[tor-relays] What causes circuits to collapse?

2017-08-14 Thread Igor Mitrofanov
Hi, I have configured a Tor bridge to go through a particular Tor guard relay (that I also own), as an experiment. Upon initialization I am getting this warning: "Your guard [fingerprint] is failing an extremely large amount of circuits. This could indicate a route manipulation attack, extreme

Re: [tor-relays] Exit flag and port 6667 vs 6697

2017-07-04 Thread Igor Mitrofanov
> Port numbers and TLS are orthogonal: port 443 can be used for cleartext,
> and port 80 for encrypted traffic. In the case of IRC, it's quite common
> for 6667 to be used with TLS.

When a relay operator uses exit policies, I believe they express an intent to block certain types of applications,

Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

2017-08-07 Thread Igor Mitrofanov
The DNS issue is in the "long tail" - rare/unique websites are unlikely to be cached, yet they likely represent the most interesting targets. I do agree that running dnsmasq (or a similar caching resolver) is probably sufficient to make DNS attacks too unreliable to invest in. I am not sure why

Re: [tor-relays] ORSN DNS servers vs OpenNic

2017-08-04 Thread Igor Mitrofanov
Check this list and choose the ones with the lowest ping from your node: https://www.lifewire.com/free-and-public-dns-servers-2626062 Make sure to avoid DNS servers marketed as "secure" (for example, do NOT use "Comodo Secure DNS") since they perform arbitrary censorship/redirection. Also, do not

Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)

2017-10-07 Thread Igor Mitrofanov
i.debian.org/HowTo/dnsmasq#Local_Caching ). 3) Make sure that the file /etc/dnsmasq.conf contains the line "listen-address=127.0.0.1" (to restrict dnsmasq to the local system). 4) Set the cache size to 1 by adding or editing this line "cache-size=1" in the

Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)

2017-10-08 Thread Igor Mitrofanov
My hosting provider runs no DNS servers and recommends using 8.8.x.x, so I have to pick something.

On Sun, Oct 8, 2017 at 10:22 AM, Ralph Seichter <m16+...@monksofcool.net> wrote:
> On 08.10.17 18:34, Igor Mitrofanov wrote:
>
>> Unless configured otherwise, Dnsmasq chooses a se

Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)

2017-10-08 Thread Igor Mitrofanov
ol.net> wrote:
> On 08.10.17 19:48, Igor Mitrofanov wrote:
>
>> My hosting provider runs no DNS servers and recommends using 8.8.x.x,
>> so I have to pick something.
>
> You don't have to pick, and this is not meant to be patronising. Install
> Unbound with the few lines of conf

Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)

2017-10-08 Thread Igor Mitrofanov
Unless configured otherwise, Dnsmasq chooses a server from the list randomly, so the more servers the operator specifies in dnsmasq.conf, the less traffic each server gets. This increases the diversity of DNS requests, complicating traffic analysis for any adversary that controls some, but not

Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)

2017-10-08 Thread Igor Mitrofanov
Toralf, thanks for the data. Has that 10% stabilized, or is it still growing for your node?

On Sun, Oct 8, 2017 at 9:54 AM, Toralf Förster <toralf.foers...@gmx.de> wrote:
> On 10/08/2017 06:34 PM, Igor Mitrofanov wrote:
>

Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)

2017-10-08 Thread Igor Mitrofanov
>> # Only listen on loopback
>>
>> interface=lo
>> bind-interfaces
>
> What is your opinion about the config line "listen-address=127.0.0.1" advised
> in https://wiki.debian.org/HowTo/dnsmasq#Local_Caching ?

It should have a similar effect, except that 127.0.0.1 is IPv4 only, while "interface=lo"

Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)

2017-10-08 Thread Igor Mitrofanov
relays sending DNS requests to a large and diverse number of destinations can make practical DNS-assisted traffic correlation prohibitively expensive.

On Sun, Oct 8, 2017 at 12:03 PM, Ralph Seichter <m16+...@monksofcool.net> wrote:
> On 08.10.17 20:48, Igor Mitrofanov wrote:
>
>>

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Igor Mitrofanov
I have set up a (private, key-based) Tor hidden service for SSH administration. It works well and leaves no extra open ports to attack. If you also take advantage of package updates over Tor (via the local SOCKS5 proxy that any Tor instance provides) the only non-OR incoming traffic you need to

Re: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

2017-10-04 Thread Igor Mitrofanov
: [tor-relays] SSH brute force attempts to connect to my Middle Relay IP address

> On 4 Oct 2017, at 02:26, Igor Mitrofanov <igor.n.mitrofa...@gmail.com> wrote:
>
> I have set up a (private, key-based) Tor hidden service for SSH administration. It works well and leaves no extra open

Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

2017-09-12 Thread Igor Mitrofanov
If it's important enough to do on a single relay, it's important enough to do it across the entire network. I bet there are, and will always be, plenty of exit node operators not reading this email list, or not planning to do anything, or not configuring everything properly, etc. On Tue, Sep 12,

Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

2017-09-12 Thread Igor Mitrofanov
I wonder if these are all half-measures, and Tor needs a first-class solution to the DNS weakness. Every Tor relay can have a simple resolver built-in, and/or perhaps all Tor relays could be running a DHT-style global DNS cache. In case of a cache miss, the exit relay could build a circuit to

Re: [tor-relays] Detecting Network Attack [re: exit synflooded]

2017-11-25 Thread Igor Mitrofanov
After reading every paper and post on sysctl.conf and iptables tuning I could find, and reading some kernel code, I have come to a conclusion that, while there are a few settings to tune (can share mine, but your mileage *will* vary), most of the defaults are actually not broken in the latest

Re: [tor-relays] Issues with faravahar?

2017-12-12 Thread Igor Mitrofanov
On Tue, Dec 12, 2017 at 1:17 PM, tor wrote:
>> I am getting this too, I saw this in the logs a few months ago and didn't think
>> anything of it.
>
> I wouldn't worry about it. Faravahar has a long history of misbehavior:
>

Re: [tor-relays] Atlas is now Relay Search!

2017-11-14 Thread Igor Mitrofanov
Atlas definitely looked lighter, more airy. The new UI looks dense and dated, with that Microsoft Office style table from the 90s. Oh well, I'll get used to it - at least it is not yet another "Web 2.0" Bootstrap. The idea of merging Atlas into Metrics is definitely a good one. On Tue, Nov 14,

[tor-relays] "Fast" flag definition

2017-10-29 Thread Igor Mitrofanov
Hi, It looks like 94.7% of all Running relays have the "Fast" flag now. If that percentage becomes 100%, the flag will become meaningless. What were the reasons behind the current definition of "Fast", and are those still valid? If not, should "Fast" become self-adjusting ("faster than 2 Mbps or

Re: [tor-relays] Combined relay and hidden service, good idea or not?

2018-01-04 Thread Igor Mitrofanov
It is safe to assume that both relays and select hidden services are being scanned 24/7. When your host reboots (say, as a result of an automatic OS update), both your relay and your hidden service become unavailable at the same time, instantly revealing the IP of the hidden service. On Thu, Jan

Re: [tor-relays] Setting myfamily

2018-01-04 Thread Igor Mitrofanov
Is there a way to inherit a portion of torrc (to avoid copying the same MyFamily line into every torrc)?

On Thu, Jan 4, 2018 at 11:12 AM, John Ricketts wrote:
> Agreed. All of my 50 relays list all relays including itself.

Re: [tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread Igor Mitrofanov
to set MaxMemInQueues without making it too conservative.

On Fri, Dec 22, 2017 at 11:46 AM, r1610091651 <r1610091...@telenet.be> wrote:
> I would expect it to be per instance. Instances are independent of each
> other. Further one can only run 2 instances max / ip.
>
> On Fri, 22 Dec 2017

[tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread Igor Mitrofanov
Hi, Is the MaxMemInQueues parameter per-host (global) or per-instance? Say, there are 10 relays on the same 24 GB host. Should I set MaxMemInQueues to 20 GB, or 2 GB in each torrc? Thanks, Igor

tor-relays mailing list
tor-relays@lists.torproject.org

[tor-relays] hidden service performance

2018-01-21 Thread Igor Mitrofanov
I'd like to call out the apparent hidden service performance slowdown: https://metrics.torproject.org/torperf.html?start=2017-04-23=2018-01-21=all=onion=50kb I hope the dev team is looking into it. Thanks, Igor

[tor-relays] tor-instance-create vs. /etc/tor/torrc

2018-03-20 Thread Igor Mitrofanov
Hi, I use tor-instance-create to spawn a number of relay instances. However, there seems to be one extra instance running - the default one that reads /etc/tor/torrc (and not /etc/tor/instances/INSTANCE/torrc). How do I disable that default tor relay? It opens port 9050 and does who else knows

Re: [tor-relays] Tor website overhaul -- who deserves punishment?

2019-03-27 Thread Igor Mitrofanov
Alison, can you please share a link to the results of 'user testing as well as research on usability, accessibility, and localization'? I most definitely welcome the idea of making Tor look modern (and would like to help if I can) but it would be good to see what standards the development team is

Re: [tor-relays] Relay Consensus Low

2019-05-27 Thread Igor Mitrofanov
Matt, if you only have 1 host, it may be more beneficial to create 2 relays on it (or more than 2 - if you have more than 1 IPv4 address available) using tor-instance-create. You could be hitting the limits of what a single CPU core can do. On Sun, May 26, 2019 at 4:07 PM Keifer Bly wrote: > >

Re: [tor-relays] Blog: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

2020-08-14 Thread Igor Mitrofanov
Is there anything Tor can do inside the Tor browser itself? I would understand and support something as drastic as disabling non-HTTPS, non-Onion connections altogether. When the user types a URL with no protocol prefix, the browser will assume HTTPS. This may break some websites, so a transition

Re: [tor-relays] Tor project helping to attempt to cancel Richard Stallman

2021-03-25 Thread Igor Mitrofanov
I denounce the Tor Project's political activism under the new administration and this attempt to fuel the cancel culture. I am signing the supporting letter for Richard Stallman and pausing my relays. I realize that this is largely symbolic, but so is running Tor relays in the first place. I am