On Tue, Apr 11, 2023 at 12:09:15PM +0000, Finn wrote:
Hello everyone,
We are hosting multiple relays under our AS 210558 and received an email from a local police station in Germany requesting user data, nothing unusual.
The weird thing is, that the relay in question is only a relay and not an exit node since its creation (185.241.208.179) (https://nusenu.github.io/OrNetStats/w/relay/B67C7039B04487854129A66B16F5EE3C...) - anyone has an idea how this happens?
Thanks for running relays!
Do you know what kind of user data they wanted?
It looks like your relay has been a Guard relay (i.e. has had the Guard flag) for most of the past year. One possibility is that they have somehow decided that a user they are trying to track uses your relay as one of their Guards. That is, in this scenario they decided that the user connects to your relay consistently over time, so they are asking you to help them learn more about that user.
Of course, your Tor relay in its default settings doesn't have any useful data for them, and you should keep it configured that way.
It is unclear how much people might be trying to do "guard discovery" attacks in practice, and also unclear how well they might work -- there is a lot of research on this class of attacks in theory but not much is known about whether it matters in practice.
And who knows, it could be something else: maybe they are just fishing for general information, or maybe they are intentionally creating useless work and stress for you and your hosting provider to discourage you from wanting to help Tor users.
More reading on the 'guard discovery attack' topic:
* PETS paper, From "Onion Not Found" to Guard Discovery: https://petsymposium.org/2022/files/papers/issue1/popets-2022-0026.pdf
* The Vanguards idea: https://blog.torproject.org/announcing-vanguards-add-onion-services/
Part of the vanguards idea is implemented by default in Tor 0.4.7: https://gitweb.torproject.org/torspec.git/tree/proposals/333-vanguards-lite.... https://gitlab.torproject.org/tpo/core/tor/-/issues/40363
Hope this helps, --Roger