- tor-relays - lists.torproject.org

Re: [tor-relays] Advantage in more exits in the same /8?
by Jesse Victors 27 Aug '14

27 Aug '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384 On 08/27/2014 04:03 PM, tor-relays-request(a)lists.torproject.org wrote: > Not to drift too far off course, but I think you have your masking > back wards or confused at least. > > a /8 is 16M addresses 18.0.0.0/8 for example, so not a small block, > and a /16 has 64K. > > two consecutive /16's say 128.30.0.0/16 and 128.31.0.0/16 make a /15 > (120.30.0.0/15) > > the real concern is administrative control not addressing. for exmaple > both the /8 and /15 mentioned above and some other smaller patches of > addressing are all on MIT campus and part of the same administrative > domain in the sense that all traffic passes through a small set of > routers at some point. Being a university it doesn't imediately imply > root access to all servers. this isn't true of all (or even most) > /8's, nor does even a /24 with 256 addresses need to be in a single > geographic or andministrative zone. > > -Jon Thanks Jon, You're right, I had my ranges weird, even in my title, thanks for the correction. To clarify, because the nodes are physically close to one another, they are in the same /24, namely x.x.x.x - x.x.x.y. Yes, the real issues is the traffic concentration to a specific set of routers, which is why I'm asking. I'm trying to get a sense of where to draw the line, but from the responses so far it looks like I've got room to spare. - -- Jesse V. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQF8BAEBCQBmBQJT/lfPXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxMjgyMjhENjEyODQ1OTU1NzBCMjgwRkFB RDk3MzY0RkMyMEJFQzgwAAoJEK2XNk/CC+yAYCwH/i6Ci/SS6dpXr703mlajr31C fXX2WOKVWoGGTkPDXkQJM18+uI0DGRaieahmQ99VAGwA8+PAFhq9QsISLZ/Bby9g rZCOkY9E9xel2uu80hiMlP99h4WkjJtbgeX1cGXXOoJq1d+MLHIzQqgzZvmVry2+ piIUsXRO693r+TiU6BzZjnpBm+Omo6BzvOuJmUq34/XztdrGWSfoCvpwlesbMJZc sNGN1N5wQ3U1FcQTkwJc2wVyTpQNyu+tgvZyqwusIwAlH7J9cN/zg+eNZ+3ZpPUv 7DjiKhwQCQUqv/LHC5sK7FmQNELLwXPGvTaflvjfhF9uSBWCAX9JVEBNsHrB1M0= =77pe -----END PGP SIGNATURE-----

1 0

Re: [tor-relays] Advantage in more exits in the same /8?
by Jesse Victors 27 Aug '14

27 Aug '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384 > Message: 5 > Date: Tue, 26 Aug 2014 19:50:21 +0200 > From: Anders Andersson <pipatron(a)gmail.com> > To: tor-relays(a)lists.torproject.org > Subject: Re: [tor-relays] Advantage in more exits in the same /8? > Message-ID: > <CAKkunMYKgXKT1OEbV5Lft9edqLhvAJsbxv7QkHQn6dCbpuj36Q(a)mail.gmail.com> > Content-Type: text/plain; charset=UTF-8 > > On Tue, Aug 26, 2014 at 3:47 PM, Jesse Victors > <jvictors(a)jessevictors.com> wrote: > >> I run some relays and an exit in a university setting. The nodes are in the same /8 block and are physically close to one another as well. Is there any advantage in turning one of the relays into another exit? This is something that my ISP would be agreeable to, but I'm also pondering the effects on the Tor network as a whole. > Just want to be clear here: Do you really mean /8 and not /24? There's > only one university I can find with a /8 block. Anders, no I literally mean the same /8. The university has its own /16 and recently required another /16, but since my nodes are physically close to one another they are in the same /8. My concern is that too many nodes in a small block can result in a large concentration of Tor circuits in that block. No circuit should use any two nodes from the same /16 unless forced to, so my question really revolved around how many is too many Tor circuits and how much is too much traffic through the same /8 or /16 in people's opinion. - -- Jesse V. On 08/27/2014 06:00 AM, tor-relays-request(a)lists.torproject.org wrote: > Message: 2 > Date: Tue, 26 Aug 2014 16:24:42 +0200 > From: Moritz Bartl <moritz(a)torservers.net> > To: tor-relays(a)lists.torproject.org > Subject: Re: [tor-relays] Advantage in more exits in the same /8? > Message-ID: <53FC98AA.2000607(a)torservers.net> > Content-Type: text/plain; charset=ISO-8859-1 > > Hi Jesse, > > On 08/26/2014 03:47 PM, Jesse Victors wrote: >> > It seems to me that too many nodes under the same ISP is >> > problematic because it concentrates too much traffic in >> > the same AS, but on the other hand, Tor could use more exits. >> > More importantly, how many is too many nodes in the same /8, >> > or in the same /16? Where would you draw the line? > Very good question. Ideally, the Tor client would be AS-aware, and you > would not have to worry about it. For the interested reader, see for > example [1]. Until then, my thinking is that I compare to other > locations. https://compass.torproject.org/ is very helpful for that: For > example, if you group by AS, the largest AS right now (i3d, NL) in > regards to exit capacity has 11%, and OVH tops the overall network at > 10% consensus weight. > > As a rough rule, I'd avoid to push more than 1-2Gbit/s of traffic at one > ISP. On the plus side, as long as you don't top the list, you're > weighing down other locations. And universities are a preferred location. > > Make sure to use the MyFamily statement correctly: Unless relays are on > the same /16, Tor might pick multiple of them for a circuit. Also, if > you want to push more than ~100 Mbit/s on a single machine, you need > AES-NI or run multiple relays, for more than 400 Mbit/s you need to run > multiple relays in any case. The multi-relay initscript can be quite > helpful for that. > > [1] http://freehaven.net/anonbib/#ccs2013-usersrouted > [2] https://www.torservers.net/wiki/setup/server#multiple_tor_processes > > -- Moritz Bartl https://www.torservers.net/ Thanks Moritz, Ok, so I think 1-2 Gbit/s is a good number, that just seems like an awful lot of data to me and I'd rather see that spread out more diversely of course. I'm aware that no circuit should contain two nodes from the same /16 unless forced to, and the MyFamily value further helps with that. My concern was not with a single circuit using multiple nodes there, but rather many circuits preferring that AS. Diversity helps security. That being said, by your advice I'm nowhere near that threshold, so I could keep going. Thanks for the tips on the multiple Tor instances and the optimization tips. - -- Jesse V. /CS, Network Security / -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQF8BAEBCQBmBQJT/e7iXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxMjgyMjhENjEyODQ1OTU1NzBCMjgwRkFB RDk3MzY0RkMyMEJFQzgwAAoJEK2XNk/CC+yAu0wIAK3rn17vEWQZTZy5KVBgOnUI TstJAkqO9Wjkfxf++E/5h8OMRdU1f3rV2mArJgGbgc344ttueM8iPntneaK4jI9W 4FrEqiMf7X6boYZXyeG81gYaGT6nf8ePSK5+1xY3pGR+2R3gXbDt/AU/LIZFsL2w r+9znukltzWBudfM76Fzd7jJcrwC+2giguHKU1/oxpKDh1xWuQC4maOYxZexGSLw JFz/O9Ca/CIDH/5Pbm6uJFe3Ec1zzm6z8cgsfBmGY8GHj3xBM8bNttP+a+fW7J5Z W01uoYss6tuw3jhVAp/+LKm4GcXsdtUjJIAX56yvEURCa6L9CbuTYha4cBI4zFw= =OHSc -----END PGP SIGNATURE-----

2 1

Ongoing scan from FDCServers block
by linenoiz＠Safe-mail.net 27 Aug '14

27 Aug '14

For the past week or so I've been seeing unsolicited echo replies coming from FDC servers block and one that looks like it is owned by China(?) Most of the entries are from 67.159.54.101 and I am seeing around one per minute. I verified by running tcpdump for a couple minutes (no longer, I'm not an illegal wiretapper!) that I'm not sending echo requests. IPTables is configured to drop and log this invalid traffic. Any idea what they are trying to accomplish? Some convoluted way of pinging me because they don't get an ICMP unreachable back? And why every minute? DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.101 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=61817 PROTO=ICMP TYPE=0 CODE=0 ID=10249 SEQ=0 DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.101 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=61817 PROTO=ICMP TYPE=0 CODE=0 ID=58375 SEQ=0 DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.102 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=39417 PROTO=ICMP TYPE=0 CODE=0 ID=62498 SEQ=0 DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28340 PROTO=ICMP TYPE=0 CODE=0 ID=30728 SEQ=0 DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28334 PROTO=ICMP TYPE=0 CODE=0 ID=30728 SEQ=0 DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28335 PROTO=ICMP TYPE=0 CODE=0 ID=54277 SEQ=0

2 1

managing bandwidth quotum
by Kees Goossens 26 Aug '14

26 Aug '14

Dear all, A question on how to manage a bandwidth quotum of my internet provider. I run a non-exit relay on a hosted server with 1000 GB bandwidth per month. In essence, should I A- only set the AccountingMax, and let the relay figure out the RelayBandwidthRate & RelayBandwidthBurst by itself B- set the AccountingMax, and set RelayBandwidthBurst to whatever the provider will allow (much higher than the average rate) C- set the AccountingMax, and set RelayBandwidthRate to the average rate (quotum/31 days), and optionally set RelayBandwidthBurst D- only set the RelayBandwidthRate to the average rate, and hope that I don’t go too much over my quotum This could perhaps be rephrased as: - is it better to offer a high bandwidth for part of the month and then hibernate, or - should I offer a lower average bandwidth for the whole month? Details: I’ve set “AccountingMax 450 GB” with the appropriate accounting start (conservative, since I log in occasionally too). 450 GB / 31 days => 168 KB / sec average Setting “BandwidthRate 168 KB” seems to severely underutilise the relay. Setting “BandwidthRate 1000 KB”, to force usage of the relay, uses the relay bandwidth at a much larger rate (2670 KB/s consensus weight), and will cause hibernation after ~25 days. Thanks. Kees

3 2

Advantage in more exits in the same /8?
by Jesse Victors 26 Aug '14

26 Aug '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384 Hey everyone, I run some relays and an exit in a university setting. The nodes are in the same /8 block and are physically close to one another as well. Is there any advantage in turning one of the relays into another exit? This is something that my ISP would be agreeable to, but I'm also pondering the effects on the Tor network as a whole. It seems to me that too many nodes under the same ISP is problematic because it concentrates too much traffic in the same AS, but on the other hand, Tor could use more exits. More importantly, how many is too many nodes in the same /8, or in the same /16? Where would you draw the line? - -- Jesse V. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQF8BAEBCQBmBQJT/JACXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxMjgyMjhENjEyODQ1OTU1NzBCMjgwRkFB RDk3MzY0RkMyMEJFQzgwAAoJEK2XNk/CC+yAc30H/itZHxdCndyXrynjhCI9N3Y/ jtdQ4V2UVWGe0YdsHBrSibexvZxj9EGtNHAuBNuf9ZPrTV5BXV4/Q0RXRZSp+AZ7 NVCp0/7wv/R/n+1qJqWfD2F0D27pyQoaHTMHSJKWXeVN71F5uM4+ScG5qyGsgsG7 Op9s3K5tYTr4m2WcPoAQke4Gj7Bn4nBIbJP8djPZeQ5ACKIDfBJjlgy6Q7fJE+E7 62GYvRknYVHjWAM6gsYSuHnoBCGPAcYkSWMOyPBf+rt8+J0HCMBja/yvzBMwMiNu jEGK/pFka6j+CKYZuEXIbfBV4MLnbZqaah5e58640rUvwqz5eFvf2pliONpVGY4= =aTsa -----END PGP SIGNATURE-----

3 2

how long till the axe falls on little guard relays?
by starlight.2014q3＠binnacle.cx 25 Aug '14

25 Aug '14

The guard status of the relay here is hanging on by a thread (consensus 5-in-favor 4-against) and this had me wondering until I read [tor-relays] don't worry (to much) if your relay is loosing the guard flag https://lists.torproject.org/pipermail/tor-relays/2014-July/005043.html Looking at the Consensus Health page it's clear that about 1000 other relays are also separated from Guard Oblivion by a single vote. I'm curious if anyone knows roughly when the next authority will upgrade to a version with the new criteria and the little guards get the chop.

5 5

Relay "kingqueen" lost Named attribute
by kingqueen 22 Aug '14

22 Aug '14

hi, Does anybody know why my relay "kingqueen" has lost its Named attribute? https://atlas.torproject.org/#details/7B48192A59A903F914ECF73ADBC3711F3E8EA… Thank you KQ

3 3

Re: [tor-relays] OnionTip.com distributes Bitcoin donations to all BTC addresses set in ContactInfo
by Tim 21 Aug '14

21 Aug '14

On 14 Aug 2014, at 22:00, Alexander wrote: >> On 2014-08-14 10:25, Mike Cardwell wrote: >> >> On the other hand. It costs you nothing to stick a bitcoin >> address in a config file to find out. > > Not being a lawyer, does accepting money for running a Tor relay make it > a commercial operation (in some countries) and put you in a different > legal position? > > Best regards, > Alexander Also not being a lawyer, if BTC isn't legal tender in your country (if such a concept exists), are you really accepting "money"? Tim

3 3

reaching out to relay ops that run outdated versions
by Nusenu 19 Aug '14

19 Aug '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 FYI: I just sent out the email bellow to ~160 relay operators - I hope this results in some actual improvements. It is a bit disappointing to see even torservers.net, DFRI, icetor, Frenn vun der Enn, Calyx, Cymru in the recipients list. The recipient list is based on the following output (limited to relays faster than 999KB/s): grep -v 0.2.5.6 Tor_query_EXPORT.csv |grep -v 0.2.4.23|grep -v 0.2.6.0|head -n 344 (csv is from torstatus.blutmagie.de) > Hello, > > you are receiving this email because you are using an outdated tor > version on your tor relay. (your email address was taken from your > relay's contact info field) > > Tor v0.2.4.23 has been released on 2014-07-28 [1] to address a > security issue that makes de-anonymization attacks easier [2] - > please update to Tor v0.2.4.23 or v0.2.5.6. > > To find out your current version run the following command on your > relay: tor --version > > If you are using Linux: Package managers can be used to > automatically update Tor without requiring manual admin > intervention. > > > It is recommended to use the official APT/YUM repos from > torproject.org to get timely updates: APT: > https://www.torproject.org/docs/debian.html.en YUM: > https://www.torproject.org/docs/rpms.html.en > > > thanks for running a relay and making the tor network safer! > > > [1] > https://lists.torproject.org/pipermail/tor-announce/2014-July/000093.html > > [2] > https://lists.torproject.org/pipermail/tor-announce/2014-July/000094.html > -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJT8IfkAAoJEDcK3SCCSvoecIMP/0NX+C4+h55BXaQt2RSwA472 PyEIjSRUwrlnc0navJ1pSHOusCWnrCiMFXQaQqcdCliODzEytPoaLynItiwAtKzp UhDja4Sp/Lag9m9CiNJ/0C9k9OeHQbKcEffLAnTVUOZmcBFwo2CsROruGgveOic6 gE13Yi9LuoHdtMfDDRgLoQyL5hqa1kogpj9maMjXZwEwXhZvNpd7GEUd79WjtVm+ eFoYTW4mgPXcU0fZOtuZxAAkrd/blEzr67o4aKiMeaNDo6zmXIBe1URsPkRf50dO kQ0m4/GSicdVyOnsId+f6RcpAD/LD7QiqIyxv/XZ9uEDqtI2RvxBxNeU9kXU8KK+ y4fsXKZ4pvXgj5Nqv7niNJlftegr1rrdRB7wAtZ/2ETpEL3dqC+aBo0bL+ctk1zZ RlXZkPTOTmGEh5pDxXr8P1rxukgivOsPw3tWmeCjb2+HeiRi117LNeccvwW3SZYE pDLVSJIhxpkFKxtJ8N4vTyqoQzX/N+g1gkOZ/yuF4aCIpfLFTxjUUkMt8wyEI+v2 HMiAXyeHBFh541b9ScTrLao21sxPDsQHq1mNf3RHRKESgiejWLZz74wojUU/drIP coZVoJ7U3aFqb6xgIlJzv8u+IcPld6Xsy3U8MUtD+4q2v7t9y6u6QBrj454YCQrQ Ms0g2ocOvRCTKWUgtbdx =BK/o -----END PGP SIGNATURE-----

9 17

Protecting your domain's reputation
by JusticeRage 19 Aug '14

19 Aug '14

Hello everyone! I am the operator of a somewhat recent exit node with SMTP allowed, and I have found out something worth sharing. Let me know if this is already known. As suggested by the Tor documentation, I set a reverse DNS which makes clear that my exit node belongs to the Tor network (tor-exit-readme.manalyzer.org) This week-end, I started to recieve weird e-mail delivery failure notifications, and even a line from a guy kindly asking me to stop sending him mail. The thing is, I was actually lucky to recieve all those, and I wouldn't have if I didn't have a catch-all address set for the whole domain. Looking at the source of the rejected e-mails, I found out that someone was forging e-mails which look like they come from my domain: Received: from tor-exit-readme.manalyzer.org (tor-exit-readme.manalyzer.org [95.130.11.147]) by smtp.craigslist.org (Haraka/2.5.0) with ESMTP id 66DDCADC-FEA4-4D62-8F08-2630AC1E0299.1 envelope-from <best_pharmacy5(a)manalyzer.org>; Mon, 18 Aug 2014 13:25:12 -0700 From: Levitra-Shop <best_pharmacy5(a)manalyzer.org> To: <rkdq8-4339052657(a)hous.craigslist.org> Subject: When It Comes Healthcare, Nothing Beats a Hometown Advantage, Rkdq8-4339052657 . (I got tons of these, all procedurally generated e-mail addresses.) The thing is, these e-mails don't just seem like they're coming from my domain: they ARE coming from my domain, since the machine sending them has a rDNS which belongs to it. From a mail server's perspective, they're actually very legitimate and probably won't be flagged as spam. I believe that someone is listing all the exit nodes which have a reverse DNS set up, and uses the domain to send out unwanted e-mail. This is a problem for operators for the following reasons: - The reputation of your domain is damaged, and legitimate e-mails sent from it may end up discarded - It strenghtens the idea that mail servers blindly reject everything that comes out of a Tor exit node The good news is, there is something you can do about it. This is exactly what Sender Policy Framework [1] was created for. Long story short, this is some information you can put in your DNS to indicate which machines are allowed to send e-mails for the domains, and which are not (hint: the exit node should not be listed in there). Here is a sample policy which says that only servers registered as MX in your DNS should send e-mails for the domain : tor-exit.domain.com. IN TXT "v=spf1 mx -all" If you need something more specific, I have found a nice wizard [2] which will help greatly. If you run an exit node and have a reverse DNS set up, I highly recommend you take ten minutes to look into this. Please note that this will NOT prevent Tor users from sending e-mail or restrain their freedom in any way; it will only prevent ill-intentioned people from spoofing your domain. I also think that there should be a note in the Tor documentation about this issue (I couldn't find anything regarding this). I hope this helps! [1] https://en.wikipedia.org/wiki/Sender_Policy_Framework [2] http://www.spfwizard.net/ -- JusticeRage

3 3