- tor-relays - lists.torproject.org

Multiple ServerTransportListenAddr OBFS2|3|4 Configuration
by Gary C. New 15 Dec '22

15 Dec '22

All: I noticed that the obfs2, obfs3, and obfs4 transport names seem to be hardcoded into tor. I have been able to configure the torrc to register each of the transports for multiple ServerTransportListenAddr: # cat torrc ORPort xxx.xxx.xxx.xxx:443 NoListen ORPort 192.168.0.31:9001 NoAdvertise SocksPort 9050 SocksPort 192.168.0.31:9050 ControlPort 9051 HTTPTunnelPort 9080 HTTPTunnelPort 192.168.0.31:9080 ExtORPort 192.168.0.31:auto BridgeRelay 1 BridgeDistribution moat ServerTransportPlugin obfs2 exec /opt/bin/obfs4proxy -enableLogging ServerTransportListenAddr obfs2 192.168.0.31:3102 ServerTransportOptions obfs2 iat-mode=2 ServerTransportPlugin obfs3 exec /opt/bin/obfs4proxy -enableLogging ServerTransportListenAddr obfs3 192.168.0.31:3103 ServerTransportOptions obfs3 iat-mode=2 ServerTransportPlugin obfs4 exec /opt/bin/obfs4proxy -enableLogging ServerTransportListenAddr obfs4 192.168.0.31:3104 ServerTransportOptions obfs4 iat-mode=2 DirCache 1 ExitRelay 0 # grep -i obfs ./torlog 2022/12/14 00:39:07 [NOTICE]: obfs4proxy-0.0.14 - launched Dec 13 17:41:48.000 [notice] Registered server transport 'obfs2' at '192.168.0.31:3102' Dec 13 17:41:48.000 [notice] Registered server transport 'obfs3' at '192.168.0.31:3103' Dec 13 17:41:48.000 [notice] Registered server transport 'obfs4' at '192.168.0.31:3104' # netstat -anp | grep obfs4proxy tcp 0 0 192.168.0.31:3102 0.0.0.0:* LISTEN 30185/obfs4proxy tcp 0 0 192.168.0.31:3103 0.0.0.0:* LISTEN 30185/obfs4proxy tcp 0 0 192.168.0.31:3104 0.0.0.0:* LISTEN 30185/obfs4proxy My question is whether the respective obfs2|3|4 transport names force the corresponding protocol? If so... Are there any ServerTransportOptions that can force the obfs4 protocol on the legacy obfs2|3 transports? Also... It wasn't clear in the manual whether obfs4proxy -enableLogging takes an optional path/file? I appreciate any knowledge on the subjects. Respectfully, Gary

2 2

Are HTTPTunnelPort and SocksPort Disabled in Bridge Mode?
by Gary C. New 14 Dec '22

14 Dec '22

All: Are HTTPTunnelPort and SocksPort Disabled in Bridge Mode (BridgeRelay 1)? Recently, I migrated over to Bridge Relays and discovered I can no longer client connect over 9080 (HTTPTunnelPort) or 9050 (SocksPort). I've confirmed that listeners are still binding to 9080 and 9050, but I can no longer client connect over them. However, I am able to successfully client connect over the new ServerTransportListenAddr and Port. Is it possible to use HTTPTunnelPort and SocksPort in Bridge Mode (BridgeRelay 1)? Respectfully, Gary— This Message Originated by the Sun. iBigBlue 63W Solar Array (~12 Hour Charge) + 2 x Charmast 26800mAh Power Banks = iPhone XS Max 512GB (~2 Weeks Charged)

1 1

Re: [tor-relays] inet_csk_bind_conflict
by Gary C. New 10 Dec '22

10 Dec '22

On Saturday, December 10, 2022, 7:23:28 AM PST, David Fifield <david(a)bamsoftware.com> wrote: On Sat, Dec 10, 2022 at 09:59:14AM +0100, Anders Trier Olesen wrote: >> IP_BIND_ADDRESS_NO_PORT did not fix your somewhat similar problem in your >> Haproxy setup, because all the connections are to the same dst tuple <ip, port> >> (i.e 127.0.0.1:ExtORPort). >> The connect() system call is looking for a unique 5-tuple <protocol, srcip, >> srcport, dstip, dstport>. In the Haproxy setup, the only free variable is >> srcport <tcp, 127.0.0.1, srcport, 127.0.0.1, ExtORPort>, so toggling >> IP_BIND_ADDRESS_NO_PORT makes no difference. > No—that is what I thought too, at first, but experimentally it is not > the case. Removing the IP_BIND_ADDRESS_NO_PORT option from Haproxy and > *doing nothing else* is sufficient to resolve the problem. Haproxy ends > up binding to the same address it would have bound to with > IP_BIND_ADDRESS_NO_PORT, and there are the same number of 5-tuples to > the same endpoints, but the EADDRNOTAVAIL errors stop. It is > counterintuitive and unexpected, which why I took the trouble to write > it up. > As I wrote at #40201, there are divergent code paths for connect in the > kernel when the port is already bound versus when it is not bound. It's > not as simple as filling in blanks in a 5-tuple in otherwise identical > code paths. > Anyway, it is not true that all connections go to the same (IP, port). > (There would be no need to use a load balancer if that were the case.) > At the time, we were running 12 tor processes with 12 different > ExtORPorts (each ExtORPort on a different IP address, even: 127.0.3.1, > 127.0.3.2, etc.). We started to have EADDRNOTAVAIL problems at around > 3000 connections per ExtORPort, which is far too few to have exhausted > the 5-tuple space. Please check the discussion at #40201 again, because > I documented this detail there. > I urge you to run an experient yourself, if these observations are not > what you expect. I was surprised, as well. I wonder if IP_BIND_ADDRESS_NO_PORT is better implemented in Nginx? https://www.nginx.com/blog/overcoming-ephemeral-port-exhaustion-nginx-plus/ Respectfully, Gary— This Message Originated by the Sun. iBigBlue 63W Solar Array (~12 Hour Charge) + 2 x Charmast 26800mAh Power Banks = iPhone XS Max 512GB (~2 Weeks Charged)

1 0

upcoming directory authority changes
by Roger Dingledine 08 Dec '22

08 Dec '22

Hello fellow relay operators, Later today (Tuesday) we plan to do a synchronized shift where we make two configuration changes on the directory authorities. The goal will be to make these changes while maintaining the right threshold of signatures so relays and users still get a safe network status consensus that they trust. For background, Tor uses a threshold consensus design, where as long as a majority of directory authorities are behaving properly, all users get the same accurate view of the Tor network. You can learn more about the design in the bottom half of https://support.torproject.org/about/key-management/. Specifically, we plan to make these changes: (1) Temporarily remove Faravahar from the set of directory authorities, until Sina finds a new good home for it. We weren't all comfortable with its previous hosting location inside Team Cymru's network (see the bottom of https://blog.torproject.org/role-tor-project-board-conflicts-interest/ for more details), so to be extra safe we are making it no longer participate in the consensus process until it is reborn in its future home. You can read more about Sina and why we are excited to keep him involved in the Tor community at https://blog.torproject.org/volunteer-spotlight-sina-rabbani-helps-activist…. (2) Rotate to fresh identity keys for moria1, the directory authority that I run. In early November 2022 there was a remote break-in to the computer running moria1. Based on the evidence and the type of attack, I believe it was a standard automated attack -- that is, I think they weren't targeting the directory authority and also they never realized it *was* a directory authority. But to be extra safe, we decided to rotate to a fresh set of keys. I was also in the middle of a planned move to better hardware, so overall it was good timing for a fresh new start. I should note that for both moria1 and Faravahar, we have no evidence of any misuse of their keys. But more importantly, the threshold consensus design keeps Tor users safe *even if* we are underestimating what happened. Tor users and relays demand a consensus signed by a majority of the directory authorities, and right now that's five out of eight. Tor's security/privacy/anonymity properties remained safe before, during, and after these changes. Some closing thoughts and details: * We actually already removed Faravahar in the Tor git repository and in the Tor release 0.4.7.11 (which came out Nov 10 and has been in Tor Browser since Nov 22), so modern clients and relays are already demanding signatures from five authorities that aren't Faravahar. The change we'll do today is to make the other directory authorities stop incorporating its vote and signature into the consensus. Doing these changes at different times opened the window for surprising but harmless log warnings like https://bugs.torproject.org/tpo/core/tor/40725. We could see similar issues with the new moria1 key, and if so they should go away once there's a new release with the new key and you have upgraded. * In my opinion there is a good argument for every directory authority making fresh keys every few years anyway, especially in a world with sophisticated attackers who might try to obtain keys and not leave any traces. So for example when we bring Faravahar back I think it should be with entirely new keys. * Secure consensus designs have become much better in the past decade, in large part from all the Bitcoin enthusiasm. Our current design was always intended to be a placeholder until we got something better. And our friends in the PETS research community have been exploring edge cases where evil directory authorities can create mischief even when they're slightly less than a full majority. So while we're triaging the usual fires and priorities, we shouldn't forget about improving the directory design. * Directory authority keys already have a notion of an offline long-term identity with shorter-lifetime online keys that expire periodically, with the goal of limiting the future impact of a compromise. But it seems like this role separation never quite matches up well to the security issues that arise in practice, whereas it definitely adds complexity both to the design and to operation. This piece of the design could use some new ideas. * Lastly, the directory authority operator community is a community too, and the security of the Tor network relies on social trust and cooperation between these fine people. We used to have directory authority operator meetups in person at security conferences and at Tor dev meetings, to maintain the social and community connections. Covid put a stop to that along with so many other things, and we should work to bring it back. We could start by encouraging directory authority operators to participate in the monthly virtual relay operator meetups. Thanks for reading all the way to the end / hope this level of detail helps, --Roger

3 3

Re: [tor-relays] Tor DDoS Mitigation iptables scripts update. Version 4.0.1
by Chris 05 Dec '22

05 Dec '22

Hi Andres, Not at all. That's how I'm running my own relays. Just run the **combined.sh** on each individual VM and you'll be fine. As for the ORPort, yes, I agree. There are ways to read the torrc file and set the ORPort automatically. I will incorporate that into the scripts in future versions. My original intention was to put something simple together with minimum complexity that anyone with little or no expertise can understand and modify if necessary without breaking the code. I've also set up a [Discussion Board](https://github.com/Enkidu-6/tor-ddos/discussions) for the repository on github in case you have any questions, suggestions or simply need further help. On 12/1/2022 11:57 AM, Anders Trier Olesen wrote: > Hi Chris > > We run all the 12 dotsrc relays on a single host with many IP > addresses. Would we need to change anything? > > Btw, you can make the scripts find the all the OR ports by running > something like ‘ss -pl | grep tor’. > > - Anders > > tor. 1. dec. 2022 kl. 09.02 skrev Chris <tor(a)wcbsecurity.com > <mailto:tor@wcbsecurity.com>>: > > Background: > > A set of bash scripts used to apply iptables rules to fight the > current > DDoS attacks. They require no dependencies to install except > iptable/nftables which all Linux flavors already have and require no > particular expertise. The issue was discussed here: > > [issue > 40093](https://gitlab.torproject.org/tpo/community/support/-/issues/40093) > > Change log: > > Some modifications due to a change in the nature of the attacks. > > - Re ordered rules for more efficiency and reducing the load > - Removed the hashlimit rule as it puts more load on the system > with not > much overall benefit as the attackers have adapted to it and it > reduces > the size of the block list. > - Reduce the number of allowed concurrent connections to 2 if > you're not > a relay. > - Use of remove.sh cron script at regular intervals (optional) > will give > relays a chance to create up to 4 connections if they need to. > ******- Created a new cron file **refresh-authorities.sh** to refresh > your allow-list with the most up to date IP addresses for the > authorities and snowflake. Should be run daily. > - Removed an unnecessary line in the update files. > - Modified Readme.MD file to reflect new changes. > > The new modifications have been tested for two weeks now and the > systems > are running smoothly with no ill effect. > > You can read more and download here: > > [Enkidu-6 tor-ddos on Github](https://github.com/Enkidu-6/tor-ddos) > > To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is > recommended. > > P.S. > The NumCPUs option is unfortunately poorly documented. It really has > nothing to do with the number of CPUs you have. It's about the > number of > worker threads Tor will create to deal with decryption of > onionskins. So > you can have two CPUs and still set NumCPUs to 16. > > > _______________________________________________ > tor-relays mailing list > tor-relays(a)lists.torproject.org > <mailto:tor-relays@lists.torproject.org> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >

2 2

Another attempt against Tor DDoS
by Frank Steinborn 04 Dec '22

04 Dec '22

Hi, I want to show you my anti DDoS solution for my relays (aswell ;-). It works without ipset, but with a mix of the recent and hashlimit iptables modules. What is does: * If one IP address tries to make 7 SYN connection attempts per second, they are locked out for 300 seconds. If they try another connection in that timeframe, the timer is reset and they are locked out for another 300 seconds. * Threre are no more SYNs allowed if 4 connections are already in use to the ORPort. It works *very* well for me. Other solutons are far more aggressive but I feel my solution works perfectly against the attacks, even if they are not that aggresive. On top of that, I feel its more easy to implement into ones existing firewall solution. You can find the repo here: https://github.com/steinex/tor-ddos Feel free to give it a shot and feedback would be much appreciated! Greetings, steinex

1 0

relayor v22.0.0-rc is released
by nusenu 03 Dec '22

03 Dec '22

Hi, relayor v22.0.0-rc is released. relayor is an ansible role that helps you with running tor relays with minimal effort (automate everything). https://github.com/nusenu/ansible-relayor#main-benefits-for-a-tor-relay-ope… Changes since relayor v21.2.0-rc: * MetricsPort support improvements: * generate nginx reverse server config for remote prometheus scraping on the relay (we do not install nginx) * generate htpasswd file for HTTP basic auth of MetricsPort on the relay * debian/ubuntu: support new alpha repos (branch name is no longer included in the repo name). * FreeBSD 12.3 is supported kind regards, nusenu -- https://nusenu.github.io

2 4

Difficulties testing my bridge
by binarynoise 02 Dec '22

02 Dec '22

Hello everyone, I run a bridge and as I was doing maintenance on my server, I wanted to check whether my bridge works and whether the bandwidth is really as low as advertised in the relay search (it's not, maybe because no-one uses it, as it's on reserved distribution). So I started my tor-browser, opened htop locally and on the server and started browsing. Everything went smoothly, but something was odd: I did not see any traffic on my server (that idles most of the time, so I should see my bridges traffic). Checked connection-info: no bridge there. Went to settings, checked the bridge settings: yes, I had entered by bridge-line. Odd. Continued to the tor logs: oh, bridge-line didn't parse. Interesting. (I put in the server's identity key ed25519 fingerprint instead of the not-ed25519 one and put my bridges name somewhere there too). Ok, but why doesn't it tell me? Why is there no big "Couldn't connect to your configured bridges"- warning after hitting the connect-to-tor-button? Anyway, does some tool exist, where you enter your bridge's information or run it on the server, that tells you if the recommended versions of tor + dependencies are installed and actually used? That would make the task of keeping the bridge healthy easier. Greetings binarynoise

3 4

Tor DDoS Mitigation iptables scripts update. Version 4.0.1
by Chris 30 Nov '22

30 Nov '22

Background: A set of bash scripts used to apply iptables rules to fight the current DDoS attacks. They require no dependencies to install except iptable/nftables which all Linux flavors already have and require no particular expertise. The issue was discussed here: [issue 40093](https://gitlab.torproject.org/tpo/community/support/-/issues/40093) Change log: Some modifications due to a change in the nature of the attacks. - Re ordered rules for more efficiency and reducing the load - Removed the hashlimit rule as it puts more load on the system with not much overall benefit as the attackers have adapted to it and it reduces the size of the block list. - Reduce the number of allowed concurrent connections to 2 if you're not a relay. - Use of remove.sh cron script at regular intervals (optional) will give relays a chance to create up to 4 connections if they need to. ******- Created a new cron file **refresh-authorities.sh** to refresh your allow-list with the most up to date IP addresses for the authorities and snowflake. Should be run daily. - Removed an unnecessary line in the update files. - Modified Readme.MD file to reflect new changes. The new modifications have been tested for two weeks now and the systems are running smoothly with no ill effect. You can read more and download here: [Enkidu-6 tor-ddos on Github](https://github.com/Enkidu-6/tor-ddos) To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is recommended. P.S. The NumCPUs option is unfortunately poorly documented. It really has nothing to do with the number of CPUs you have. It's about the number of worker threads Tor will create to deal with decryption of onionskins. So you can have two CPUs and still set NumCPUs to 16.

1 0

Considering running a relay on AWS Free tier
by Keifer Bly 29 Nov '22

29 Nov '22

Hi, So I don't know if I will do it, but I am considering setting up a tor middle relay on AWS free tier. I have been asking their support tem regarding how much traffic one can push and remain free tier, their response was: If your microservice application is using an RDS or Amazon DynamoDB Accelerator (DAX) database, the Lambda-to-database traffic will be free if it’s in the same region, including if VPC peering is used. Traffic to databases in a different region will incur a regional transfer fee of $0.09 per GB for both the Lambda and database egress traffic. Ingress traffic is free for both.\" I am wondering does anyone else run tor middle relays on AWS free tier, and what is the best torrc configuration to use for keeping the inbound and outbound traffic in free tier in case I do go fourth with this? Thanks. --Keifer

2 1