June 2024 - tor-relays - lists.torproject.org

Question on bridge hibernation
by Keifer Bly 18 Aug '24

18 Aug '24

Hi, So for my bridge at https://metrics.torproject.org/rs.html#details/4D6E3CA2110FC36D3106C86940A1… Is set to hibernate once it reaches a certain traffic level (this is to prevent massive charges to my VPS). Now that is in hibernation, when will it start again, and how would this effect how it's distributed? Are bridges that are hibernating removed from relay search? Mew to hibernation, thanks. May 14 18:49:39.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now. May 14 18:49:39.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't. May 14 18:49:39.000 [notice] Bootstrapped 0% (starting): Starting May 14 18:49:47.000 [notice] Starting with guard context "default" May 14 18:49:47.000 [notice] Registered server transport 'obfs4' at '[::]:8081' May 14 18:49:48.000 [notice] Bandwidth soft limit reached; commencing hibernation. No new connections will be accepted May 14 18:49:48.000 [notice] Going dormant. Blowing away remaining connections. May 14 18:49:48.000 [notice] Delaying directory fetches: We are hibernating or shutting down. --Keifer

3 2

Recent Tor versions not reloading config on / ignoring HUP kill signal.
by George Hartley 10 Aug '24

10 Aug '24

Hi, I think this started with release 0.4.8.10, but both of my Tor relays no longer reload their config when doing for example: - systemctl reload tor@exit Here is the relevant part of the unit file: > [Unit]Description=Anonymizing overlay network for TCP > After=syslog.target network.target nss-lookup.target > > [Service] > Type=notify > NotifyAccess=all > ExecStartPre=/usr/bin/tor -f /etc/tor/torrc_%i --verify-config > ExecStart=/usr/bin/tor -f /etc/tor/torrc_%i > ExecReload=/bin/kill -HUP ${MAINPID} > KillSignal=SIGINT > TimeoutSec=75 > Restart=on-failure > WatchdogSec=1m > LimitNOFILE=32768 Checking with: - journalctl -u tor@exit Just tells me that systemd attempted and successfully executed the specified reload command, but the actual line from the Tor instance stating that the config has been reloaded is missing. Is anyone else experiencing this? Regards, George

2 2

Tor Metrics 'Running' flag is back for bridges who don't publish the OrPort
by lists＠for-privacy.net 30 Jul '24

30 Jul '24

I don't know if this was mentioned at the Tor Relay Meeting yesterday, if so, I missed it. ;-) A few months ago there was a recommendation to not exposing OrPort for bridges. This had the unpleasant effect that all bridges were 'red' on Tor Metrics, even though they were running perfectly fine. I noticed yesterday after the meeting that everything is 'green' again. https://metrics.torproject.org/rs.html#search/ForPrivacyNET Thank you, I believe these 6 people did that: https://gitlab.torproject.org/tpo/network-health/team/-/issues/318 -- ╰_╯ Ciao Marco! Debian GNU/Linux It's free software and it gives you freedom!

5 7

Quick Assist Technology and Tor?
by mail＠nothingtohide.nl 25 Jun '24

25 Jun '24

Hi o/, During the Tor Operator Meetup I asked about Quick Assist Technology (QAT) support and was asked to bring it to the tor-relays mailing list so the network team can take a look at the question. In 2025 we're going to build one or more new servers and we're looking in to optimizing the performance per watt ratio since some of our current servers are rather power hungry ;-). I'm wondering whether QAT works for Tor to offload compression, hashing and encryption. In theory, looking at the nature of Tor (a lot encryption), this could result in a huge performance boost of 100-300% (based on other hashing, cryptographic and compression offload benchmarks). Support for QAT also has improved considerably over the years so many programs/workloads already work nicely with it, but I'm not sure about Tor. It looks like Tor uses [1] RSA-1024, AES-CBC, AES-CTR, Curve25519, Ed25519, SHA1, AES256, AES3-256. Most (no Curve- and Ed25519) should in theory also work with QAT [2] (although I guess only a few would impact performance significantly when offloaded). But the question is: does it really work? If not, what would be needed to make it work? Are there Tor operators who already utilize QAT? Does the Network Team have some insight in to this? :) Some of the potential advantages when comparing a similar amount of traffic: - Lower power consumption (much cheaper to run in expensive European countries). - Less CPU cycles required (= cheaper CPUs). - Less heat/cooling required (easier to put in distribution boxes and other small places). - Smaller physical footprint (easier to put in distribution boxes and other small places). - Alleviates some of the issues and challenges caused by Tor's single threaded architecture by effectively increasing bandwidth per CPU core considerably. With regards, tornth [1] https://spec.torproject.org/tor-spec/preliminaries.html?highlight=cipher#ci… [2] https://www.intel.com/content/www/us/en/support/articles/000093843/technolo…

4 4

Why should we avoid adding bridges fingerprints in MyFamily?
by Edward Cage 23 Jun '24

23 Jun '24

Hi all, Quick question about the fingerprints of our bridges. It's clearly written in torrc that we should not include them in MyFamily. I don't well understand why, especially because: - Every bridge, and their fingerprints, are publicly listed on Tor Metrics; - The contact email is disclosed for each of them, and it allows our bridges and relays to be easily linked to a same operator. (or should we use a different email address for each bridge?) Best regards

2 1

Next Tor Relay Operator Meetup - June 22, 2024 at 19 UTC
by gus 22 Jun '24

22 Jun '24

Hello, Please save the date: the next Tor Relay Operator will happen Saturday, June 22 at 19 UTC! We're still working on the agenda for this meetup, however feel free to add your topics directly to this pad or just reply to the mailing list: https://pad.riseup.net/p/tor-relayop-june22-meetup-keep ## Agenda 1. Announcements - EOL work: bridges running 0.4.7.x were rejected from the network: https://lists.torproject.org/pipermail/tor-relays/2024-June/021678.html - Snowflake extension issue: https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/142 - Farahavar directory authority is back! https://gitlab.torproject.org/tpo/core/tor/-/commit/39ba9ce0d7913ceb53fc1f1… 2. Network Health - Reports of relays ddos & ongoing onion services overload 3. Policy and proposals discussion: - https://gitlab.torproject.org/tpo/community/policies/-/issues/22 4. Next events - Tor presence at DEFCON, Las Vegas - Summer break & next Tor Relay Operator online meetup 5. Questions & Answers <add your questions here> ## How to join us Meetup details - Room link: https://tor.meet.coop/gus-og0-x74-dzn - When: June 22, 19.00 UTC - Duration: 60 to 90 minutes - Tor Code of Conduct: https://community.torproject.org/policies/code_of_conduct/ - Registration: No need for a registration or anything else, just use the room-linkabove. We will open the room 10 minutes before. cheers, Gus -- The Tor Project Community Team Lead

2 2

Tor non-exit list
by Carsten Otto 22 Jun '24

22 Jun '24

Hi Dan, For reference: https://www.dan.me.uk/dnsbl https://www.dan.me.uk/tornodes https://www.dan.me.uk/torlist/?full First of all, thank you for your tools and other contributions. The mere fact that your DNS blocklists are used by countless vendors should be a compliment in itself, and I'd be happy to have that much impact with my own projects. As you already state on your own site ("Please think carefully before choosing to use this list for blocking purposes"), your non-exit Tor relay list is a bit unusual. I'm running ftp.halifax.rwth-aachen.de, a major file mirror serving around 30 TByte of data at around 4 GBit/sec (on average). Recently, we added Tor relays on the same IP address, and your list correctly picked this up (137.226.34.46). Now, I'm writing as this caused quite a lot of mayhem. Several "security" appliance vendors didn't "think carefully" before adding your non-exit list to their devices. Among those are Arbor Prevail, Check Point, Ubiquiti (UniFi) - feel free to search for "ET TOR Known Tor Relay/Router (Not Exit) Node" to see the effect of this. In addition to private users making use of such devices, several banks/corporations/institutions started blocking our IP address, causing some frustration with us and their admins, as their Linux/Jenkins/... updates suddenly stopped working. As you might have guessed, changing "security" configurations (even if they may be wrong or questionable) is quite a challenge, and in some cases the (motivated) admins weren't unable to fix this issue on their end. As you seem to be well aware of what Tor is, what an exit relay does and what a non-exit relay does, would you be willing to retire the non-exit blocklist (at least the part that can be used for automated blocks)? I'd argue that the current setup does more harm than good (assuming you agree that Tor is a good thing in general). I'd be happy to discuss pros and cons, but ultimately that's your decision to make. Thanks Carsten -- Dr. Carsten Otto http://verify.rwth-aachen.de/otto/

5 6

Relay usage dropped 9x when enabling UFW. What UFW rules do other relay operators enact?
by admin＠likogan.dev 19 Jun '24

19 Jun '24

Hello all, I'm running relay 292FCACE773DC259B799914A23BE65A6A6178E8F and have noticed traffic drops when enabling UFW. Around 2024-01-15, I enabled UFW on this server. I noticed a 9x drop in traffic (10.88M -> 1.708M), and coughed it up to relay weirdness. This is about when my relays Guard status would randomly drop every few weeks. I finally got fed up with this huge drop in traffic on 2024-06-11 and was about to reinstall my server OS. This is when I decided to disable UFW and found that my traffic went back over a few days (2.215M -> 8.948M). Here are my tor-related UFW rules; To Action From -- ------ ---- [ 3] 9001 ALLOW IN Anywhere [11] 9001 (v6) ALLOW IN Anywhere (v6) I'm really confused how UFW firewalled most, but not all, of my relays traffic. What UFW rules do other relay operators enact? Thanks, Likogan

3 2

Re: [tor-relays] Relay usage dropped 9x when enabling UFW. What UFW rules > do other relay operators enact?
by zorc 19 Jun '24

19 Jun '24

Hi Likogan, > What UFW rules do other relay operators enact? I'm running 4CEAFCE5841C0DAE30164B4F59452F7F4D818A67 on Linux Mint 21.3 (should be close to Ubuntu Jammy) with UFW enabled, and don't have any issues. I have the same two rules for Tor as you do. I can imagine three things: 1. To me it looks like you have other rules before your Tor rules. Are any of them rate limiting? 2. I don't run an exit node, so I don't know how UFW would behave in that case. 3. Do you have logging rules? I once had issues with my router running out of CPU due to some logging rules being triggered by Tor-related traffic (potentially malicious). Maybe UFW could achieve something similar? Hope that helps. Cheers, zorc

1 0

Which choice is better
by theyarewatching 18 Jun '24

18 Jun '24

Hello all, I have been operating 8 middle relays for several months and due to my internet service limitations I have to make some changes. I have cox panorama service in the USA and for the most part it works well. My dilemma is with all of my VMs running and relays etc it tends to overload my connection. This causes my household streaming to drop off and my fam is not happy with me. The question I have for you is the following. Which is preferable; four middle relays running with no limits or eight middle relays with speed limits? I am asking which would be better for the network? I'll await your answers Thanks for the input SDS

2 1