Oh the shame! Never had that tag on my exit before. I assume it was due to a bad boy attacking an IP, pointed out by my ISP, and the ISP put my server "under mitigation". I assume some filtering, which of course would have looked bad to TOR users. I did not spot the ISP's email for 30 minutes, but then I was able to block the offended IP. Within minutes of doing that the ISP said attack stop and my server was removed from mitigation. However the next day badexit tag on my exit and remains there How long does the tag last? I go to my other, overseas exit, a family member, to see the tag is aslo applied there to. Do family members get tarred with the same brush? I have turned both into relays for the time being. Or have I got this wrong. Is it a DNS thing? Are no some DNS providers causing issues forcing the tag? I am not using opendns. Gerry
Hi! gerard@bulger.co.uk:
Oh the shame! Never had that tag on my exit before.
Sorry to hear. :(
I assume it was due to a bad boy attacking an IP, pointed out by my ISP, and the ISP put my server "under mitigation". I assume some filtering, which of course would have looked bad to TOR users.
I did not spot the ISP's email for 30 minutes, but then I was able to block the offended IP. Within minutes of doing that the ISP said attack stop and my server was removed from mitigation. However the next day badexit tag on my exit and remains there
How long does the tag last?
So long as the Directory Authorities assign it.
I go to my other, overseas exit, a family member, to see the tag is aslo applied there to. Do family members get tarred with the same brush?
It depends on the reason for badexiting.
I have turned both into relays for the time being.
Or have I got this wrong. Is it a DNS thing? Are no some DNS providers causing issues forcing the tag? I am not using opendns.
It could be a DNS thing, I am not sure. I recently pushed a commit that leads to some exits getting that flag. I tried to contact all the relay operators beforehand (some did not have any ContactInfo set) but I got almost no reply back. For details see [1]. What's the fingerprint of your relay that got the badexit flag? Georg [1] https://trac.torproject.org/projects/tor/ticket/32864
Gerry
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
George Thanks My exit, still badexit, is 51AE5656C81CD417479253A6363A123A007A2233 and I did get an email which I missed, as it is simply failing to exit, Implying my ISP was doing something before they told me. Seems to be exiting from my local port now. -----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of Georg Koppen Sent: 24 March 2020 18:21 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] BadExit Hi! gerard@bulger.co.uk:
Oh the shame! Never had that tag on my exit before.
Sorry to hear. :(
I assume it was due to a bad boy attacking an IP, pointed out by my ISP,
and
the ISP put my server "under mitigation". I assume some filtering, which of course would have looked bad to TOR users.
I did not spot the ISP's email for 30 minutes, but then I was able to block the offended IP. Within minutes of doing that the ISP said attack stop and my server was removed from mitigation. However the next day badexit tag on my exit and remains there
How long does the tag last?
So long as the Directory Authorities assign it.
I go to my other, overseas exit, a family member, to see the tag is aslo applied there to. Do family members get tarred with the same brush?
It depends on the reason for badexiting.
I have turned both into relays for the time being.
Or have I got this wrong. Is it a DNS thing? Are no some DNS providers causing issues forcing the tag? I am not using opendns.
It could be a DNS thing, I am not sure. I recently pushed a commit that leads to some exits getting that flag. I tried to contact all the relay operators beforehand (some did not have any ContactInfo set) but I got almost no reply back. For details see [1]. What's the fingerprint of your relay that got the badexit flag? Georg [1] https://trac.torproject.org/projects/tor/ticket/32864
Gerry
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
btw, you need to have at least port 80 and 443 … port 80 is missing … Cheers, niftybunny
On 25. Mar 2020, at 23:28, gerard@bulger.co.uk wrote:
George
Thanks
My exit, still badexit, is 51AE5656C81CD417479253A6363A123A007A2233 and I did get an email which I missed, as it is simply failing to exit, Implying my ISP was doing something before they told me. Seems to be exiting from my local port now.
-----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of Georg Koppen Sent: 24 March 2020 18:21 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] BadExit
Hi!
gerard@bulger.co.uk:
Oh the shame! Never had that tag on my exit before.
Sorry to hear. :(
I assume it was due to a bad boy attacking an IP, pointed out by my ISP,
and
the ISP put my server "under mitigation". I assume some filtering, which of course would have looked bad to TOR users.
I did not spot the ISP's email for 30 minutes, but then I was able to block the offended IP. Within minutes of doing that the ISP said attack stop and my server was removed from mitigation. However the next day badexit tag on my exit and remains there
How long does the tag last?
So long as the Directory Authorities assign it.
I go to my other, overseas exit, a family member, to see the tag is aslo applied there to. Do family members get tarred with the same brush?
It depends on the reason for badexiting.
I have turned both into relays for the time being.
Or have I got this wrong. Is it a DNS thing? Are no some DNS providers causing issues forcing the tag? I am not using opendns.
It could be a DNS thing, I am not sure. I recently pushed a commit that leads to some exits getting that flag. I tried to contact all the relay operators beforehand (some did not have any ContactInfo set) but I got almost no reply back. For details see [1].
What's the fingerprint of your relay that got the badexit flag?
Georg
[1] https://trac.torproject.org/projects/tor/ticket/32864
Gerry
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
"btw, you need to have at least port 80 and 443 … port 80 is missing …" It there. But to a /8 area IPV4, all IPv6 I have not changed my exit policy for years. Port 80 is there, just limited to a /8 network and all IPv6 addresses port 80 allowed. 443 all there IPv4 and IPv6 Testing seems to be exiting OK, but badexit tag still there. Gerry -----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of niftybunny Sent: 26 March 2020 12:49 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] BadExit btw, you need to have at least port 80 and 443 … port 80 is missing … Cheers, niftybunny
On 25. Mar 2020, at 23:28, gerard@bulger.co.uk wrote:
George
Thanks
My exit, still badexit, is 51AE5656C81CD417479253A6363A123A007A2233 and I did get an email which I missed, as it is simply failing to exit, Implying my ISP was doing something before they told me. Seems to be exiting from my local port now.
-----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of Georg Koppen Sent: 24 March 2020 18:21 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] BadExit
Hi!
gerard@bulger.co.uk:
Oh the shame! Never had that tag on my exit before.
Sorry to hear. :(
I assume it was due to a bad boy attacking an IP, pointed out by my ISP,
and
the ISP put my server "under mitigation". I assume some filtering, which of course would have looked bad to TOR users.
I did not spot the ISP's email for 30 minutes, but then I was able to block the offended IP. Within minutes of doing that the ISP said attack stop and my server was removed from mitigation. However the next day badexit tag on my exit and remains there
How long does the tag last?
So long as the Directory Authorities assign it.
I go to my other, overseas exit, a family member, to see the tag is aslo applied there to. Do family members get tarred with the same brush?
It depends on the reason for badexiting.
I have turned both into relays for the time being.
Or have I got this wrong. Is it a DNS thing? Are no some DNS providers causing issues forcing the tag? I am not using opendns.
It could be a DNS thing, I am not sure. I recently pushed a commit that leads to some exits getting that flag. I tried to contact all the relay operators beforehand (some did not have any ContactInfo set) but I got almost no reply back. For details see [1].
What's the fingerprint of your relay that got the badexit flag?
Georg
[1] https://trac.torproject.org/projects/tor/ticket/32864
Gerry
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
My bad. Never seen this before. I there a good reason for the accept 133.0.0.0/8:80 ? niftybunny
On 26. Mar 2020, at 15:06, gerard@bulger.co.uk wrote:
"btw, you need to have at least port 80 and 443 … port 80 is missing …"
It there. But to a /8 area IPV4, all IPv6
I have not changed my exit policy for years. Port 80 is there, just limited to a /8 network and all IPv6 addresses port 80 allowed. 443 all there IPv4 and IPv6
Testing seems to be exiting OK, but badexit tag still there.
Gerry
-----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of niftybunny Sent: 26 March 2020 12:49 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] BadExit
btw, you need to have at least port 80 and 443 … port 80 is missing …
Cheers,
niftybunny
On 25. Mar 2020, at 23:28, gerard@bulger.co.uk wrote:
George
Thanks
My exit, still badexit, is 51AE5656C81CD417479253A6363A123A007A2233 and I did get an email which I missed, as it is simply failing to exit, Implying my ISP was doing something before they told me. Seems to be exiting from my local port now.
-----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of Georg Koppen Sent: 24 March 2020 18:21 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] BadExit
Hi!
gerard@bulger.co.uk:
Oh the shame! Never had that tag on my exit before.
Sorry to hear. :(
I assume it was due to a bad boy attacking an IP, pointed out by my ISP,
and
the ISP put my server "under mitigation". I assume some filtering, which of course would have looked bad to TOR users.
I did not spot the ISP's email for 30 minutes, but then I was able to block the offended IP. Within minutes of doing that the ISP said attack stop and my server was removed from mitigation. However the next day badexit tag on my exit and remains there
How long does the tag last?
So long as the Directory Authorities assign it.
I go to my other, overseas exit, a family member, to see the tag is aslo applied there to. Do family members get tarred with the same brush?
It depends on the reason for badexiting.
I have turned both into relays for the time being.
Or have I got this wrong. Is it a DNS thing? Are no some DNS providers causing issues forcing the tag? I am not using opendns.
It could be a DNS thing, I am not sure. I recently pushed a commit that leads to some exits getting that flag. I tried to contact all the relay operators beforehand (some did not have any ContactInfo set) but I got almost no reply back. For details see [1].
What's the fingerprint of your relay that got the badexit flag?
Georg
[1] https://trac.torproject.org/projects/tor/ticket/32864
Gerry
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi,
On 27 Mar 2020, at 02:00, niftybunny <abuse-contact@to-surf-and-protect.net> wrote:
My bad. Never seen this before. I there a good reason for the accept 133.0.0.0/8:80 ?
On 26. Mar 2020, at 15:06, gerard@bulger.co.uk wrote:
"btw, you need to have at least port 80 and 443 … port 80 is missing …"
It there. But to a /8 area IPV4, all IPv6
I have not changed my exit policy for years. Port 80 is there, just limited to a /8 network and all IPv6 addresses port 80 allowed. 443 all there IPv4 and IPv6
Testing seems to be exiting OK, but badexit tag still there.
The Exit flag only request one IPv4 /8 : https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2628 But if the network health team is testing a different IPv4 /8, then your relay might appear down. (If the DNS for the site they are testing has both IPv4 and IPv6, then the outcome will depend on their tor version and config. 0.4.3 and later will prefer IPv6 by default.) T
On 27 Mar 2020, at 20:42, teor <teor@riseup.net> wrote:
On 26. Mar 2020, at 15:06, gerard@bulger.co.uk wrote:
"btw, you need to have at least port 80 and 443 … port 80 is missing …"
It there. But to a /8 area IPV4, all IPv6
The Exit flag only request one IPv4 /8 : https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2628
Correction: The Exit flag only *requires* one IPv4 /8. T
teor:
Hi,
On 27 Mar 2020, at 02:00, niftybunny <abuse-contact@to-surf-and-protect.net> wrote:
My bad. Never seen this before. I there a good reason for the accept 133.0.0.0/8:80 ?
On 26. Mar 2020, at 15:06, gerard@bulger.co.uk wrote:
"btw, you need to have at least port 80 and 443 … port 80 is missing …"
It there. But to a /8 area IPV4, all IPv6
I have not changed my exit policy for years. Port 80 is there, just limited to a /8 network and all IPv6 addresses port 80 allowed. 443 all there IPv4 and IPv6
Testing seems to be exiting OK, but badexit tag still there.
The Exit flag only request one IPv4 /8 : https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2628
But if the network health team is testing a different IPv4 /8, then your relay might appear down.
Yep, I think that's what happened. I'll get the badexit flag removed from both of your relays and think about ways for improving our tests. Sorry for the inconvenience. (FWIW: I sent an email to the address you put into your ContactInfo. I heard that mails for Tor Project addresses repeatedly land in spam folders. Maybe that happened this time, too.)
(If the DNS for the site they are testing has both IPv4 and IPv6, then the outcome will depend on their tor version and config. 0.4.3 and later will prefer IPv6 by default.)
Not sure what Arthur is running but I am just using what Debian ships on the box I run the tests, which is currently 0.3.5.8. I guess it might be worth thinking about switching away from that. Maybe tracking and using the version Tor Browser ships is smarter? Georg
Thanks. Funny that my long time restricted IPv4 port 80 exit was noticed just now giving the bad exit tag. I suspect the hour one of my server was quarantined by my ISP may have precipitated the system to look hard. As for my single /8 for port 80, for reason not clear to me, having many ports open including 443 open to all, IPV6 open on port 80 to all, while restricting IPV4 to a single /8 stops all abuse complaints. I have been free of abuse complaints and copyright claims for two years now. I tried to offer more IPv4 /8 ranges but abuses notices soon popped up, as if traffic is being en-route by some agencies. The free-text nature of port 80 meant contents read too easily, and IPV6 still not used enough... yet. Gerry -----Original Message----- From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of Georg Koppen Sent: 27 March 2020 12:40 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] BadExit teor:
Hi,
On 27 Mar 2020, at 02:00, niftybunny <abuse-contact@to-surf-and-protect.net> wrote:
My bad. Never seen this before. I there a good reason for the accept 133.0.0.0/8:80 ?
On 26. Mar 2020, at 15:06, gerard@bulger.co.uk wrote:
"btw, you need to have at least port 80 and 443 … port 80 is missing …"
It there. But to a /8 area IPV4, all IPv6
I have not changed my exit policy for years. Port 80 is there, just limited to a /8 network and all IPv6 addresses port 80 allowed. 443 all there IPv4 and IPv6
Testing seems to be exiting OK, but badexit tag still there.
The Exit flag only request one IPv4 /8 : https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n2628
But if the network health team is testing a different IPv4 /8, then your relay might appear down.
Yep, I think that's what happened. I'll get the badexit flag removed from both of your relays and think about ways for improving our tests. Sorry for the inconvenience. (FWIW: I sent an email to the address you put into your ContactInfo. I heard that mails for Tor Project addresses repeatedly land in spam folders. Maybe that happened this time, too.)
(If the DNS for the site they are testing has both IPv4 and IPv6, then the outcome will depend on their tor version and config. 0.4.3 and later will prefer IPv6 by default.)
Not sure what Arthur is running but I am just using what Debian ships on the box I run the tests, which is currently 0.3.5.8. I guess it might be worth thinking about switching away from that. Maybe tracking and using the version Tor Browser ships is smarter? Georg
This. Port 22 especially is a nightmare. niftybunny
On 27. Mar 2020, at 16:29, Toralf Förster <toralf.foerster@gmx.de> wrote:
Signed PGP part On 3/27/20 2:17 PM, gerard@bulger.co.uk wrote:
I have been free of abuse complaints and copyright claims for two years now. Well, the main problem here fore me is to get complaints from my hoster itself b/c any open address range are abused soon for port scans -- Toralf
Hi Georg,
On 27 Mar 2020, at 22:40, Georg Koppen <gk@torproject.org> wrote:
(If the DNS for the site they are testing has both IPv4 and IPv6, then the outcome will depend on their tor version and config. 0.4.3 and later will prefer IPv6 by default.)
Not sure what Arthur is running but I am just using what Debian ships on the box I run the tests, which is currently 0.3.5.8. I guess it might be worth thinking about switching away from that. Maybe tracking and using the version Tor Browser ships is smarter?
I think any supported Tor version is ok. But yes, using the same version as Tor Browser users could be helpful. T
participants (5)
-
Georg Koppen -
gerard@bulger.co.uk -
niftybunny -
teor -
Toralf Förster