[tor-relays] Comcast blocks ALL traffic with tor relays

xmrk2 xmrk2 at protonmail.com
Mon Jun 12 19:00:59 UTC 2023


Okay, you planted some doubt. This is a quote of what my peer wrote me about the issue; I hope it is ok to quote, it contains no personal or sensitive info, emphasis added:

> Comcast/Xfinity! has a bumpy past with tor. They periodically block it, get yelled at by their subscribers and the media, then unblock it. At this moment, outgoing tor is working. That is I am able to put the Brave browser in tor mode. But, because of the intermittent interruptions, I've given up on using tor when running behind my ISP.

Outgoing tor is working - so he has to be able to connect to some relay, not necessarily all of them. Or he configured a tor bridge because of past problems and forgot about it?

> Are you sure that port forwarding to your relay is reliably working and that some "security feature" in your Comcast modem/router isn't causing the problem? I haven't researched any reports of Comcast blocking so I can't speak to any other anecdotal reports of said blocking. I sure hope it isn't the case. If it is, I'll certainly drop them in a flash too.

Well, I am not in the US, no Comcast here :), and running OpenWrt on my router. My peer is a Comcast customer. I was connected to > 100 lightning nodes while not able to connect to my Comcast peer. I did not check specifically, my lightning node should be reachable by IPv4, IPv6 and tor/onion, so in theory there could have been no inbound IPv4 connection while having > 100 connections. But not likely. I think I either checked my fail2ban-client banned, or turned off fail2ban.

Still, there could be some DDoS protection on my Comcast peer's end. To corroborate: lightning nodes need to be connected, they try to reconnect frequently to all their "neighbours". I myself see that when I take my lightning daemon offline for just 10 minutes, many IP addresses end up in my fail2ban list. So my Comcast peer could have just taken his node offline, his router would see too many connection attempts from me and consider it DoS and ban me. Still, I would have expected to be unbanned after some time, and this does not seem to happen, so this would be an argument against DDoS protection.

For reference, this is my fail2ban's jail.local, perhaps too aggressive:

# fail2ban's jail option for the banned ports is "port" (the posted "ports" is not a jail option)
[lnd]
enabled = true
port = 9735:9736
filter = lnd
logpath = ...
maxretry = 4

# second jail on the same filter with a longer window and a longer ban
[lnd-repeat]
enabled = true
port = 9735:9736
filter = lnd
logpath = ...
maxretry = 12
findtime = 1h
bantime = 1h

I'll test again by starting tor middle relay, and check inbound IPv4 connections, should bring some results in a few hours.
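Added example (not from this mail, and not fail2ban's own code): a simplified model of a fail2ban jail's sliding findtime window and bantime, run over constructed reconnect attempts from a peer that retries every minute, the way a lightning node does when its neighbour goes offline. It shows when the two jails posted above would ban such a peer, and that a peer retrying every 5 minutes never trips the [lnd] jail. The log line layout, the IPs (TEST-NET addresses) and the 10-minute findtime/bantime defaults assumed for the [lnd] jail are all assumptions made for the example.

```python
"""Simplified model of a fail2ban jail (sliding findtime window, bantime ban),
run over constructed peer reconnect attempts. Added example, not fail2ban's code."""
import re
from datetime import datetime, timedelta

# Constructed log lines; the "from IP:port" layout is an assumption, not lnd's real format.
SAMPLE_LOG = """\
2023-06-12 18:00:00 [INF] SRVR: inbound connection refused from 203.0.113.5:51000
2023-06-12 18:01:00 [INF] SRVR: inbound connection refused from 203.0.113.5:51002
2023-06-12 18:01:30 [INF] SRVR: inbound connection refused from 198.51.100.7:40001
"""

# IPv4 only, to keep the constructed format simple.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)


def parse_log(text):
    """Return (timestamp, ip) pairs for lines matching LINE_RE, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]))
    return events


def reconnect_attempts(ip, start, every, count):
    """Constructed failure events: one attempt every `every` starting at `start`."""
    return [(start + i * every, ip) for i in range(count)]


def simulate_jail(events, maxretry, findtime, bantime):
    """Return the list of (ban_time, ip) a jail with these thresholds would produce.

    Model: a failure counts if it lies within `findtime` of the newest one; reaching
    `maxretry` bans the IP for `bantime` and clears its counter; while banned, the
    firewall drops the peer's attempts, so they never reach the log.
    """
    bans = []
    history = {}       # ip -> recent failure timestamps
    banned_until = {}  # ip -> time the current ban expires
    for ts, ip in sorted(events):
        if ts < banned_until.get(ip, ts):
            continue  # dropped by the firewall rule while banned
        recent = [t for t in history.get(ip, []) if ts - t <= findtime] + [ts]
        if len(recent) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + bantime
            history[ip] = []
        else:
            history[ip] = recent
    return bans


T0 = datetime(2023, 6, 12, 18, 0, 0)
MIN = timedelta(minutes=1)


def lnd_jail(events):
    # [lnd] as posted sets only maxretry = 4; the 10 min findtime/bantime are
    # fail2ban's defaults and an assumption here.
    return simulate_jail(events, 4, 10 * MIN, 10 * MIN)


def lnd_repeat_jail(events):
    # [lnd-repeat] as posted: maxretry = 12, findtime = 1h, bantime = 1h
    return simulate_jail(events, 12, 60 * MIN, 60 * MIN)


if __name__ == "__main__":
    print(parse_log(SAMPLE_LOG))
    noisy = reconnect_attempts("203.0.113.5", T0, MIN, 30)        # every minute, 30 min
    polite = reconnect_attempts("198.51.100.7", T0, 5 * MIN, 6)   # every 5 min
    print("lnd bans:", [t.strftime("%H:%M") for t, _ in lnd_jail(noisy)])
    print("lnd-repeat bans:", [t.strftime("%H:%M") for t, _ in lnd_repeat_jail(noisy)])
    print("polite peer bans:", lnd_jail(polite))
```

Each jail is simulated on its own; in a real fail2ban install both jails read the same log and the first ban stops the log entries, so the combined behaviour is the earlier of the two. The model also shows why a ban does lift by itself: once `bantime` passes the counter starts from zero, so a peer that is still retrying every minute is re-banned a few minutes later, which looks like a permanent block from the outside.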