product Manager, DigitalOcean


Me

Many thanks for this. However, I note that section 3.7 says, inter alia:

"Notwithstanding the foregoing, Subscribers of
Grandfathered Accounts must NOT: (i) run Torrents for download or Seed
Servers, TOR, or services that include content of an adult or
pornographic nature; (ii) resell services through their Account to
provide free bandwidth to other individuals;"

My droplet "roof.rlogin.net" is, and always has been, a Tor (not
"TOR") relay node.

Do I take it from section 3.7 that you will no longer permit that? If
so, I will need to move to another provider.


RR

Sorry about the delay in replying. So, the current policy does have a
restriction on tor nodes, but we are not enforcing it automatically. As
long as we don't detect abuse it should be fine.

I hope this helps.


Me

Many thanks for this, but with respect the answer is a little
ambiguous. Your policy statement at 3.7 of your ToS implies that any
bandwidth usage above that permitted will be chargeable /regardless/ of
grandfather status if that bandwidth is "given away" to third parties
(such as through Tor). Yet you say here that you are "not enforcing
that automatically". How will I know if/when you do decide to enforce
that? And what do you define as "abuse"?

I am sure that you will understand that I need clarification because I
could potentially be hit with a severe financial penalty should you
choose to enforce the policy without my noticing. I appreciate that as
a $10.00 a month customer I am getting a phenomenally good deal and
fully accept that I may have to pay more in future (regardless of your
original offer back in 2013 of "free bandwidth forever" when I was
grandfathered in). If I

Re: [tor-relays] DigitalOcean starting Exit node crackdown

2014-05-15 Thread mick
On Thu, 15 May 2014 13:44:36 -0400
Shawn Nock  allegedly wrote:

> 
> Hello friends,
> 
> As I recall, there are several exits running on DigitalOcean's
> infrastructure. This is presented FYI:
> 

Hello Shawn

Thanks for posting this. Please let us know how you get on. I run a
middle node on DO (plus two tails/whonix mirrors) and would be
concerned if their policy is hardening against Tor.

Best

Mick 
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] DigitalOcean starting Exit node crackdown

2014-05-15 Thread mick
On Thu, 15 May 2014 14:59:05 -0400
Shawn Nock  allegedly wrote:

> Shawn Nock  writes:
> 
> Update: HOLY CRAP!
> 
> > Hello
> >
> > Thanks for your well worded response.
> >
> > You have argued your case well and we have decided to allow your tor
> > exit node.

Congratulations on a good outcome. Your response to DO support was
obviously good enough to be used as a model for others in a similar
position in future.

And congrats also to DO for seeing some sense and taking the right
decision.

Best

Mick 
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Spam

2014-06-29 Thread mick
On Fri, 27 Jun 2014 09:41:53 +0100
kingqueen  allegedly wrote:
> 
> > Had a similar situation. My take is - it is never too late to
> > obfuscate. It does matter.
> 
> Thank you! I have done. Random Person 
> 

I think that is the first time I have seen ROT13 used as a form of
email obfuscation.

I have seen images (usually PNG) being used - but then I have also
seen that ruined by the use of the mailto: tag around the image.

Mick 

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





[tor-relays] Busted links on Tor Relay standard web page

2014-07-15 Thread mick
My apologies if this has been discussed before and I have missed it.

I have been reviewing the web page on my relay (which is based on the
standard Tor explanation page) and have noticed that several links are
now broken following update of the Tor site itself (e.g.
https://www.torproject.org/torusers.html.en no longer exists)

I also notice that
https://tor-svn.freehaven.net/svn/tor/trunk/contrib/exitlist cannot be
reached at all and the same page over http seems not to exist. 

If other operators are similarly using a page based on the old
template, they may wish to update.

Best

Mick

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Tools for managing multiple relays

2015-10-15 Thread mick
On Thu, 15 Oct 2015 17:11:23 -0400
starlight.201...@binnacle.cx allegedly wrote:

> Choices are not simple.
> 

Never have been. And they get tougher over time. Trust me.

-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] TorFlow

2015-11-10 Thread mick
On Tue, 10 Nov 2015 11:30:53 +1100
Tim Wilson-Brown - teor  allegedly wrote:

> 
> > On 10 Nov 2015, at 11:05, I  wrote:
> > 
> > That is very nice and gives an idea of the need for more
> > geographical diversity.
> > 
> > Do you have an idea why there is almost no activity visible from
> > Australia and none from New Zealand?
> 
> International bandwidth is very expensive in the antipodes.
> There are very few providers with unlimited or terabyte data plans.
> Australia just brought in a mandatory data retention law in
> April/October 2015.
> 

Any idea where that concentration of 16 relays South of Ghana in the
Gulf of Guinea is? The traffic there seems disproportionate to the size
of the location. 

Mick

(Beautiful and really cool visualisation BTW. Many thanks to the
designer(s) and coder(s)).

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Unbelieveable

2015-12-04 Thread mick
On Fri, 04 Dec 2015 09:29:58 -0800
AMuse  allegedly wrote:

>  
> 
> Looks like you got more than you paid for. 
> 
> On 2015-12-03 18:46, Kurt Besig wrote: 
> 
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > 
> > That I got two responses after posting to tor-relays regarding a
> > fairly simple, I thought, ControlPort question on a new VPS relay..
> > That's pathetic. Thanks for all your input.
>

+1 to that.

People on this list are all volunteers - both as relay operators and as
list participants. If any of those volunteers choose to help fellow
list members, then good for them. However, if list posters whine and
castigate others then they should not be surprised if no-one helps in
future.

Mick  
 

-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] intense DDOS of exit relay from China

2016-03-22 Thread mick
On Tue, 22 Mar 2016 14:08:29 +
Dhalgren Tor  allegedly wrote:

> All traffic originated from China.
> 

But that does not necessarily mean that the attacker was in China,
merely that he/she/it owns a botnet "in china".

-----
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] I would like to help.

2016-03-31 Thread mick
On Wed, 30 Mar 2016 07:22:45 +0200
brightsidedarkside  allegedly wrote:

> Hey Genral G,

An impressively helpful, generous, complete and patient response to a
plea for help. 

Exactly the sort of response which shows how good the community can be
and which puts to shame the sort of unhelpful, snarky, smart ass
responses we sometimes see on this list and elsewhere.

Congratulations and thanks Christian.

Mick


-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] 84 exits (growing..) (was: 68 new exits)

2016-05-07 Thread mick
On Sat, 7 May 2016 07:46:31 -0500
Tristan  allegedly wrote:

> Strange that some of the relays are running on Digital Ocean. Running
> a Tor relay of any kind is against their AUP.

Not so. I've been running a tor node on DO for three years now. They
know it, they are happy, so am I.

Mick


-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-



Re: [tor-relays] 84 exits (growing..) (was: 68 new exits)

2016-05-08 Thread mick
On Sun, 8 May 2016 02:46:42 +0500
Roman Mamedov  allegedly wrote:
> 
> (That said, yeah, as others have replied DO TOS only restricts
> "grandfathered" accounts in this regard.)
> 

Again, not so. I have a grandfathered account. DO have never had a
problem with my Tor node (or my other high traffic VMs).

Mick

-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





[tor-relays] control_auth_cookie problem

2011-07-18 Thread mick
Hi Guys

I use munin to monitor a bunch of stuff (including tor) on my servers.
The long run munin stats are quite useful.

I checked my stats today and noticed that there were no entries for tor
on one machine going back a couple of weeks. Now I know I rebooted the
machine in question about 12 days ago and I /think/ I upgraded tor at
that time. Certainly the restart will have caused a regeneration of the
cookie file anyway. 

Checking my logs, I see the following from munin:

"Unable to connect to Tor ControlPort (515 Authentication failed: Wrong
length on authentication cookie"

and similarly in the tor log:
"
Got authentication cookie with wrong length (16)"

Now I can see that the cookie file is 32 characters long, so I'm
guessing that the file contains a control character that is screwing
up the munin php plugin line 
"$cookie = file_get_contents($cookiepath);"  

Anyone else seen this before? Any ideas for fixing it? - short of
restarting tor again (I've done that and I'm reluctant to keep on
stopping and starting what should be a stable server),

Thanks

Mick





-

The text file for RFC 854 contains exactly 854 lines. 
Do you think there is any cosmic significance in this?

Douglas E Comer - Internetworking with TCP/IP Volume 1

http://www.ietf.org/rfc/rfc854.txt
-
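
Added example, not part of the original post or of the munin plugin: a Python client-side check for ControlPort cookie authentication. It reads control_auth_cookie as raw bytes, insists on the 32-byte length Tor expects, and sends the value hex-encoded in AUTHENTICATE; the function names, the cookie path passed in and the 127.0.0.1:9051 defaults are assumptions.

```python
import socket

COOKIE_LEN = 32  # control_auth_cookie holds 32 raw bytes, not text


def read_cookie(path):
    """Read the cookie in binary mode and refuse anything but 32 bytes."""
    with open(path, "rb") as fh:
        cookie = fh.read(COOKIE_LEN + 1)  # one extra byte exposes oversize files
    if len(cookie) != COOKIE_LEN:
        raise ValueError(
            f"{path}: expected {COOKIE_LEN} bytes, got {len(cookie)}"
        )
    return cookie


def authenticate_command(cookie):
    """Build the control-protocol line: AUTHENTICATE <64 hex digits> CRLF."""
    if len(cookie) != COOKIE_LEN:
        raise ValueError(f"cookie must be {COOKIE_LEN} bytes, got {len(cookie)}")
    # Hex-encoding makes NUL, CR, LF and other control bytes safe on the wire.
    return b"AUTHENTICATE " + cookie.hex().encode("ascii") + b"\r\n"


def decoded_credential_length(command):
    """Number of bytes the hex credential in an AUTHENTICATE line decodes to.

    Useful when debugging a client: a credential that decodes to 16 bytes
    corresponds to a "wrong length (16)" complaint on the Tor side.
    """
    arg = command.strip().split(b" ", 1)[1]
    return len(bytes.fromhex(arg.decode("ascii")))


def authenticate(cookie_path, host="127.0.0.1", port=9051, timeout=5.0):
    """Authenticate to a ControlPort; returns (ok, first reply line).

    host/port are assumed defaults; use the ControlPort set in your torrc.
    """
    command = authenticate_command(read_cookie(cookie_path))
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(command)
        reply = conn.recv(1024).decode("ascii", "replace").strip()
    # "250 OK" means success; a 515 reply is the authentication failure
    # quoted from the munin log in the post.
    return reply.startswith("250"), reply


if __name__ == "__main__":
    # Constructed cookie that deliberately contains control characters.
    sample = bytes(range(COOKIE_LEN))
    line = authenticate_command(sample)
    print(line)
    print("decodes to", decoded_credential_length(line), "bytes")
```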







Re: [tor-relays] Sorry, HotMail users, you're rejected

2011-08-22 Thread mick
On Mon, 22 Aug 2011 12:47:42 -0700
Mike Perry  allegedly wrote:

> Thus spake Steve Snyder (swsny...@snydernet.net):
> 
> > Got another threatening e-mail from my ISP today, prompted by
> > another SpamCop complaint regarding spam run through HotMail.
> > HotMail records the address of the originating server and that,
> > again, is my exit node.
> > 
> > So I have to curtail exit access to HotMail.  Yeah, it sucks, but I
> > know of no way to block the sending of webmail while still allowing
> > it to be retrieved.
> 
> Make sure this is done via exit policy and not iptables or DNS filter.
> 
> Also, are you sure you have the whole hotmail netblock?
> 

And make sure that you similarly block all webmail remailers. Hotmail
aren't the only ones to stick "X-Originating-IP" headers in the mail.

But seriously, I think this is a bad idea. Much better to explain to
your ISP what has happened and why you are not responsible. I have
done exactly that with my ISP when they shovelled spamcop crud my way.
They understood entirely, reacted like professionals and told spamcop
where to go. If your provider won't help, it may be time to switch
providers.

Mick


-

The text file for RFC 854 contains exactly 854 lines. 
Do you think there is any cosmic significance in this?

Douglas E Comer - Internetworking with TCP/IP Volume 1

http://www.ietf.org/rfc/rfc854.txt
-







[tor-relays] icecat

2011-10-09 Thread mick
Resending because I sent from the wrong address 

Begin forwarded message:

To: tor-relays@lists.torproject.org
Subject: icecat


All

I have now had a total of three abuse requests from the ISP hosting one
of my tor nodes from a company called icecat (r...@icecat.biz)

On the first two occasions I pointed to the notice on my server about it
being a tor node and they went away. This time they are threatening to
null route my server if I don't do something.

So reluctantly I have added a reject of 87.255.38.35:* to my exit
policy.

I'd be interested to hear from any other operators who have been
pestered in this way about supposed abuses of icecat.

Best

Mick 

-

The text file for RFC 854 contains exactly 854 lines. 
Do you think there is any cosmic significance in this?

Douglas E Comer - Internetworking with TCP/IP Volume 1

http://www.ietf.org/rfc/rfc854.txt
-







Re: [tor-relays] Middleman/guard nodes raided in the Netherlands

2011-11-10 Thread mick
On Thu, 10 Nov 2011 12:48:44 +0100
David  allegedly wrote:

> Nicknames of the servers were AIVD and MIVD, no clue what the public
> key was. But consider them compromised.

Maybe your Police have no sense of humour?

AIVD = Intelligence and Security Service.
MIVD = Military Intelligence and Security Service.

Good luck anyway.

Mick
-

The text file for RFC 854 contains exactly 854 lines. 
Do you think there is any cosmic significance in this?

Douglas E Comer - Internetworking with TCP/IP Volume 1

http://www.ietf.org/rfc/rfc854.txt
-







Re: [tor-relays] In which countries are relays needed, disallowed?

2011-11-25 Thread mick
On Fri, 25 Nov 2011 10:12:56 -0500 (EST)
"Steve Snyder"  allegedly wrote:

> I tried to set up a Tor relay in the UK today and was told that UK
> law prohibited anonymous Internet traffic.  My tentative UK ISP told
> me that they must be able to provide identification of users if
> presented with a court order.  Hmmm...

Rubbish. I run two tor exit nodes in the UK (and have run three in the
past). The ISP in question is at best misguided, at worst lying. The
ISP must be able to identify its customer - i.e. you. Try a different
ISP. I currently use ThrustVPS and Daily because they give a lot of
bandwidth for not much money. But I have also used, and can thoroughly
recommend, Bytemark. I'd use bytemark for all my traffic if they
offered as much bandwidth as I get elsewhere.

Just be sure that you tell your chosen ISP that you are going to run a
Tor node and read their AUP carefully.

Mick


-

The text file for RFC 854 contains exactly 854 lines. 
Do you think there is any cosmic significance in this?

Douglas E Comer - Internetworking with TCP/IP Volume 1

http://www.ietf.org/rfc/rfc854.txt
-







Re: [tor-relays] Can bridge run in tiny VPS

2012-02-14 Thread mick
On Tue, 14 Feb 2012 10:46:22 +0100
krugar  allegedly wrote:

> On 02/14/2012 02:42 AM, tor-rel...@nickcoleman.org wrote:
> > Bandwidth is 500GB up and down per month.   Tor can have half of
> > this (note the up *and* down).
> >
> 
> excerpt of config from my torrc (running 0.2.2.35):
> 
> RelayBandwidthRate  150 KBytes
> RelayBandwidthBurst 300 KBytes
> ExitPolicy reject *:*
> 
> traffic stats from my hoster for 01/2012:
> 
> 222.78 GB IN / 225.37 GB OUT / 448.14 GB TOTAL

Also useful to add accounting limits if you wish to restrict overall
usage within a particular period. For example, I have about 750 GB pcm
to donate to Tor. I manage to stay within this by setting a daily
accounting limit as below:

AccountingStart day 18:00 
AccountingMax 13 GB 

Note that the AccountingMax figure is /each way/ so we need to double
this to 26 GB to see what the actual maximum traffic will be
restricted to.

As the manual page explains, it is better to have a collection of fast
servers which are up most of the time rather than a host of slow
servers which are always up.

And you (Nick) might want to consider getting a VPS to dedicate to
Tor. They are pretty cheap these days. But if you can't do this, then
donate a sum (say $5 a month) to the tor project who will use it to
provide additional bandwidth. 

Every little helps.

Mick 

-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-







Re: [tor-relays] What to do about icecat.biz abuse complaints?

2012-04-14 Thread mick
On Sat, 14 Apr 2012 07:15:56 -0400 (EDT)
"Steve Snyder"  allegedly wrote:

> I often get abuse complaints from icecat.biz saying that a "RIP
> attempt" was seen from the IP address of my exit node.  Apparently
> this involves too many connections in a given period of time.

I had the same problem last year. In response to my question about what
others were doing, Moritz Bartl said:


"Icecat was discussed recently on tor-talk, see
https://lists.torproject.org/pipermail/tor-talk/2011-September/021446.html

In short : We now ignore the automated reports."

Mick


-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-





[tor-relays] too many abuse reports

2012-05-22 Thread mick
Hi

I have today, reluctantly, switched my node
torofotheworld.aibohphobia.org from an exit node to relay only. My ISP
has stayed faithful over several abuse reports in the past, but this
week following two more in quick succession (from Brazilian government
services by the look of it) they have asked that I shut down the exit
policy. Rather than lose the node entirely, I have agreed.

Some bozo has been using sqlmap to scan servers through tor.

Mick

-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-





Re: [tor-relays] too many abuse reports

2012-05-22 Thread mick
On Tue, 22 May 2012 13:29:54 -0500
Jon  allegedly wrote:

> 
> Yep same here, got notice today from ISP on a report of the 20th for
> alleged hacking with someone using sqlmap. The reporting ip was a
> Brazilian gov ip address.
> 
> I just blocked the port and kept on serving
> 

I assume you mean "IP address" rather than "port" here. 

Despite offering, I wasn't given the opportunity to do that.

Interesting that you also seem to have been used in targeting the
Brazilian government. 

Mick

-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-





Re: [tor-relays] too many abuse reports

2012-05-22 Thread mick
On Tue, 22 May 2012 15:27:41 -0400
Michael Millspaugh  allegedly wrote:

> Can you be more specific with your resolution for this issue?
> I've received a second abuse report in a week for the same issue - SQL
> scanning - and I'll have to shut down my node unless I can somehow
> block this activity. I have source and destination ports and IPs
> available, but it lists the source as my IP so I'm not sure how to
> see what the originating IP was.
> 

In my case, at the request of my ISP, I have changed my exit policy to:

ExitPolicy reject *:*

i.e. I am now a relay, not an exit node. Brutal, but that's what my ISP
wanted.

Mick



-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-
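
An added sketch (not Tor's code and not from the original posts) of how first-match ExitPolicy rules decide a connection, contrasting a port 80/443 exit with one rejected address against the blanket "reject *:*" above. The policies are constructed from rules mentioned in this thread, the function names are hypothetical, and only IPv4 ADDR[/MASK]:PORT patterns are modelled.

```python
import ipaddress


def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT'; ADDR and PORT may be '*'."""
    action, pattern = rule.split()
    if action not in ("accept", "reject"):
        raise ValueError("unknown action: " + action)
    addr, _, port = pattern.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return action, net, lo, hi


def exit_allowed(policy, ip, port):
    """Walk the rules in order; the first rule that matches decides."""
    target = ipaddress.ip_address(ip)
    for rule in policy:
        action, net, lo, hi = parse_rule(rule)
        if (net is None or target in net) and lo <= port <= hi:
            return action == "accept"
    # Assumption for this sketch: a policy with no matching rule refuses.
    # Every policy below ends in 'reject *:*', so this line is never reached.
    return False


# Constructed policies built from rules quoted in this thread.
# Single-address reject placed BEFORE the port accepts: it takes effect.
REJECT_FIRST = ["reject 87.255.38.35:*", "accept *:80", "accept *:443", "reject *:*"]
# Same rules, reject placed AFTER the accepts: 'accept *:80' wins first.
REJECT_LATE = ["accept *:80", "accept *:443", "reject 87.255.38.35:*", "reject *:*"]
# Non-exit relay, as in the message above.
RELAY_ONLY = ["reject *:*"]

if __name__ == "__main__":
    for name, pol in (("reject first", REJECT_FIRST),
                      ("reject late", REJECT_LATE),
                      ("relay only", RELAY_ONLY)):
        print(name, exit_allowed(pol, "87.255.38.35", 80))
```

The ordering case is the one to check after editing a torrc: a specific reject added below a broader accept never fires.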





Re: [tor-relays] too many abuse reports

2012-05-23 Thread mick
On Tue, 22 May 2012 13:17:20 -0700
Mike Perry  allegedly wrote:
> 
> As of yet, no one has mentioned the port. Out of curiosity, is it
> included in the Reduced Exit Policy?
> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy

Mike

The port number reported was 80. My exit policy was restricted to 80
and 443 anyway. Interestingly (and confusingly) though, one report was
for an attack on port 8080. But since the report gave this evidence:

"Destination: 10.15.116.34 (8080)
Content:
os=185--technique=BES HTTP/1.1
Accept-Encoding: identity
Accept-Language: en-us,en;q=0.5
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: sqlmap/1.0-dev (r4997) (http://www.sqlmap.org)
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 200.189.116.10
Pragma: no-cache
Cache-Control: no-cache,no-store"

and the address of the target is clearly an RFC1918 reserved net, I
figured this host was behind some device doing NAT, possibly a web load
balancer of some kind. Sort of (sadly) amusing though that the
complainant didn't notice that they were accusing me of attacking an
unrouteable network...

> Also, I think the right answer is a solution like
> https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates#SSHBruteforceAttempts
> rather than blocking anything on the relay side.

Given the above, I doubt the capability of the complainant to implement
such a strategy. Simpler just to complain to another ISP and get them
to own the problem.
 
> Yeah, this sucks. But hey, if you're forced to be a middle relay, you
> now have a lot of really super cheap options for bandwidth. You should
> consider shopping around. Bandwidth literally gets cheaper every
> year.
> 
> For example, last year, FDCservers was charging $600/mo for 1 Gbit
> dedicated. This year, they now provide a 10 Gbit line for that price!
> 
> FDC doesn't allow exits either, but the falling price points tells me
> you should seriously try to renegotiate price with your ISP (or just
> move elsewhere) if they are degrading your service by forcing you into
> non-exit.
> 
> Exit bandwidth is worth paying a premium for, because it does require
> more resources at the ISPs end in terms of occasional abuse noise. You
> could also try negotiating upwards if your ISP's prices are already
> competitive with FDC's for middle service. Something tells me they're
> not, though :).
> 
I'm not in the market for a $600/month server. I'm a private individual
paying for as much bandwidth as I can afford on a VPS dedicated to tor.
I also provide a tails mirror on another VPS. But yes, I may now move
to another provider. My current ISP seems no longer to want to support
me.

Mick

-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-
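
The checks applied to the complaint in the message above (scanner User-Agent, RFC 1918 destination, Host header pointing elsewhere, port outside the exit policy), as an added example that is not part of the original message. Function names and the scanner list are hypothetical; the sample evidence is abridged from the report quoted above.

```python
import ipaddress
import re

# Evidence block abridged from the abuse report quoted in the message above.
REPORT = """\
Destination: 10.15.116.34 (8080)
Content:
os=185--technique=BES HTTP/1.1
Accept-Encoding: identity
Connection: close
User-Agent: sqlmap/1.0-dev (r4997) (http://www.sqlmap.org)
Host: 200.189.116.10
"""

# Hypothetical, deliberately short list of scanner User-Agent prefixes.
SCANNER_AGENTS = ("sqlmap/",)

# The three RFC 1918 private ranges; an exit relay cannot route to these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DEST_RE = re.compile(r"^Destination:\s*(\S+)\s*\((\d+)\)\s*$", re.M)
HEADER_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")


def parse_report(text):
    """Extract the claimed destination and the HTTP headers from the evidence."""
    m = DEST_RE.search(text)
    if not m:
        raise ValueError("no Destination line in report")
    headers = {}
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        # 'Destination' and 'Content' are report fields, not HTTP headers.
        if h and h.group(1).lower() not in ("destination", "content"):
            headers[h.group(1).lower()] = h.group(2).strip()
    return {
        "dest_ip": ipaddress.ip_address(m.group(1)),
        "dest_port": int(m.group(2)),
        "headers": headers,
    }


def triage(text, exit_ports):
    """Return a list of observations an operator can put in the reply."""
    r = parse_report(text)
    notes = []
    if r["headers"].get("user-agent", "").lower().startswith(SCANNER_AGENTS):
        notes.append("scanner-user-agent")
    if any(r["dest_ip"] in net for net in RFC1918):
        # Address was logged behind NAT or a load balancer, not on the wire.
        notes.append("destination-is-rfc1918")
    host = r["headers"].get("host", "").split(":")[0]  # IPv4/hostname only
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None  # Host header is a name or missing
    if host_ip is not None and host_ip != r["dest_ip"]:
        notes.append("host-header-differs-from-destination")
    if r["dest_port"] not in exit_ports:
        notes.append("port-not-in-exit-policy")
    return notes


if __name__ == "__main__":
    # Exit policy restricted to 80 and 443, as stated in the message.
    print(triage(REPORT, {80, 443}))
```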





Re: [tor-relays] too many abuse reports

2012-05-23 Thread mick
On Tue, 22 May 2012 16:21:46 -0500
Jon  allegedly wrote:

> >
>   The port was 57734 - of course that doesn't mean another port could
> be used

That looks like a source port to me. In my case, the (allegedly)
attacked ports were 80, so clearly webservers.

Mick
-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-





Re: [tor-relays] running first Relay, low budget VPS on a Gigabit line

2012-06-12 Thread mick
On Tue, 12 Jun 2012 21:12:30 +0200
Rejo Zenger  allegedly wrote:

> Hi Tim,
> 
> > Today iftop shows the VPS puts 35 MByte/s in both directions
> > through the line. *Phew*
> > The hosting plan includes 50GB per month so I'm a bit over the fair
> > use.
> 
> > What would you do? Let it run? throttle down? do no harm?
>
> Check the comments and variables in the configuration file. The ones
> you are looking for are:
> 
> RelayBandwidthRate
> RelayBandwidthBurst
> AccountingMax
> AccountingStart
> 
> > Any suggestions how to measure the traffic would be appreciated,
> > must be roughly 12 TB the last 2 days.
> 
> There are a number of approaches. I am running vnstat for this
> purpose.
> 

Plus one for vnstat from me.

And you /really/ want to throttle your node if you are going that much
over your allowance.

Mick


-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-





Re: [tor-relays] 'help'

2012-07-07 Thread mick
On Sat, 7 Jul 2012 02:07:50 +
Mikegong  allegedly wrote:

> 
> some trouble like this: Your DNS provider gave an answer for
> "nykqypf34.net", which is not supposed to exist. Apparently they are
> hijacking DNS failures. Trying to correct for this. We've noticed 1
> possibly bad address so far.
> 
>  
> How to set? and give me the map example. 
> thank you. 
>   
> 
Hi

In my experience this is caused by the ISP using opendns.com to resolve
queries. opendns is notorious for responding to queries which should
return NXDOMAIN with answers which point to its own servers.

If you can't find a better server on your ISP's network, then change
your resolver to point to something like the open public servers
4.2.2.1 or 4.2.2.6 or (if you must) the google servers at 8.8.8.8.

HTH

Mick  
-
blog: baldric.net
fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423
-





Re: [tor-relays] Call for discussion: turning funding into more exit relays

2012-07-26 Thread mick
On Thu, 26 Jul 2012 12:01:13 -0400 (EDT)
"Steve Snyder"  allegedly wrote:

> Is there any justification for a low-bandwidth Tor node?  And if so,
> what is the practical minimum bandwidth needed to actually see any
> traffic?

Yes. I run one. And have run two (or three at one time). I currently
run one on a rented VPS which shovels around 700-750 Meg per month.
The fastest I have run only gave 1Gig of traffic per month. I currently
don't allow exit (but have in the past) following a series of hassles
from my (otherwise quite accommodating) ISP who was getting flak about
abuse.

I guess I am typical of the low usage "domestic" type user who got fed
up with the impact on his ADSL line of running Tor locally so moved it
to a cheap VPS. I tunnel out to that VPS over SSH when I use Tor and
find that a much better way of accessing the network.

I choose to fund a Tor node because I am a Tor user and I believe in
giving something back to the Tor community by way of thanks. I do not
want, nor do I need, funding for that. 

Mick 

-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-





Re: [tor-relays] Electronic surveillance on major tor exits

2012-07-26 Thread mick
On Mon, 23 Jul 2012 11:03:24 -1000
Name Withheld  allegedly wrote:
 
> Most Tor users probably don't read the manual and follow best 
> practices.  I'm sure we've all seen traffic where users are using
> google maps to find directions from their home, or logging into their
> true-name mail accounts.  When you combine this "State of our Method"
> with a choke on the number

I'm surprised that no-one else seems to have picked up on this. But no,
"we have /not/ all seen traffic where users" are doing something.
Because we aren't looking at users' traffic. And we damned well should
not be.

Mick
-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-





Re: [tor-relays] Call for discussion: turning funding into more exit relays

2012-07-26 Thread mick
On Tue, 24 Jul 2012 07:05:41 -0400
Mike  allegedly wrote:

> in closing, don't discredit the cheaper solutions. They do work just
> fine and you don't need a pocket of money to throw at something.
> Telling the provider what you plan on doing and educating them works
> wonders as well. It has for me at least.
> 

Seconded.


-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-





Re: [tor-relays] Call for discussion: turning funding into more exit relays

2012-07-26 Thread mick
On Mon, 23 Jul 2012 14:58:54 -0400
Roger Dingledine  allegedly wrote:

> The result though is a direct tradeoff
> with relay diversity: on today's network, clients choose one of the
> fastest 5 exit relays around 25-30% of the time, and 80% of their
> choices come from a pool of 40-50 relays.
> https://trac.torproject.org/projects/tor/ticket/6443

That cannot be good for the health of the network. It reduces the
size and complexity of the attacker's target. 

> Since extra capacity is clearly good for performance, and since we're
> not doing particularly well at diversity with the current approach,
> we're going to try an experiment: we'll connect funding to exit relay
> operators so they can run bigger and/or better exit relays.
> 
> If we do it right (make more faster exit relays that aren't the
> current biggest ones, so there are more to choose from), we will
> improve the network's diversity as well as being able to handle more
> users.

Improving diversity (rather than outright speed) is, in my view, a
greater priority given your point above. 

> We've lined up our first funder (BBG, aka http://www.voanews.com/),
> and they're excited to have us start as soon as we can. They want to
> sponsor 125+ fast exits.

Forgive me, but what do they want in return? ("He who pays the
piper...")

I'm ambivalent about the idea of funding. Whilst I can see that it
might help the Tor network to grow, I see downstream problems if
funding dries up (or is "threatened" to be withdrawn). Whilst
volunteer funding (and resourcing) can probably never provide the size
and speed of network we would all like to see, it has the advantage
of freedom from a lot of potential constraints. Being a Brit, I also
prefer the model of "unpaid blood donation" to the commercial
model used in some countries. (It just makes you feel good) 

> More generally, we need to consider sustainability. Our current exit
> relay funding is for a period of 12 months, and while there's reason
> to think we will find continued support, the Tor network must not end
> up addicted to external funding. So long as everybody is running an
> exit relay because they want to save the world, I think we should be
> fine.

I agree 100%
 
Mick


-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-





Re: [tor-relays] Electronic surveillance on major tor exits

2012-07-26 Thread mick
On Thu, 26 Jul 2012 14:30:02 -0400 (EDT)
"Steve Snyder"  allegedly wrote:

> I took "seen" to mean looking over someone's shoulder as they used
> Tor, not sniffing their traffic.

He specifically used the word "traffic". That does not imply shoulder
surfing.

-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-





Re: [tor-relays] Call for discussion: turning funding into more exit relays

2012-07-31 Thread mick
On Mon, 30 Jul 2012 18:51:35 -0400
Steve Snyder  allegedly wrote:
 
> Allowing exits from ports 80 and 443 will always carry the risk of
> abuse complaints.
> 
> It would be better to retain 80 and 443 as exit ports and just block 
> traffic to the Google/Yahoo/AOL/etc. mail servers but I don't know how
> that could be done with their respective load-balancing schemes.

IP address based policy is tricky to use when large systems can use
wide address ranges. And these addresses change over time.

Question for tor developers. How hard would it be to change the logic
(and syntax) of exit policy in tor to allow domain based formulations
like:

reject *.gmail.com
reject *aol.com

etc.

Mick 
-
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

Note that I have recently upgraded my GPG key see:
http://baldric.net/2012/07/20/gpg-key-upgrade/
-





[tor-relays] DDOS?

2012-12-29 Thread mick
Hi guys

The provider for one of my VPSs, running my tor node tor.baldric.net
has shut it down (unilaterally and without telling me) a couple of
times this month, most recently today. Their response to my query as to
why is that they say they are seeing a large DDOS attack on the VPS
server hosting my node, apparently aimed at my address. 

I shut tor down while I investigated and when running nethogs I
noticed a shed load of attempted connections to my tor port (443) from
non-tor addresses. A snapshot is at http://rlogin.net/tor/incoming.png 

Anyone else seeing anything similar? I can't believe I'm the only node
being poked.

Cheers

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] DDOS?

2012-12-29 Thread mick
On Sat, 29 Dec 2012 22:07:59 +
mick  allegedly wrote:
> 
> I shut tor down while I investigated and when running nethogs I
> noticed a shed load of attempted connections to my tor port (443) from
> non-tor addresses. A snapshot is at
> http://rlogin.net/tor/incoming.png 
> 
> Anyone else seeing anything similar? I can't believe I'm the only node
> being poked.

On further investigation, I think many of those addresses are likely
to be tor related, possibly clients attempting to join tor through my
node.

How long does it take from the time a node is shut down to the point
where no-one will attempt to connect through it? 

Mick

 
-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] DDOS?

2012-12-30 Thread mick
On Sat, 29 Dec 2012 21:44:35 -0500
Matthew Finkel  allegedly wrote:
> > 
> > How long does it take from the time a node is shut down to the point
> > where no-one will attempt to connect through it? 
> > 
> > Mick
> 
> Hi Mick,
> 
> Technically clients will attempt to use your node until the majority
> of the directory authorities agree your node is no longer reachable
> (should not take more than a little over 1 hour, assuming I
> understand the code correctly) plus 3 hours (a client considers a
> consensus valid for at most 3 hours), so roughly 4 hours. However,
> because some clients have incorrectly set clocks, connections will
> most likely trickle in past this point. I think after 5 hours no
> valid clients should still try to connect.

Matt

That does indeed help. Thank you.

I guess that what I was seeing was mostly tor client attempts. As for
my VPS provider, they still haven't answered my questions as to why they
shut down my machine without telling me. I suspect the DDOS excuse was
just that, an excuse. I'm probably one of the few users who actually
get anywhere near the full bandwidth allocation I pay for. Given that
the VPS is cheap (and probably on a box which is oversold) it's entirely
possible my usage is stretching the resource, and they don't like
that.

Ho Hum. Time to look for another provider.

Cheers

Mick
-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





[tor-relays] Disappointing AUP - (was Re: DDOS?)

2012-12-31 Thread mick
On Sun, 30 Dec 2012 12:33:45 +
mick  allegedly wrote:
> 
> Ho Hum. Time to look for another provider.
> 

And in looking at alternatives I found this
http://stormvz.com/terms.html
on one site. The fourth "prohibited usage" item, lumps Tor in with
Phishing Sites and Proxy Scanners.

I've told them I'm disappointed, but getting UK based VPSs with useful
amounts of bandwidth for tor is getting harder. 

My good wishes to all for 2013.

Mick 

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] Disappointing AUP - (was Re: DDOS?)

2012-12-31 Thread mick
On Mon, 31 Dec 2012 15:03:46 +
Daniel Case  allegedly wrote:

> This might be a bit of a shameless plug, but I used to use bitfolk (
> bitfolk.com) - they have a generous allowance of bandwidth and allow
> tor as long as you set it up correctly.

Daniel

I looked at bitfolk a while ago. They don't offer nearly enough
transfer for a tor node or for my tails mirror (I want at least 1TB per
month for each of them). 

For my own domestic usage (email/web server) I need a good solid stable
provider and have been with bytemark for several years (most latterly on
bigv.io). They are rock solid (and I have run a tor node with them in
the past) but they don't offer the bandwidth I need at the price I am
prepared to pay either. (Two reasonably high bandwidth VPS at bytemark
prices would come to around 100 UKP per month (say 160 USD per month).)

Call me cheap, but I do this for free.

Mick 

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





[tor-relays] MaxAdvertisedBandwidth advice please

2013-01-04 Thread mick
Hi all

Following a couple of my earlier messages to the list (about alleged
DDOS on my node) I started up a new relay only node with digitalocean
(thanks to Roman Mamedov for the pointer).

In order to test their service I signed up for the minimal sized
"droplet" (VPS) - 256Mb RAM, 1 core, 20Gb disk. Very quickly the VPS
ramped up to over 1000 tor connections and a throughput of 25Mbit/s
with a daily total traffic of 230 GiB. Absolutely astonishing when
compared to the appalling service I was getting from my node at
thrustvps. (After my complaints I was told "This is standard procedure
for our clients, all nodes are on a 100mBits network, the node you are
currently on shares that connection with 59 other virtual servers".) So
no wonder the service was crap.

But this morning I noticed that the new server had stopped and tor
says in its log "Your computer is too slow to handle this many circuit
creation requests! Please consider using the MaxAdvertisedBandwidth
config option or choosing a more restricted exit policy."

I've never had the luxury of encountering this problem before. But
clearly the network connectivity at digitalocean is not a limiting
factor, and the resource of the VPS is. I monitored usage for the
first day or so and top never showed any CPU bottleneck or high load
averages, but memory was almost maxed out.

The manual entry for "MaxAdvertisedBandwidth" is not particularly
clear because it does not specify whether the bytes|KB|MB|GB is per
second or a maximum for some other period. And I do not have the
experience to know what rate would best be set on a node with
limited memory (though I will buy larger nodes if this test works
out over a longer period) but apparently unlimited network capacity.
So my question is, what can colleagues recommend as a suitable maximum
rate which will allow my node to provide maximum utility to the tor
network without falling over? 

Many thanks in advance.

Mick
-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] Disappointing AUP - (was Re: DDOS?)

2013-01-04 Thread mick
On Tue, 01 Jan 2013 20:24:36 -0700
j...@duskro.net allegedly wrote:

> Are you only seeking providers outside of the U.S.?
> 
> I've been using PhoenixNAP for the last two years and am very happy
> with their services. It's a dedicated server provider located in the
> United States, but they are still very affordable. I've contacted
> them in the past about running a TOR exit relay, and they said they
> had no problems with it.

Josh

Thanks for the pointer - but yes, I'd prefer to stay away from the US.
I think the US is probably already well served with tor nodes.

Cheers

Mick
-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] Disappointing AUP - (was Re: DDOS?)

2013-01-05 Thread mick
On Sat, 05 Jan 2013 11:40:42 +0100
Moritz Bartl  allegedly wrote:

> If we did not run too many exits already, I would go for a Hong Kong
> server with Limehost:
> http://www.limehost.ro/servere/dedicated-models.html
> 
> We have one of their older offers, dedi Gbit for 110 Euro in Romania.
> I am not sure if they allow Tor exits in Hong Kong, but it does not
> hurt to ask.
> 
Thanks Moritz. I'm currently trialling a VPS at digitalocean.com in
Amsterdam. So far it is looking very good - I'm not accustomed to
unmetered traffic allowance on a Gig network so I'm having to play
with the configuration to prevent tor outpacing the VPS.

Cheers

Mick 

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] DigitalOcean, cheap VPS that's ok with middle relays

2013-01-09 Thread mick
On Tue, 08 Jan 2013 10:47:40 -0800
Micah Lee  allegedly wrote:

> FYI, I just discovered a VPS provider DigitalOcean, and they seem fine
> with people running non-exit nodes:
> 
> https://www.digitalocean.com/community/questions/tor

Yep - that "mick" was me. I contacted them through their forum
following a recommendation from Roman Mamedov on this list (see my
post of 4 January).

> The cheapest plan is $5/month (256mb ram, 1 core, 20gb drive) with
> unlimited bandwidth. They give you New York and Amsterdam IP
> addresses. I haven't tried running a relay on it so I don't know how
> much bandwidth you can practically use, but it looks promising.
> 
As I mentioned in an earlier post, I signed up for their cheapest plan
(on 31/12/12) to test it. The VM has debian installed. I initially
fired up tor with no restrictions whatever to see what happened. I
quickly ran out of CPU cycles. Tor log complained "Your computer is too
slow to handle this many circuit creation requests! Please consider
using the MaxAdvertisedBandwidth config option or choosing a more
restricted exit policy." At one point (after a couple of days) tor just
stopped and did not restart. No setting for MaxAdvertisedBandwidth I
tried seemed to make any difference so I started experimenting with
various throttle limits on the relay. I also set NumCPU to 1 and
MaxOnionsPending 250 after reading a post recommending that. 

I currently have BandwidthRate 2500 KB and BandwidthBurst 2800 KB
set and have a stable node that is running at circa 34 Mbit/s with
just over 1000 tor circuits. Top reports cpu usage at around
30% and my vnstat stats (see below) predict 8.62 TiB traffic for the
month.

Now that I have a baseline, I will start to slowly ramp up the
bandwidth allowance again to see what happens.

Frankly, compared to my previous experience with some UK providers (see
my posts about thrustvps in particular) this level of traffic for this
price is astounding. If it keeps up, I'll likely pay for extra servers.

Mick

 vnstat snapshot this morning -

Database updated: Wed Jan  9 09:02:29 2013

   eth0 since 12/31/12

   rx:  1.15 TiB  tx:  1.18 TiB  total:  2.33 TiB

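   monthly
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
       Dec '12     75.50 MiB |    2.35 MiB |   77.85 MiB |    0.24 kbit/s
       Jan '13      1.15 TiB |    1.18 TiB |    2.33 TiB |   27.63 Mbit/s
     ------------------------+-------------+-------------+---------------
     estimated      4.25 TiB |    4.36 TiB |    8.62 TiB |

   daily
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
     yesterday    213.13 GiB |  217.74 GiB |  430.87 GiB |   41.83 Mbit/s
         today     64.71 GiB |   66.44 GiB |  131.16 GiB |   33.80 Mbit/s
     ------------------------+-------------+-------------+---------------
     estimated    171.93 GiB |  176.52 GiB |  348.46 GiB |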


-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] ServerAstra from hungary allows exit relays

2013-01-13 Thread mick
On Sun, 13 Jan 2013 05:37:44 +0600
Roman Mamedov  allegedly wrote:
> 
> My history with DigitalOcean ($5/month), in/out/total:
> 
>   Dec '12  4.99 TiB |    5.32 TiB |   10.31 TiB |   44.00 Mbit/s
>   Nov '12  6.35 TiB |    6.84 TiB |   13.19 TiB |   43.70 Mbit/s
>   Oct '12  2.10 TiB |    2.26 TiB |    4.36 TiB |   13.97 Mbit/s

A caveat on digitalocean. I signed up for a trial (and am happy) but I
couldn't believe that my current traffic level was sustainable long
term at that price point. So I specifically asked the question "what
can I realistically use?" They replied:

"We are currently offering free bandwidth and we certainly appreciate
you reaching out to us because you are pushing a substantial amount and
we do have backend processes running that constantly run consistency
and health checks and bandwidth usage is something that we monitor.
Mainly for detecting abuse or otherwise suspicious traffic.

Your current traffic level of 32-40Mbps is fine. In the future we will
eventually switch away from a free bandwidth model. Initially we roll
out features to make everything simpler and to gauge our customers
usage and to understand how to best cater the service to their needs."

So - prices /will/ go up and/or bandwidth allowance /will/ go down.

Best

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread mick
On Mon, 18 Feb 2013 02:05:40 -0800
Andrea Shepard  allegedly wrote:

> On Mon, Feb 18, 2013 at 04:59:09AM -0500, grarpamp wrote:
> > > I thought I would let you know: Our US hoster is regularly
> > > contacted by law enforcement about our exits there. Some agents
> > > ask if the traffic pattern is balanced, ie. if the same amount of
> > > traffic enters and leaves the box.
> > >
> > > I always argue that this is a good indicator for Tor traffic, and
> > > that it is bad to mix Tor traffic with other traffic for that
> > > exact reason.
> > 
> > Due to encryption and compression it might only be balanced to
> > within some typical ratio. I'm sure you have a handle on that
> > number. But that any non 1:1 ratio could make it appear to be
> > serving (or receiving) continual amounts of data. Which in the eye
> > of agents could raise question. Another question is whether these
> > US hosts are just volunteering this data to whoever comes asking,
> > with or without your instruction, or complying with formal legal
> > orders?
> > 
> > On the plus side, hopefully everyone is coming away with the
> > fact that it's just an uninteresting, agnostic, relay service and
> > time is better spent elsewhere.
> 
> Interesting; I'm pretty sure we do not use TLS compression.  Nick M.,
> that's true, yeah?
> 
> On the other hand, it could also be unbalanced because of:
> 
>  * Using that Tor process as a client
>  * Running a hidden service on that Tor process
>  * Running a directory mirror
> 

For anyone who is interested I have posted the vnstat stats for my
newest relay (0xbaddad) at http://rlogin.net/tor/bin-vnstats.txt

Whilst not quite a 1:1 ratio, it is close enough I think to show
that this is simply an agnostic relay. However, would not an exit node
show unbalanced traffic? Most net activity these days is web browsing
which is decidedly asymmetric - small outbound requests result in much
larger inbound responses. Won't an exit relay reflect that as it is the
last hop before the actual target site? 

Mick


-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] US Investigators seem to learn

2013-02-18 Thread mick
On Mon, 18 Feb 2013 06:32:55 -0800
Andrea Shepard  allegedly wrote:

> On Mon, Feb 18, 2013 at 01:26:26PM +0000, mick wrote:
> > Whilst not quite a 1:1 ratio, it is close enough I think to show
> > that this is simply an agnostic relay. However, would not an exit
> > node show unbalanced traffic? Most net activity these days is web
> > browsing which is decidedly asymmetric - small outbound requests
> > result in much larger inbound responses. Won't an exit relay
> > reflect that as it is the last hop before the actual target site? 
> 
> It'd be balanced by the encrypted traffic to the middle node. 

Ah yes, of course!

Thanks 

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] Recommended specifications for 1Gbps exit

2013-03-04 Thread mick
On Mon, 04 Mar 2013 18:37:01 +
Matt Joyce  allegedly wrote:

> 
> Of course being a server any contention is more likely going to be on
> the other side, but while I can find gigabit capable servers to try
> pulling from finding one to try pulling from me is entirely another
> story.  I did make a test file if anyone has the connection and 1GB of
> bw to try please let me know what you get
> http://torexit2.mttjocy.co.uk/1GBtest.bin
> 

Here you go: http://rlogin.net/tor/torexit2.txt 

Deeply unscientific, but real world.

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] Recommended specifications for 1Gbps exit

2013-03-05 Thread mick
On Mon, 04 Mar 2013 18:37:01 +
Matt Joyce  allegedly wrote:

> Of course being a server any contention is more likely going to be on
> the other side, but while I can find gigabit capable servers to try
> pulling from finding one to try pulling from me is entirely another
> story.  I did make a test file if anyone has the connection and 1GB of
> bw to try please let me know what you get
> http://torexit2.mttjocy.co.uk/1GBtest.bin
> 

Matt

A thought. You could try for yourself using the same service I used at
https://www.digitalocean.com/features if you wanted to run some more
tests. Digital Ocean sell their "droplets" by the hour. So you could
easily fire up a test VM for less than the cost of a coffee and
doughnuts... 

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] big spike in cpu usage

2013-04-06 Thread mick
On Fri, 5 Apr 2013 13:50:29 -0400
Owen Gunden  allegedly wrote:

> I have been running a non-exit tor relay for a few months now. It's
> on a metered VPS, so after some experimenting I found that I can
> afford about this much bandwidth:
> 
>   RelayBandwidthRate 250 KB
>   RelayBandwidthBurst 500 KB

Owen

You don't give details of your VPS, so comparisons may be difficult.
But I have the following config options on my main (non-exit) relay:

--
NumCPU 1
MaxOnionsPending 300

# rate limit - anything above about 2500 KB seems to cause tor 
# to invoke oom-killer

BandwidthRate 2100 KB 
BandwidthBurst 2200 KB
---

That relay is on a VM with 512Mb RAM, one CPU slice and 1Gig network
connectivity (with unlimited traffic allowance). Stats can be seen at:

https://atlas.torproject.org/#details/C332113DF99E367E4190424CE825057D91337ADD

I had the same problems you are seeing until I set the rate limits
above and increased MaxOnionsPending to 300. My CPU usage now hovers
around 65-85% for about 2000 established tor connections.

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] big spike in cpu usage

2013-04-07 Thread mick
On Sun, 07 Apr 2013 21:35:36 +0200
Miłosz Gaczkowski  allegedly wrote:

> On 07/04/2013 20:25, Andreas Krey wrote:
> > No, its not 'per second'. [...]
> Oh, wow, looks like I completely misunderstood what
> RelayBandwidthBurst does. I assumed it's a burst rate that would be
> occasionally allowed in peak times, not a "credit limit". If you're
> sure your description is correct, I may need to reconfigure my node.

Errr. Me too. 

My RelayBandwidthBurst limit is set on the assumption that that is the
max I will ever see (and allow).

Confused. 

Mick
-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-
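
Tor's manual describes the rate options as the refill rate of a token bucket and the burst options as the size of that bucket, in bytes. The sketch below is an added illustration, not part of any post in this thread: it models that with one-second steps (a simplification of Tor's finer-grained refill) using the RelayBandwidthRate 250 KB / RelayBandwidthBurst 500 KB values quoted earlier in the thread; the function names are made up for the example.

```python
"""Token-bucket model of a rate/burst pair (illustrative, one-second steps)."""

KB = 1024  # torrc treats "KB" as 1024 bytes


def simulate(rate, burst, demand):
    """Return the bytes relayed in each one-second step.

    rate   -- bytes added to the bucket every second (the *Rate option)
    burst  -- most bytes the bucket can ever hold (the *Burst option)
    demand -- bytes that peers want to push through in each second
    """
    bucket = burst  # a relay that has been idle starts with a full bucket
    sent = []
    for wanted in demand:
        allowed = min(wanted, bucket)  # can only spend tokens we hold
        sent.append(allowed)
        # Refill for the next second; unused credit never exceeds `burst`.
        bucket = min(burst, bucket - allowed + rate)
    return sent


def summarize(sent):
    """Return (peak bytes in any one second, average bytes per second)."""
    return max(sent), sum(sent) / len(sent)


RATE = 250 * KB
BURST = 500 * KB
SATURATED = 10**9  # constructed demand: far more than the relay may carry

if __name__ == "__main__":
    # Three busy seconds, two idle seconds, two busy seconds.
    pattern = [SATURATED] * 3 + [0, 0] + [SATURATED] * 2
    for second, sent in enumerate(simulate(RATE, BURST, pattern), start=1):
        print(f"t={second}s relayed {sent // KB} KB")

    peak, average = summarize(simulate(RATE, BURST, [SATURATED] * 3600))
    print(f"one busy hour: peak {peak // KB} KB in a second, "
          f"average {average / KB:.1f} KB/s")
```

Under sustained load the relay settles at the rate; the burst value only decides how much saved-up credit can be spent at once after a quiet period.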





Re: [tor-relays] BitTorrent complaint

2013-04-09 Thread mick
On Tue, 09 Apr 2013 18:33:26 +0200
bartels  allegedly wrote:

> On 04/09/2013 06:24 PM, Steve Snyder wrote:
> > Just make life easy for yourself and use the Reduced Exit Policy:
> >
> >https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
> Good advice. Had not seen that.
> 
> Must say it is a pretty loose list. I do not see the point in
> accessing a squid proxy server over tor. It sort of defeats the
> purpose.

Or if you really feel you /must/ run an exit at this stage, try limiting
yourself to just http and https. 

ExitPolicy accept *:80
ExitPolicy accept *:443 
ExitPolicy reject *:*

Though personally I'm with Romanov here. Just relay with no exit until
you have a better feel for tor. 

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-
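
Tor reads ExitPolicy lines top to bottom and the first matching line wins, which is why the catch-all reject has to come last. The following is an added sketch, not code from this thread or from Tor: a simplified IPv4-only evaluator (no accept6/reject6, no aliases, and whatever tor does when no line matches is not modelled) that checks the web-only policy above. The names `parse_policy` and `decide` are made up for the example, and 192.0.2.10 is a documentation address.

```python
"""First-match evaluation of ExitPolicy lines (simplified, IPv4 only)."""
import ipaddress


def parse_policy(lines):
    """Parse 'ExitPolicy accept|reject ADDR:PORT' lines into rule tuples.

    ADDR is '*' or an address/CIDR block; PORT is '*', one port, or 'low-high'.
    Raises ValueError for anything that does not fit that shape.
    """
    rules = []
    for line in lines:
        keyword, action, pattern = line.split()
        if keyword != "ExitPolicy" or action not in ("accept", "reject"):
            raise ValueError(f"not an exit policy line: {line!r}")
        addr, sep, port = pattern.rpartition(":")
        if not sep or not addr:
            raise ValueError(f"pattern must be ADDR:PORT, got {pattern!r}")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            low, high = 1, 65535
        else:
            first, _, last = port.partition("-")
            low = int(first)
            high = int(last) if last else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range in {pattern!r}")
        rules.append((action, net, low, high))
    return rules


def decide(rules, ip, port):
    """Return the action of the first rule that matches, or None if none does."""
    target = ipaddress.ip_address(ip)
    for action, net, low, high in rules:
        if (net is None or target in net) and low <= port <= high:
            return action
    return None


# The web-only policy suggested in the message above.
WEB_ONLY = [
    "ExitPolicy accept *:80",
    "ExitPolicy accept *:443",
    "ExitPolicy reject *:*",
]

if __name__ == "__main__":
    rules = parse_policy(WEB_ONLY)
    for port in (80, 443, 22, 6881):
        print(f"192.0.2.10:{port} -> {decide(rules, '192.0.2.10', port)}")

    # Same lines with the catch-all first: nothing is ever accepted.
    shadowed = parse_policy([WEB_ONLY[2]] + WEB_ONLY[:2])
    print("catch-all first, port 80 ->", decide(shadowed, "192.0.2.10", 80))
```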





Re: [tor-relays] BitTorrent complaint

2013-04-09 Thread mick
On Tue, 9 Apr 2013 18:01:40 +0100
mick  allegedly wrote:

> 
> Though personally I'm with Romanov here. 

Correction. "Roman" (forgive me Roman).

Mick

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] Tor node monitoring

2013-04-17 Thread mick
On Wed, 17 Apr 2013 01:19:34 +0200
Lunar  allegedly wrote:

> Alex Beal:
> > I was wondering what, if any, software you use for monitoring your
> > relays. It would be nice if I could get an email when the Tor
> > daemon crashes, and maybe another every night telling me about
> > bandwidth used, average speed, etc.
> 
> For external monitoring, I wrote a Nagios check using Stem. It is
> available at:
> 
> http://anonscm.debian.org/gitweb/?p=users/lunar/check_tor.git
> 

and there are munin plugins by Ge van Geldorp (tor_connections and
tor_traffic) at http://munin-monitoring.org/wiki/PluginCat

beware that the old munin exchange site has disappeared.

Mick 

-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] How does CERT-FI know my SOCKS4 port?

2013-07-10 Thread mick
On Wed, 10 Jul 2013 17:04:12 +0200
Logforme  allegedly wrote:

> I assume the ISP did a port scan. Do you have port 9050 open in your 
> firewall?

Unlikely. I think it would be very unusual for an ISP in any country to
portscan anyone without prior authority (such as would appear in a
contract). Such action is illegal in many jurisdictions. And in any case,
Steve has already said that his socks port is bound only to localhost
(127.0.0.1). The report from CERT-FI must simply record the fact that
they have seen (or had reported) apparent open proxy relaying from
Steve's IP address with source port 9050. Without a lot more detail
about configuration, and the exact details of the reporting from
CERT-FI it is difficult to make any assumptions.

If I were Steve, I would contact CERT-FI directly for more information.
They are likely to be very helpful.

Mick

> On 2013-07-10 15:57, Steve Snyder wrote:
> > My ISP recently sent to me a CERT-FI auto-report on
> > malware-infected servers in my ISP's address space.  I was sent
> > this report because my IP address was among those flagged.  My
> > entry looks like this:

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Home broadband - worth running a relay?

2013-07-12 Thread mick
On Thu, 11 Jul 2013 21:43:00 +0100
Nick  allegedly wrote:

> Hi there,
> 
> I have a reasonable ADSL connection, and a little always-on server.  
> The bandwidth is in the region of 2Mib/s down, something less up 
> (maybe 256Kib/s). Is it useful for me to run a tor relay with this 
> bandwidth? I'd like to run one which isn't an exit, at least for 
> now.
> 
> If not, am I correct in thinking that a bridge is an appropriate 
> help? That's what I'm doing currently, but if a relay would be more 
> useful I'd be very happy to do that.
> 
> One other unrelated(ish) question: I'm in the UK, where the idea of 
> censorship isn't resisted as strongly as it ought to be, and as a 
> result my internet connection is subject to a smallish amount of 
> censorship: whatever is on the secret IWF blacklist plus the pirate 
> bay. Does this mean that running an exit node from a home connection 
> here at some point in the future would not be helpful? Or only if 
> all HTTP(S) was blocked (as the IWF blacklist is secret there's 
> presumably no way to tell the tor network what is inaccessible from 
> this node).

Nick

I too am in the uk. In my view, running tor on your home broadband
connection is probably a bad idea. As you have already noted, the
connection is not completely unfiltered and you may find other problems
arise as soon as you try to run a relay. I think you might find it
almost impossible to successfully run an exit relay without a lot of
hassle from your ISP which might end up in your disconnection. Besides
that, the amount of bandwidth available on a domestic ADSL is low and
you will find that tor impacts heavily on usage unless it is heavily
throttled.

For several years now I have successfully run relays (both exit and
non-exit) on fairly cheap VPSs. This has the dual advantage of
separating your own connection from tor and of providing dedicated
bandwidth to the relay. You will need to check with the VPS provider
that they are happy to allow tor. Some are, most aren't and of those
most are not happy with exit relays because they end up getting
(often robotic) abuse complaints. Of course your VPS does not have
to be in the UK. 

I have run relays with bytemark.co.uk (non-exit), daily.co.uk (exit
and non-exit) thrustvps.com (ditto) rapidswitch.com (ditto). I
currently use digitalocean.com (in the Netherlands, but a US company)
and thrust - though for a variety of reasons I will probably drop
thrust at the end of my contract with them and move that one
elsewhere. 

Always/always check the ISP's AUP in advance and then email them telling
them what you intend to do before signing up. In my experience, those
which are content to allow tor sometimes change their mind after the
first few abuse complaints.  You then have the option of switching to
non-exit, or simply taking your custom elsewhere. It depends on how you
want to play things and what you are getting for your money.

Nowadays you can get a useful amount of bandwidth (1-2 TiB pcm) on a
reasonably specced VM (512 Mb RAM, 1 core, 20-40 GB disk) very cheaply
(on the order of 5-10 UKP pcm, or much less if you shop around). Take
a look at lowendbox.com for some ideas of offers on cheap VPS. Then do
some research on the suppliers, contact those you shortlist and be
open about what you intend to do.

HTH

Mick 
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Home broadband - worth running a relay?

2013-07-12 Thread mick
On Fri, 12 Jul 2013 14:22:44 +0100
mick  allegedly wrote:

> On Thu, 11 Jul 2013 21:43:00 +0100
> Nick  allegedly wrote:
> 
> > Hi there,
> > 
> > I have a reasonable ADSL connection, and a little always-on
> > server. The bandwidth is in the region of 2Mib/s down, something
> > less up (maybe 256Kib/s). Is it useful for me to run a tor relay
> > with this bandwidth? I'd like to run one which isn't an exit, at
> > least for now.

> Nowadays you can get a useful amount of bandwidth (1-2 TiB pcm) on a
> reasonably specced VM (512 Mb RAM, 1 core, 20-40 GB disk) very cheaply
> (on the order of 5-10 UKP pcm, or much less if you shop around). Take
> a look at lowendbox.com for some ideas of offers on cheap VPS. Then do
> some research on the suppliers, contact those you shortlist and be
> open about what you intend to do.

Forgot to add - take a look at http://www.edis.at/en/home for example.
They have reasonable offerings (but limited on the KVM option) in a
variety of countries and I have already established that they would
be comfortable with non-exit tor relays. 

Mick


-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Home broadband - worth running a relay?

2013-07-13 Thread mick
On Fri, 12 Jul 2013 19:04:22 -0700
Gordon Morehouse  allegedly wrote:

> mick:
> > Forgot to add - take a look at http://www.edis.at/en/home for
> > example. They have reasonable offerings (but limited on the KVM
> > option) in a variety of countries and I have already established
> > that they would be comfortable with non-exit tor relays. 
> 
> Be aware that depending on the data center, the KVM nodes at Edis get
> rebooted fairly often ... if you want to run a larger relay and be
> flagged stable, maybe not the best choice.
> 
> -Gordon

Gordon

Thanks - useful to know. Any information on the openVZ offering?

Best

Mick

-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Home broadband - worth running a relay?

2013-07-13 Thread mick
On Sat, 13 Jul 2013 10:03:11 -0700
Gordon Morehouse  allegedly wrote:

> mick:
> > Gordon
> > 
> > Thanks - useful to know. Any information on the openVZ offering?
> 
> 
> They told me it was rebooted much less often, but they didn't offer it
> in Iceland, which is where I was interested in having my data
> physically located.  They also said the Iceland KVM nodes tended to
> get rebooted a lot less than where I was at the time (continental
> Europe at one of their many locations).  So, YMMV.
> 
> But I would say, the Edis OpenVZ offerings are probably pretty good
> for Tor relays.

Gordon

Again, thanks for the info.

Mick

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Sitevalley is no longer Tor-friendly

2013-07-18 Thread mick
On Thu, 18 Jul 2013 10:49:46 -0400
Tom Ritter  allegedly wrote:

> Sending this out, as I suspect I am not the only person running a node
> on SiteValley, as they have pretty good bandwidth for pretty cheap.
> 
> I had inquired in the beginning if they allowed Tor, and they said
> yes, but if we get too many abuse complaints we'll shut it down.  So
> maybe 4 or 5 abuse complaints later they did indeed give me the
> ultimatum to shut it down or get shut down.  So I made them give me a
> new IP address, and made it into a middle node.  (The new IP was
> because I was thinking of making it a bridge.)

Hmm. Pretty crummy AUP. And /very/ crummy treatment of a customer.

I wonder if we are going to see more of this sort of thing now. I
think the tor network needs greater geographic diversity. 

Mick

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Sitevalley is no longer Tor-friendly

2013-07-18 Thread mick
On Thu, 18 Jul 2013 12:02:29 -0400
krishna e bera  allegedly wrote:

> On 13-07-18 11:51 AM, mick wrote:
> > 
> > I wonder if we are going to see more of this sort of thing now. I
> > think the tor network needs greater geographic diversity. 
> 
> Makes me wonder if there is some kind of legal pressure being applied
> to American ISPs to disallow Tor and similar services and
> infrastructure. Or perhaps owners of some ISPs are polarizing toward
> the PATRIOT act side especially after the Snowden thing.
> 

I'd like to think it may simply be a form of "self censorship" i.e. the
ISP is wary of some future, unspecified, action and simply seeks a quiet
life. I can't see legal pressure working - tor violates no laws. 

Mick  
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] What to do about port scans?

2013-07-31 Thread mick
On Wed, 31 Jul 2013 14:48:05 -0400
Steve Snyder  allegedly wrote:

> I wouldn't have thought that the Tor network was fast enough for port 
> scanning, but apparently it is.  I have recently seen a rash of SSH
> port scanning (or so my ISP reports). What can/should  I do about
> this?

I'm not sure exactly what you are saying here. 

1. Do you mean that the scans (directed at you) all came from tor exit
nodes? 

2. Or do you mean that your tor node was scanned from elsewhere? 

3. Or do you mean that your tor exit node was used in port scanning
someone else?
 
> I know I can limit the rate of connections using iptables.  What's
> the consensus on this?  Is this considered advisable, or a breach of 
> expected exit node behavior?

If you are an exit node and you allow connection to port 22, and you
are being used to scan others (3 above) then I would say it would be
inadvisable to interfere with that connection. Better to be explicit in
your exit policy by denying exit to port 22. Of course that simply
moves the problem to some other exit node, but your ISP will stop
complaining (which may be what you need).
> 
> Do I have any options other than iptables to restrict the rate of
> port 22 connection attempts?

I find that there is a huge drop in ssh scanning activity if the
daemon is simply moved to a non-standard port. So if the problem is 1
or 2 above, a simple sshd reconfig may help.

HTH

Mick
-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] VPS

2013-08-03 Thread mick
On Sat, 3 Aug 2013 16:54:20 -0400
George Herndon  allegedly wrote:

> i'm happy with digitalocean
> 
> George Herndon
> ghern...@eyeontech.com

And so am I - for a relay. DO are not very keen on exits. See
https://www.digitalocean.com/community/questions/tor

Mick
-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] VPS Hardware Specification & Advice

2013-08-06 Thread mick
On Tue, 06 Aug 2013 20:40:11 +0200
Tor Pids  allegedly wrote:
>
> The VPS specs you posted should be more than enough - but the price
> is too expensive!
> 
>
Seconded. You could easily get 1TiB pcm for < 5 UKP (i.e. around 5
euros or 5 USD). 7-10 euros should buy you 2 TiB.

I can recommend digitalocean.com at 5 USD. They have offerings in
Amsterdam, San Francisco and NYC. They are happy to allow relays, less
happy with exits.

HTH

Mick
-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] new relays

2013-08-22 Thread mick
On Thu, 22 Aug 2013 08:45:33 -0500
a432511  allegedly wrote:
> 
> I just spun up 2 relays (1 exit, 1 non-exit) in Amsterdam using 
> DigitalOcean as the VPS provider. It's been up for about 8 hours now. 
> Here was the message I sent to them regarding the servers:
> 
I have three DigitalOcean VMs. One in Amsterdam is a (non-exit)
relay (https://baldric.net/2013/01/13/what-a-difference-a-gig-makes/),
the other two, in San Francisco and NYC, are tails mirrors. /Before/
starting the tor relay I specifically asked DO if they had any problems
with tor. They told me much what they have apparently told you.
Certainly I gained the impression that they would not be happy if
their IP addresses appeared in abuse complaints.
(https://www.digitalocean.com/community/questions/tor) I followed up
that conversation in a support ticket and they have been fine with me
running a relay ever since. 

> 
> The other thing that I am weighing is just a moral question regarding 
> misuse of the Tor network for despicable things like child porn. I 
> understand that of all the traffic it is a small percentage and that 
> ISPs essentially face the same dilemma, but I wonder if more can be
> done to make Tor resistant to evil usage.
> 
Tor is neutral. You and I may agree that certain usage is unwelcome,
even abhorrent, but we cannot dictate how others may use an anonymising
service we agree to provide. If you have a problem with that, you
probably should not be running a tor node.

Best

Mick

-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] new relays

2013-08-27 Thread mick
On Tue, 27 Aug 2013 11:08:34 -0500
Jon Gardner  allegedly wrote:

> On Aug 22, 2013, at 11:56 AM, mick  wrote:
> 
> > Tor is neutral. You and I may agree that certain usage is unwelcome,
> > even abhorrent, but we cannot dictate how others may use an
> > anonymising service we agree to provide. If you have a problem with
> > that, you probably should not be running a tor node.
> 
> Then why have exit policies? Exit nodes regularly block "unwelcome"
> traffic like bittorrent, and there's only a slight functional
> difference between that and using a filter in front of the node to
> block things like porn (which, come to think of it, also tends to be
> a bandwidth hog like bittorrent--so it doesn't have to be just a
> moral question). If someone has a problem with exit nodes blocking
> things like porn (or bittorrent, or...), then they probably should
> not be using Tor.
> 
> The very idea of Tor is based on moral convictions (e.g., that
> personal privacy is a good thing, that human rights violations and
> abuse of power are bad things, etc.). 

Nope. Not in my view. Tor's USP is anonymity of access to any and
all network resources. I say again, tor is neutral. It cares
not about what those resources are - it just shovels bits. 

And as a relay operator I cannot say that bits of type A are OK to
retrieve but not bits of type B. I do not even know what type of bits
are transferred.

As someone else here said "censorship implies surveillance".

> The Tor devs go to great lengths to try to keep "evil" governments
> from using Tor against itself. Why not devote some effort toward
> keeping "evil" traffic off of Tor? 

Define "evil" (or its converse "good"). I'd bet that given any random
selection of people in a room you'd get a broad spectrum of views. The
only way you can safely meet /all/ those views is not to take a
position at all and remain neutral. 

I repeat tor is neutral. 

> 
> It's worth discussion.
> 

I agree.

Best

Mick
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] new relays

2013-08-28 Thread mick
On Wed, 28 Aug 2013 07:22:16 +0200
Andreas Krey  allegedly wrote:

> On Tue, 27 Aug 2013 23:12:01 +, Tor Exit wrote:
> >GET /index.php?file=../../../../../../../etc/passwd
> > 
> > Why not employ similar techniques on a Tor exit? We can be 100%
> > sure about the malicious intent.
> 
> No, you can't be sure. That request could quite well be totally
> legitimate; you are not in a position to judge for the site owner.
> 
Absolutely true. I could be using tor to test my own website's security
mechanisms. In fact, I /have/ used tor to test my own websites.

Best

Mick 
-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] new relays

2013-08-28 Thread mick
On Tue, 27 Aug 2013 19:34:13 -0700
Andy Isaacson  allegedly wrote:

> 
> If only there were a separate TCP port for HTTP-with-Porn and all the
> pornographers used it, then an exit policy for "HTTP-without-porn"
> would be possible.  But alas, we don't even have vague agreement on
> what constitutes porn, much less a social contract requiring all
> pornographers to segregate their traffic for our convenience.
> 
> RFC6969, Pornographic HTTP.  #ideasforapril1

Wonderful! Love it. (I have often pondered the possibility of a DPI
"porn filter" which rejects traffic based on the "proportion of flesh
coloured packets to the total" or some such nonsense. Second order
problem - define "flesh coloured".)

Best

Mick 
-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Hello List

2013-08-28 Thread mick
On Wed, 28 Aug 2013 10:37:34 -0400
"Kevin C. Krinke"  allegedly wrote:

> What services (other than Tor) can I host?
> What else is needed in the general community? 
> 

Kevin

Congratulations and welcome.

You could consider a tails mirror
https://tails.boum.org/contribute/index.en.html

But I'd recommend against running it on your relay. If you have free
capacity elsewhere then I'm sure the guys at tails would be happy to
hear from you.

Mick   


-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





[tor-relays] huge increase in relay traffic

2013-08-30 Thread mick
I'm currently seeing more than a doubling of connections (from a mean of
c. 2000 established connections to just over 5000) on my relay at
0xbaddad. The log is full of the (expected) messages:
"Your computer is too slow to handle this many circuit creation
requests!"

I guess this is related to the massive jump in connected clients
in the past few days and I assume that everyone else is seeing
something similar.

Mick 

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Overload data for Exit vs Non-Exit (and Guard vs Middle)?

2013-08-31 Thread mick
On Fri, 30 Aug 2013 18:25:54 -0700
Mike Perry  allegedly wrote:

> To try to get to the bottom of the recent influx of clients to the Tor
> network, it might be useful to compare load characteristics since 8/19
> for nodes with different types of flags.
> 
> People with Munin setups: it would be especially useful if you could
> post links/graph images for connection counts, bandwidth, and CPU load
> since 8/19.

Here you go:

https://pipe.rlogin.net/munin/network-month.html

https://atlas.torproject.org/#details/C332113DF99E367E4190424CE825057D91337ADD

Tor is running on bin.rlogin.net. I am currently seeing close to 6000
established connections (or three times normal mean) but actual traffic
is only running slightly higher than normal. My vnstats for the last
month are at https://baldric.net/2013/08/31/vnstat-on-my-tor-node/

Mick



-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Overload data for Exit vs Non-Exit (and Guard vs Middle)?

2013-08-31 Thread mick
On Sat, 31 Aug 2013 18:30:41 +0100
mick  allegedly wrote:
 
> Here you go:
> 
> https://pipe.rlogin.net/munin/network-month.html
> 
etc

U. I've just had a (paranoid?) thought after reading the recent post
from Gordon Morehouse about DDOS. 

I don't normally expose those stats to the world. Indeed I'd guess a
few other people who collect such stats don't either. Now, whilst these
stats (along with those from others who respond) might help
investigations of the impact of whatever is causing the recent uptick,
we may also be giving valuable data to whoever is behind the attack (if
we assume it is an attack).

As I said, probably paranoid, but if there /is/ a single actor behind
this phenomenon then he or she might be delighted to be given
such a collection of data points from the network.

Oh well. 

Mick


-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Too little traffic on my #2 non-exit relay

2013-09-18 Thread mick
On Wed, 18 Sep 2013 20:41:17 +0200
Christian Dietrich  allegedly wrote:

> Thanks, but both relays have been started at the same time.
> Due to the fact that they also have the same configuration,
> both should offer up to 1 gigabit/s bandwidth.
> 
> "RelayBandwidthRate 125 MBytes
> RelayBandwidthBurst 125 MBytes"
> 
> Both relays are exactly the same, except for the IPv4 address.
> 

Neither relay shows any family members. That /may/ cause a problem
since they are obviously related.

Mick
-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] relays "in the cloud"

2013-10-02 Thread mick
On Wed, 2 Oct 2013 02:21:13 -0400
grarpamp  allegedly wrote:
> 
> The community should make node placement more of a
> process under some metrics to avoid placement collisions.
> 'myfamily' is a concept that spans more than just the operator.

An interesting, and very valid point. One drawback of the
advertisement of "tor friendly" ISPs (either on the list or on the
wiki) could be a tendency to cluster nodes to the detriment of the
network.

Mick 

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





[tor-relays] BBG and Tor funding

2013-10-04 Thread mick
See

http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption

Note the new addition at the end of this article, presumably added at
the request of BBG 

"• This article was amended on 4 October after the Broadcasting Board
of Governors pointed out that its support of Tor ended in October 2012."

So. How does this square with BBG's alleged support for financing new
fast exit relays?

https://lists.torproject.org/pipermail/tor-relays/2013-September/002824.html

Best

Mick

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] VPS

2013-10-20 Thread mick
On Sun, 20 Oct 2013 10:58:20 -0700
Gordon Morehouse  allegedly wrote:
> 
> If you're on a 10Mbps port and set your limits to about 5Mbps
> RelayBandwidthRate, you're going to need more than 256MB - probably
> more like 768MB and a cron job to restart Tor if it chews up all RAM
> and gets itself killed.

I run tor perfectly happily on a VPS with 512MB of RAM. That node
is on a Gig backbone, advertises 2.1 MB/s (2100 KB) and shovels data at
anywhere between 24 and 32 Mbit/s all day every day for a monthly
total of anywhere from 9.5 to 10.5 TiB per month. 

See
https://atlas.torproject.org/#details/C332113DF99E367E4190424CE825057D91337ADD

last rebooted when I upgraded to Tor 0.2.4.17-rc about three weeks
ago. 

The limiting factor on a pi is not just memory. It is CPU.

Mick

-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] VPS

2013-10-21 Thread mick
On Sun, 20 Oct 2013 12:40:52 -0800
I  allegedly wrote:

> Mick,
> 
> Is Serverstack.nl particularly pro-tor exit nodes? 
> By the front page it would seem so.
> 
> Robert

Heh! I hadn't seen that before. (Though take a look at serverstack.com
for a more, erm, normally corporate front page).

Honestly, I do not know serverstack's position. I rent that particular
VPS from digitalocean, it just happens to be in Amsterdam on AS46652.
digitalocean's own position appears to be supportive of non-exit
relays only. 

Mick 
-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Is there any reason to keep the default exit policy?

2013-11-04 Thread mick
On Mon, 4 Nov 2013 13:43:29 +
Thomas Hand  allegedly wrote:

> Running as exit relay should be a consensual and informed decision of
> the operator.
> 

Agreed. I'll add my voice to those voting in favour of the default
policy for a relay being non-exit. As Tom said, those competent enough
to run tor in a VPS can be trusted to be competent enough to edit torrc
to allow exit (and apply an appropriate policy). A naive, or new, tor
user should not be bitten by a default exit. As I believe Gordon M said
earlier, that is a serious "WTF?"  

Mick

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Traffic in port 9050 in a relay (denial of service attack?)

2013-11-06 Thread mick
On Wed, 06 Nov 2013 10:30:30 +
Kevin Steen  allegedly wrote:

> On 06/11/13 06:09, Andreas Krey wrote:
> > On Tue, 05 Nov 2013 14:09:40 +, Thomas Hand wrote:
> > ...
> >> Also, use iptables! If it is a dedicated VPS then drop anything
> >> you don't recognize,
> > 
> > What for? The ports that you want to block are rejected by the
> > kernel anyway, as there is no one listening. (The minor added
> > protection that malware needs to be root to disable iptables and
> > effectively listen - is that worth the work?)
> 
> Dropping bad requests will reduce your bandwidth usage through not
> having to send TCP RST responses, and will also increase the workload
> of the attacker as they'll have to wait for a timeout on each
> connection.

It is also good practice to whitelist traffic inbound. The fact that
there is no service currently listening on port "N" does not mean that
there will /never/ be a service listening on port "N". Blocking by
default can protect you from that WTF moment when you find that some
system upgrade or reconfiguration has fired up a service you didn't
expect or thought you had removed.

I've been there. I also believe in belt and braces. 

> I wouldn't recommend dropping everything, though, as it makes
> troubleshooting very difficult - just drop connections to ports which
> get attacked.

I disagree. Dropping all traffic other than that which is explicitly
required is IMHO a better practice. (And how do you know in advance
which ports get attacked?)

Best

Mick
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Traffic in port 9050 in a relay (denial of service attack?)

2013-11-06 Thread mick
On Tue, 5 Nov 2013 13:39:50 -0800
I  allegedly wrote:

> Ip tables are a mystery to me.
> Can someone either explain them or point to a complete explanation,
> please?
> 
> Robert
>  
> "Also, use iptables! If it is a dedicated VPS then drop anything you
> don't recognize, leaving only Tor ports (9001,9030 default) and maybe
> a service port like 22 for SSH for something. Port 9050 should not
> be visible from outside..."

Robert

The linux kernel ships with a default network packet processing
subsystem called netfilter (see http://www.netfilter.org/ for a
description of the system). iptables is the mechanism by which you can
define rules to apply to packet filtering in that system. Most people
use iptables to set up default firewall rulesets allowing inbound
traffic only to certain services and denying all others. 

For example, on a webserver you might wish to allow in only
traffic aimed at ports 80 and, if you are running SSL/TLS, 443.
(Of course if that webserver is running remotely you almost certainly
need to allow in traffic to the ssh port to permit remote
administration). 

This is not strictly on-topic for the tor list so you might care to
spend some time perusing the netfilter web page and its related
resources (FAQs, lists etc). Short term and if it helps you, I wrote
some recommended iptables configuration scripts a while ago. See
https://baldric.net/2012/09/09/iptables-firewall-for-servers/ 

Note, however, that whilst /I/ believe those configurations to be
safe and useful, I would not recommend that you blindly trust my
scripts without first understanding what they do. Netfilter is
complex, and trusting some unknown third party (me) with your
firewall configuration may not be the best idea in the world. :-)

Best

Mick

-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Traffic in port 9050 in a relay (denial of service attack?)

2013-11-06 Thread mick
On Wed, 06 Nov 2013 14:00:09 +0200
Lars Noodén  allegedly wrote:

> On 11/06/2013 01:26 PM, mick wrote:
> > I disagree. Dropping all traffic other than that which is
> > explicitly required is IMHO a better practice. (And how do you know
> > in advance which ports get attacked?)
> 
> Using reject instead of drop simplifies troubleshooting.
> 
> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
> 
> Drop tends to get in the way.

Again, I disagree. But I recognise that this can be a religious
decision. My default policy is to drop rather than reject. I know
that strict adherence to standards implies we should “REJECT” with a
helpful ICMP error message. But, doing that can mean that
incoming packets with a spoofed source address can get replies sent
back to that (innocent) source address. DDOS bots exploit this
behaviour. 

I’d rather break standards than help a DDOS bot. :-)

Mick
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Traffic in port 9050 in a relay (denial of service attack?)

2013-11-06 Thread mick
On Wed, 06 Nov 2013 14:00:15 +0100
Jeroen Massar  allegedly wrote:

> On 2013-11-06 13:47 , mick wrote:
> > On Wed, 06 Nov 2013 14:00:09 +0200
> > Lars Noodén  allegedly wrote:
> > 
> >> On 11/06/2013 01:26 PM, mick wrote:
> >>> I disagree. Dropping all traffic other than that which is
> >>> explicitly required is IMHO a better practice. (And how do you
> >>> know in advance which ports get attacked?)
> >>
> >> Using reject instead of drop simplifies troubleshooting.
> >>
> >> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
> >>
> >> Drop tends to get in the way.
> > 
> > Again, I disagree. But I recognise that this can be a religious
> > decision. My default policy is to drop rather than reject. I know
> > that strict adherence to standards implies we should “REJECT” with a
> > helpful ICMP error message.
> 
> Configure your host with DROP, do an nmap, then configure it with
> REJECT thus for Linux:
> 
> IPv4: -j REJECT --reject-with icmp-port-unreachable
> IPv6: -j REJECT --reject-with icmp6-port-unreachable
> 
> Now repeat that nmap; indeed, for the DROP it is shown that these
> ports are filtered, for REJECT the ports are just 'closed'.
> 
> Hence, the adversary did not learn anything in the REJECT case
> (services apparently are not there), but in the DROP case they
> learned that you have a firewall configured and that those services
> are likely there...

Not true. Since my default is to drop for ALL ports not explicitly open
and receiving traffic, the adversary has learned nothing about what
other services may or may not be there. 

I have no need to say politely to anyone connecting to any random port
on my server, "Sorry, nothing here, you can close your connection". The
only legitimate connections inbound to my server are those for which I
advertise a service.

> 
> As you say it is one of those 'religious' decisions, but in this, the
> facts show what should be preferred for multiple reasons ;)

I also prefer vi to emacs :-)
 
> > But, doing that can mean that
> > incoming packets with a spoofed source address can get replies sent
> > back to that (innocent) source address. DDOS bots exploit this
> > behaviour. 
> 
> As there is no amplification (only a portion of the incoming packet is
> included) this is not used; there are much better sources of attack.
> 

I agree. DNS amplification is much more dangerous and useful to an
adversary. But that does not mean that no adversary will attempt to
use ICMP replies in an attack.

Mick 
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-
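
The default-drop inbound whitelist argued for in this thread, with the DROP versus REJECT choice from the replies above as a switch, written out as an added example (it is not code posted by anyone in the thread). The function names are hypothetical; the ports are the ones quoted in the thread (9001 and 9030 for Tor, 22 for SSH), and the script only prints a ruleset rather than loading it.

```shell
#!/bin/sh
# Added example: default-deny inbound ruleset for a relay host, emitted in
# iptables-restore format. Nothing here touches the live firewall.
# IPv4 only; an ip6tables ruleset would use icmp6-port-unreachable instead.

# relay_ruleset ACTION PORT...
#   ACTION: "drop" (discard silently) or "reject" (answer with an ICMP error)
#   PORT:   TCP ports that may receive new inbound connections
relay_ruleset() {
    action=$1
    shift
    case "$action" in
        drop|reject) ;;
        *) echo "action must be 'drop' or 'reject'" >&2; return 2 ;;
    esac
    # Validate every port before printing anything, so a bad argument
    # never yields a half-written ruleset.
    for port in "$@"; do
        case "$port" in
            ''|0*|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
        esac
        if [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 2
        fi
    done

    echo "*filter"
    # A chain policy can only be ACCEPT or DROP, so DROP is the backstop
    # in both modes: anything no rule matches is discarded.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Loopback stays open, so a SOCKS listener on 9050 still works locally.
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened itself.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    if [ "$action" = reject ]; then
        # REJECT has to be an explicit last rule. Every unmatched packet
        # now triggers an ICMP reply to its claimed source address.
        echo "-A INPUT -j REJECT --reject-with icmp-port-unreachable"
    fi
    echo "COMMIT"
}

# accepted_ports: read a ruleset on stdin and print the TCP ports that the
# INPUT chain accepts, sorted, on one line.
accepted_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
             for (i = 3; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' | sort -n | paste -sd' ' -
}

# is_exposed PORT: read a ruleset on stdin; succeed if PORT is accepted.
is_exposed() {
    accepted_ports | tr ' ' '\n' | grep -qx "$1"
}

# Print the drop variant. To have iptables parse it without committing:
#   relay_ruleset drop 9001 9030 22 | iptables-restore --test
relay_ruleset drop 9001 9030 22
```

Because the whitelist is the only place a port can be opened, a service that starts unexpectedly after an upgrade stays unreachable from outside until a rule is added for it.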





Re: [tor-relays] Watching the attacks on my relay

2013-11-09 Thread mick
On Fri, 08 Nov 2013 20:15:51 +0100
elrippo  allegedly wrote:

> Jope. I tend to have some issues with some CA's.
> But yes you are right, i should get me a decent certificate.
> I will do that, promise.
> 
> You self signed your site certificate...? 
> 
> 
> 
I don't see any problem per se with a self-signed certificate on a site
which does not purport to protect anything sensitive (such as financial
transactions). The problem with this particular certificate is that
the common name identifier is both wrong (www) and badly formatted
(http://) But both of those errors can be corrected very quickly.

Why pay a CA if you don't trust the CA model?

Mick 

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





[tor-relays] OT :Self-signed SSL certs - was - Re: Watching the attacks on my relay

2013-11-09 Thread mick
On Sat, 9 Nov 2013 09:22:12 -0500
Paul Syverson  allegedly wrote:

> On Sat, Nov 09, 2013 at 12:50:18PM +0000, mick wrote:
> > > 
> > I don't see any problem per se with a self-signed certificate on a
> > site which does not purport to protect anything sensitive (such as
> > financial transactions). The problem with this particular
> > certificate is that the common name identifier is both wrong (www)
> > and badly formatted (http://) But both of those errors can be
> > corrected very quickly.
> > 
> > Why pay a CA if you don't trust the CA model?
> > 
> 
> You may want to take a look at
> https://blog.torproject.org/blog/life-without-ca
> 

Paul

Thanks for the pointer - nice post. I tend to agree, though I am not
personally that fanatical about deleting all CAs in my browser. I /am/
deeply sceptical about what any particular SSL cert may, or may not, be
telling me.

I use self signed certs on my email server and on my website. But
they are there to protect my authentication. I do not expect anyone
else to trust them. 

Mick

-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] OT :Self-signed SSL certs - was - Re: Watching the attacks on my relay

2013-11-09 Thread mick
On Sat, 9 Nov 2013 21:30:13 +0600
Roman Mamedov  allegedly wrote:

> On Sat, 9 Nov 2013 12:50:18 +
> mick  wrote:
> 
> > I don't see any problem per se with a self-signed certificate on a
> > site which does not purport to protect anything sensitive (such as
> > financial transactions). The problem with this particular
> > certificate is that the common name identifier is both wrong (www)
> > and badly formatted (http://) But both of those errors can be
> > corrected very quickly.
> > 
> > Why pay a CA if you don't trust the CA model?
> 
> If your primary objection is the need to pay for certificates (and
> not e.g. the possibility of CA itself being backdoored etc), then I'd
> suggest considering CACert[1]. It provides free wildcard certificates
> which are already trusted out of the box by some[2] FOSS operating
> systems such as Debian.
> 
> I'd say it is better than trusting individual self-signed certs, and
> somewhat better than using your own root CA cert, since it saves the
> effort required to install your own CA on all machines you need to
> use it on.
> 
> [1] http://www.cacert.org/
> [2] http://wiki.cacert.org/InclusionStatus
> 

Roman

Paying for certificates is not my objection. My objection is to the
model which says that "if I give money to a commercial entity in
exchange for a certificate, that means that the trust chain is valid."

I've actually bought certificates for websites I managed in the past
and I am deeply unimpressed with the process. And, as you say, the cert
could be backdoored. There are a huge number of CAs from all over the
place in the default set shipped in ca-certificates - who do I trust? 

I have looked at CA-Cert in the past. They have the problem of very
limited acceptability
(https://en.wikipedia.org/wiki/Comparison_of_SSL_certificates_for_web_servers) 

But as I said, in my particular case, my certs are there to protect my
credentials in transit. I don't have to care about whether others
trust me. So I don't need a CA. (Though if I did want others to trust
me, I'd probably use CAcert).

Best

Mick
  
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Proper bandwidth units [was: Exit nodes on Gandi]

2013-11-25 Thread mick
On Mon, 25 Nov 2013 15:46:02 -0500
grarpamp  allegedly wrote:
> 
> No. This kind of lazy acceptance is exactly why rockets crash,
> and rockets crashing are why one must use proper terms.
> 'gib, kib' are not cased correctly, thus people have no idea what
> you explicitly mean. They might presume your lazy casing means
> 'Gib, KiB' but then your rocket might crash. Reference and
> enforcement is the proper cure.
> 

This argument (Mbit/s versus GiB/month) reminds me of the old saw about
the most useless unit of velocity (furlongs/fortnight instead of m/sec).

Mick

 
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Torservers awarded $250,000 by Digital Defenders

2013-12-14 Thread mick
On Sat, 14 Dec 2013 13:28:52 +0100
Christian  allegedly wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hej!
> 
> Torservers.net has been awarded $250,000 over two years by the Digital
> Defenders Partnership to strengthen and improve the Tor network, the
> anonymity system crucial to journalists and human rights defenders
> using the Internet.
> 
> <https://blog.torservers.net/20131213/torservers-awarded-25-by-digital-defenders.html>
> 

That is good news. Congratulations to all involved in gaining this
support, and many thanks to the donors for their generosity.


-----

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] System Time

2014-01-18 Thread mick
On Thu, 16 Jan 2014 00:19:13 +1100
nano  allegedly wrote:

> On 15/01/2014 10:29 PM, Sebastian Urbach wrote:
> > Good Morning,
> >
> > I really tried very hard to stay calm but at least someone has to
> > say it. I think operating relays / bridges can be described as a
> > cutting edge job or experience.

[ deletia ]

> > I expect a bit of resistance and a bit of a shitstorm right now.
> > Please feel free to direct this straight to me and not to the list.
> > I also would like a discussion regarding the facts of the matter to
> > take place on this list very much.

No shitstorm yet.

nano says:

> Sebastian,
> 
> I respect your opinion and appreciate your frustration borne from the 
> inabilities of less skilled correspondents and their submissions. 

[ deletia ]

> In the interest of full disclosure, I
> consider myself one of these "new relay operators" [0] so my opinions
> are most likely affected by bias.

We have all been "noobs" at something at some time. Personally I have
benefited immensely over the course of my life from the knowledge
and experience of others who were generous enough to share with me. In
return, I like to think that others may be able to benefit from whatever
small ability I may have by sharing on /my/ experience.

I am a firm believer in the maxim that the only dumb question is the
one you didn't ask.

Best

Mick
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-





Re: [tor-relays] Trying Trusted Tor Traceroutes

2014-01-20 Thread mick
On Sun, 19 Jan 2014 20:57:07 -0600
Anupam Das  allegedly wrote:

> Dear Tor relay operators,
>  We have recently received a good
> rate of participation by relay operators to our measurement project.
> To give everyone an idea of the current participation rate we have
> hosted a live scoreboard of all our participants, available at
> http://128.174.241.211:443/relay_scoreboard
> 
> The live scoreboard highlights all the IPs from which we received
> traceroute results along with the current status of the script
> running in their machine. The live scoreboard also summarizes the
> participation by the top Tor Families and the top guard and exit
> relays.
> 
> We thank all the relay operators who have participated and hope more
> relay operators will participate soon.
> 

All

Before starting this (given the Hetzner experiences), I checked with my
VPS provider (DigitalOcean) that they were happy. They have said that
they see no problem, and even if they do later spot an issue they will
take no precipitate action because of my prior alert to them.

So. guard relay 0xbaddad now has the script running.

Mick  
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-



signature.asc
Description: PGP signature
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Scoreboard enhancements / Trying Trusted Tor Traceroutes

2014-01-26 Thread mick
On Sun, 26 Jan 2014 16:04:01 +0100
Sebastian Urbach  allegedly wrote:
> 
> My system, as an example, took about 2 days and 23 hours to complete
> the run. I use scamper with the default settings. You can also turn
> up the pps value and finish even faster.
> 
> How long will this take?:
> 
> http://web.engr.illinois.edu/~das17/tor-traceroute_v1.html#q-howlong
> 
> How much bandwidth, disk space, RAM, and CPU will this consume?:
> 
> http://web.engr.illinois.edu/~das17/tor-traceroute_v1.html#q-howmanyresources
> 

For info, my relay (512MB RAM, 1 core VPS) finished the scamper run
(with default settings) in just over 3.5 days. I've just kicked off a
second run.

Mick
-

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

-




