[tor-relays] Comcast blocks ALL traffic with tor relays

xmrk2 xmrk2 at protonmail.com
Sun Jun 18 11:15:41 UTC 2023


Yes, I agree 100% with Danny's summary here, so I have to concede: I did not find enough evidence that Comcast blocks connections *to* tor relays. I apologize. Specifically, I did some tests with ronqtorrelays at risley.net, who is a Comcast Business customer, and he had no problem initiating a TCP connection to my relay, even to a tor-unrelated port.

About the other direction - from tor relays or exits to Comcast:

> https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security mentions "Blocks remote access to smart devices from known dangerous sources." What do you mean by dangerous sources, and does it include tor relays or exits?
>
> It may be down to the fact that “unknown” users connect to the relay/exit and that the average consumer user of the Advanced Security service does not want that. I suspect if someone wants this, it’s best to toggle Advanced Security off.

Seems you do not understand the difference between an exit relay and a non-exit relay. (Nor do the persons who implemented this blocking of traffic from tor relays; this would explain a lot.)

I would first reformulate: unknown and anonymous users may route their traffic through tor, including some attacks (DDoS or worse), and this traffic will look like it originates from a tor *exit* relay. But this is only true of *exit* relays (and then only for some ports, but let's keep it simple). Non-exit relays only send tor-related traffic to other tor relays, never to other destinations. So when a non-exit relay R connects to a computer X, which does not run anything tor-related, you can be sure this connection is not tor-related and is really initiated by R. If we had a tor exit relay E, then the connection E->X could be initiated by E or by a bad guy B who is abusing tor's anonymity. And X cannot tell the difference, so it is reasonable to assume the worst and block this. The traffic from B would really follow the path B->R1->R2->E->X, where R1 and R2 are non-exit relays. You may argue that this bad traffic goes through R1 and R2, but so what? Blocking E->X is sufficient, but you are also blocking R1->X and R2->X.

Here is a basic explanation of relay types by the Tor project itself: https://community.torproject.org/relay/types-of-relays/ .

Q to community: Is there some better official document explaining the difference between exit and non-exit relays? It could be more trustworthy than my explanation (and better written). Most of what I found is about tor exits, like https://community.torproject.org/relay/community-resources/tor-abuse-templates/ .

I can see how a random website does not bother to understand this - see reports in this thread about a bank blocking tor relays. But ISP's core competency should be networks, so I would expect an ISP to understand the real dangers and apply more nuance than "let's block everything tor-related".
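The distinction the post draws (block E->X, but R1->X and R2->X are the relay hosts themselves talking to you) can be made mechanically from the data Tor already publishes. The following is an added example for this thread, not code from the Tor project or from the poster. It assumes relay data in the shape of the 'r', 's' and 'p' lines of a Tor network-status consensus (address and ports, flags, exit-policy summary); the consensus excerpt, the relay names and the connection records are constructed for illustration, and the function names are this example's own.

```python
"""Exit vs non-exit classification of inbound connections from Tor relay IPs.

Added example for this thread; it is not code from the Tor project or from
the poster. It assumes relay data in the shape of the 'r', 's' and 'p' lines
of a Tor network-status consensus (the lines that carry a relay's address,
its flags and its exit-policy summary). The consensus excerpt and the
connection records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed consensus excerpt: two non-exit relays (R1, R2) and one exit (E).
# A non-exit relay carries "p reject 1-65535"; an exit lists accepted ports.
CONSENSUS_SAMPLE = """\
r relayR1 AAAAAAAAAAAAAAAAAAAAAAAAAAA 2023-06-18 10:00:00 198.51.100.10 9001 0
s Fast Guard Running Stable Valid
p reject 1-65535
r relayR2 BBBBBBBBBBBBBBBBBBBBBBBBBBB 2023-06-18 10:00:00 198.51.100.20 9001 0
s Fast Running Stable Valid
p reject 1-65535
r exitE CCCCCCCCCCCCCCCCCCCCCCCCCCC 2023-06-18 10:00:00 198.51.100.30 443 0
s Exit Fast Running Stable Valid
p accept 80,443,993-995
"""


@dataclass
class Relay:
    nickname: str
    ip: str
    or_port: int
    flags: set[str] = field(default_factory=set)
    policy_kind: str = "reject"          # "accept" or "reject" from the 'p' line
    policy_ports: set[int] = field(default_factory=set)


def parse_port_spec(spec: str) -> set[int]:
    """Expand a 'p'-line port list such as '80,443,993-995' into a set."""
    ports: set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_consensus(text: str) -> dict[str, Relay]:
    """Index relays by IP. The 'r' line ends with 'IP ORPort DirPort' in both
    the full and the microdescriptor consensus, so the address is parts[-3]."""
    relays: dict[str, Relay] = {}
    current: Relay | None = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            current = Relay(nickname=parts[1], ip=parts[-3], or_port=int(parts[-2]))
            relays[current.ip] = current
        elif parts[0] == "s" and current is not None:
            current.flags = set(parts[1:])
        elif parts[0] == "p" and current is not None:
            current.policy_kind = parts[1]
            current.policy_ports = parse_port_spec(parts[2])
    return relays


def relay_exits_to(relay: Relay, port: int) -> bool:
    """True if the relay's exit policy lets Tor clients leave through it to `port`."""
    listed = port in relay.policy_ports
    return listed if relay.policy_kind == "accept" else not listed


def classify(relays: dict[str, Relay], src_ip: str, dst_port: int) -> str:
    """Decide what an inbound connection from `src_ip` to `dst_port` can be.

    'exit-traffic':      the source is an exit whose policy covers this port, so
                         the real originator may be an anonymous Tor client (B).
    'relay-originated':  the source is a relay that cannot exit to this port
                         (a non-exit, or an exit rejecting it), so the relay
                         host itself made the connection. Caveat: a consensus
                         is a snapshot; exit policies can change between fetches.
    'not-a-relay':       the source is not in the consensus at all.
    """
    relay = relays.get(src_ip)
    if relay is None:
        return "not-a-relay"
    if relay_exits_to(relay, dst_port):
        return "exit-traffic"
    return "relay-originated"


def exit_blocklist(relays: dict[str, Relay], port: int) -> set[str]:
    """IPs worth blocking for `port`: exits only, never R1/R2-style relays."""
    return {ip for ip, r in relays.items() if relay_exits_to(r, port)}


if __name__ == "__main__":
    relays = parse_consensus(CONSENSUS_SAMPLE)
    # Constructed connection records (src_ip, dst_port) as a host "X" would see them.
    for src, port in [("198.51.100.10", 22), ("198.51.100.30", 443),
                      ("198.51.100.30", 22), ("203.0.113.5", 80)]:
        print(f"{src}:{port} -> {classify(relays, src, port)}")
    print("block for port 443:", sorted(exit_blocklist(relays, 443)))
```

Run against the constructed excerpt, R1's connection to port 22 and E's connection to port 22 (a port E rejects) come out as relay-originated, E's connection to 443 is the only one that could carry an anonymous client's traffic, and the blocklist for port 443 contains just E's address. Feeding it a real consensus instead of the excerpt gives the per-port exit list a "block tor, not relays" policy actually needs; the consensus-is-a-snapshot caveat in the docstring applies to any such list.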