September 2015 - tor-relays - lists.torproject.org

IP and SWIP for a Tor exit node
by starlight.2015q3＠binnacle.cx 27 Sep '15

27 Sep '15

>I have bought some credit on Aruba. . . Looked at Aruba offerings, check this out https://serverdedicati.aruba.it/server-dedicati/basic-1-3.aspx For 15 euros/month you can have a dedicated dual-core 1.6GHz with 100MBPS unmetered traffic. This will make a rather nice exit node for the cost and will run better than a typical VPS where one has no control over system load. Even with the low clock-speed, network processing latency will be very good. Probably is an Atom or maybe a Celeron CPU and the it will probably run at close to 100%--not a problem. If one 'tor' instance does not use more than 30-40% of the 100MBPS due to limited CPU, fire up a second relay. Up to two relays can run on a single IP address. But if one 'tor' instance runs at 50-60% of bandwidth or better it would make sense to stick with just the one. Non-exit relays typically load at 25-35%; is the intentional design of the bandwidth allocation system. However due to the relative shortage of them, exits run more like 80% of useable bandwidth as determined by the BWauths.

2 1

IP and SWIP for a Tor exit node
by starlight.2015q3＠binnacle.cx 27 Sep '15

27 Sep '15

(1) In the guide it is advised to "Get a separate IP for the node. . . You have the right idea. Tor-exit node IPs end up on all sorts of black-lists and it's best to segregate exit traffic from all other traffic. Try pulling up a few exits using http://multirbl.valli.org and you will see this. In particular, Tor exits usually test positive on http://www.abuseat.org/ (aka the Spamhaus CBL) as all sorts of infectious malware bot(s). (2) SWIP/RWHOIS + ARIN/RIPE SWIP'ing is a bit exotic though some ISPs provide it. Be sure to use a PO box in the contact info rather than your real address if you obtain this. What happens is that the handful of IP addresses assigned to your server get their own WHOIS sub-record listed first before the ISP address-block record. Has the advantage many abuse complaints will go directly to you instead of first to the ISP. At one time some residential ISPs SWIP'ed their customers by default, but this produced all kinds of problems and complaints so the practice is gone. Not necessary if you can manage a constructive dialog with the abuse department of the ISP. Start with an email to the address that http://www.abusix.org/ lists for the IP and ask them what procedures they might have where you can have abuse reports forwarded directly to you and/or have the IP noted as a Tor Exit / VPN / Proxy in whatever system they have for handling abuse reports. Most abuse reports are automated spam from WordPress blogs complaining about brute-force password attacks and automatic malware-detecting honeypots. If you hear from a real person it will be extraordinary.

2 1

IP and SWIP for a Tor exit node
by starlight.2015q3＠binnacle.cx 27 Sep '15

27 Sep '15

>What are additional IPs good for? My ISP sells additional >(public) IPs for 3,60 euro/month, would it be worth it or >necessary purchasing such an additional service? For the size node presently indicated, additional IP address are of no particular value. Extra IPs can be use for 1) running additional 'tor' router instances on medium-to-large multi-core servers with high available bandwidth (high as in 100TB/month per core for non-AES-NI CPU cores, multiple 1G connections or a 10G network connection for AES-NI CPUs) 2) allowing exit traffic to travel out on different interfaces than the OR port--not sure if that provides extra value 3) perhaps running a bridge node instance along with the router instance--is best to have non-adjacent IPs 4) for bridge-only setups extra IPs allow one to start new bridge instances when old ones are blocked by censors and/or simply run multiple bridges; again non-contiguous addresses are best If you can obtain a "bare-metal," "root" or "dedicated" server (synonyms) for a good price, in general the router will be dramatically faster due to better latency afforded by the lack of a virtualization layer and lack of competition from other users. Similar for Linux container setups where virtualization is almost free, but servers can be heavily loaded with numerous customers.

1 0

Blutmagie is Good Looking and VERY SLOW -- this script is VERY FAST
by starlight.2015q3＠binnacle.cx 27 Sep '15

27 Sep '15

one more enhancement: added a -W option to have underscore characters used for inactive flag positions. Produces a single column for flags, thus enabling trivial command-line 'awk' and 'perl -n' scripting.

1 0

new exit node
by support＠ruggedinbox.com 26 Sep '15

26 Sep '15

Hi we are running from few hours a new Tor exit node: 87.120.37.163 aka tor-exit-node-01.cryptonoid.com aka cryptonoid.com We couldn't register the IP with ARIN but of course the data center knows what we are doing and is willing to take the risk, we hope to be able to handle the abuses notices and are here to learn :) The current configuration is: ORPort 9001 Address tor-exit-node-01.cryptonoid.com Nickname cryptonoid01 RelayBandwidthRate 768 KB RelayBandwidthBurst 1024 KB ContactInfo RuggedInbox team <support(a)ruggedinbox.com> DirPort 9030 DirPortFrontPage /etc/tor/tor-exit-notice.html ExitPolicy accept *:22 ExitPolicy accept *:80 ExitPolicy accept *:443 ExitPolicy accept *:465 ExitPolicy accept *:993 ExitPolicy accept *:995 ExitPolicy reject *:* Does it looks good to you ? Currently both https://torstatus.blutmagie.de and https://atlas.torproject.org/#search/87.120.37.163 show the server as 'relay', not as exit. Is that normal ? Thank you, RuggedInbox team

3 6

Flipping from guard and back again
by 29230912＠tutanota.com 24 Sep '15

24 Sep '15

https://atlas.torproject.org/#details/113FCC01A29B4600A8BAA1CB72E6AB1FD899A… Any pointers about why my relay is flipping between guard and not guard? Thank you

4 3

Legal status of operating Tor exit in UK?
by Jonathan Baker-Bates 24 Sep '15

24 Sep '15

I run an exit node with an ISP who initially indicated they would not have a problem with Tor as long as I was transparent about what I was doing, and ran a sufficiently reduced exit policy. They have now sent me evidence of malicious traffic coming from the exit. I don't think they've had any 3rd party complaints about this traffic, but they have expressed various misgivings about Tor in general. They now also want me to consider running Snort IDS on the outgoing traffic. I don't intend to monitor my traffic. But it occurs to me I don't know whether my ISP needs to be worried about it or not. The last one wasn't, so why them? I've asked the EFF about the legal situation in the UK, who passed me to the Open Rights Group. They've not replied to my enquiry as of three weeks ago. So does anyone know of any reliable source of information on running Tor exits in the UK? What would happen if my ISP pressed me to monitor my traffic, and I refused on legal grounds? I'm not suggesting I actually do that, or that there are even any legal grounds to refuse. In fact right now I'm resigned to closing down the node if my ISP turns up the heat. They probably have me by the balls. But I'm at least curious, and can't immediately find any information about things like public carrier status, or traffic monitoring conducted by people like me when it's done in the context of onion routing. Thanks in advance for any help.

9 10

Re: [tor-relays] Deciding where to put new Tor relays
by Virgil Griffith 22 Sep '15

22 Sep '15

After talking with APNIC/RIPE, it looks like that if we ask nicely we can get high-quality BGP-peering graphs for the entire Internet (not 100% complete, but it's the same data they use internally). Spend some time thinking about exactly what kinds of attacks we wish to harden against. Once we understand the attacks, I'll figure out the appropriate graph-theory for hardening against it. -V On Mon, Sep 21, 2015 at 6:48 PM Moritz Bartl <moritz(a)torservers.net> wrote: > Interesting, thanks for the update. Maybe we can find some time at the > dev meeting to chat. :) > > Moritz > > On 09/10/2015 07:12 AM, Virgil Griffith wrote: > > I'm at an APNIC conference in Jakarta, and they demoed a new tool which > > shows the interconnections (peering + transits) between AS numbers > > within a given country (will eventually work for regions). > > > > URL: http://labs.apnic.net/vizas/ > > Left-panel is IPv4 and right-panel is IPv6. > > > > Here is the fellow who built it: > > https://www.linkedin.com/pub/geoff-huston/42/828/891 > > > > > > For Tor, this tool helps us prioritize the ASs for new relays. To > > maximize censorship resistance, we would want relays on AS numbers in > > the middle (lots of interconnections) that do not currently have Tor > relays. > > > > We can imagine giving out Roster bonus points depending on the > > AS-number. The points would go something like: > > > > AS_i_bonus_points = ASweight(i) / #_Tor_relays_on_AS > > > > ASweight(i) = k * \sum_{j=1}^n num_ips_routed_by_edge_i_j > > where k is an arbitrary constant (k=1 is reasonable). > > > > This could be very useful for deciding where to put new relays. I'll > > see if I can access to the raw data that generates these graphs so we > > have more than just pretty pictures. > > > > Much love, > > -V > > -- > Moritz Bartl > https://www.torservers.net/ >

2 2

Tor is starting without the -f /etc/tor/torrc option
by Tor Stuff 22 Sep '15

22 Sep '15

I am running tor on a new Ubuntu 14.04.3 LTS system. I have restarted tor a couple of times with service tor restart I noticed when I start arm that it is telling me that The torrc differs from what tor's using. You can issue sighup to reload ... It seems that tor is running with default values and is not reading /etc/tor/torrc as there is no ... -f /etc/tor/torrc option being used by the running tor when it is displayed with 'ps'. The 'ps' output for the tor instance is /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --hush I had asumed that because I have set DirPort to 80 and ORPort to 443 in /etc/tor/torrc and can see in the tor log files that those two ports are reachable from outside, that the running tor was reading /etc/tot/torrc. Something is amiss with my tor configuration but I don't know what. Any hints as to where to look would be welcome while I try to RTFM again! Cheers Q

4 3

Non-standard Bridge
by Geoff Down 22 Sep '15

22 Sep '15

Hello all, I'm trying to set up a Bridge/Client Tor instance with the following torrc: ControlPort 9051 ExitPolicy reject *:* HashedControlPassword <pwd> Nickname <nickname> ORListenAddress 0.0.0.0:9001 ORPort 80 BridgeRelay 1 ContactInfo <contactinfo> Should this work as a bridge? Client functionality is fine (port 80 is forwarded to 9001) but there is no reachability test in the log. I have a "bridge's hashed identity key fingerprint" in there; where is it I can check online to be sure the BridgeDB has received it? I wanted to check it worked with fixed ports before I tried 'ORPort auto'. GD -- http://www.fastmail.com - Faster than the air-speed velocity of an unladen european swallow

3 5