Hey tor-relays,
The past few months, since I upgraded my net connection to 1Gbps, I've hit the top 40 fastest relays and the top 20 fastest exit nodes, peaking to over 17 MB/s. I've always prided the fact that my ISP, CondoInternet in Seattle, has been very welcoming of my reduced exit node. In the past, the malicious activity hasn't been "too much" for my ISP--examples here: http://yawnbox.com/1461--but now they want me to shut it down. What are my options?
Forwarded email:
Final Warning Notice - IP address 216.243.58.198
I am writing you regarding the repeated abuse complaints that we're receiving for your IP allocation. While we at CondoInternet are all for an open and unmolested with Internet experience for our customers as it was one of our founders' primary reasons for starting CondoInternet, your Tor node has generated a disproportional amount of abuse and legal complaints compared to the rest of our customers. We are asking that you remove the Tor node from your CondoInternet connection or to please switch to an alternative service provider by July 15th 2013.
We very much appreciate you being part of the CondoInternet family and do apologize for any inconvenience this change may cause you. Please feel free to contact me directly if you have any questions.
Sincerely, Operations Manager CondoInternet
A brief "whois" on the IP 216.243.58.198 reveals that the abuse address is listed as CondoInternet.
Does anybody have experience getting an IP allocation so that the abuse address is listed differently?
I have little experience, but perhaps this is a way out of this problem if condo's problem is the number of abuse complaints and the time it takes them.
Regards,
malaparte
Hey tor-relays,
The past few months, since I upgraded my net connection to 1Gbps, I've hit the top 40 fastest relays and the top 20 fastest exit nodes, peaking to over 17 MB/s. I've always prided the fact that my ISP, CondoInternet in Seattle, has been very welcoming of my reduced exit node. In the past, the malicious activity hasn't been "too much" for my ISP--examples here: http://yawnbox.com/1461--but now they want me to shut it down. What are my options?
Forwarded email:
Final Warning Notice - IP address 216.243.58.198
I am writing you regarding the repeated abuse complaints that we're receiving for your IP allocation. While we at CondoInternet are all for an open and unmolested with Internet experience for our customers as it was one of our founders' primary reasons for starting CondoInternet, your Tor node has generated a disproportional amount of abuse and legal complaints compared to the rest of our customers. We are asking that you remove the Tor node from your CondoInternet connection or to please switch to an alternative service provider by July 15th 2013.
We very much appreciate you being part of the CondoInternet family and do apologize for any inconvenience this change may cause you. Please feel free to contact me directly if you have any questions.
Sincerely, Operations Manager CondoInternet
-- Chris Sheats yawnbox@gmail.com _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 7/9/2013 9:03 PM, hack@riseup.net wrote:
A brief "whois" on the IP 216.243.58.198 reveals that the abuse address is listed as CondoInternet.
Does anybody have experience getting an IP allocation so that the abuse address is listed differently?
I have little experience, but perhaps this is a way out of this problem if condo's problem is the number of abuse complaints and the time it takes them.
It's my understanding that very few (and by very few I don't know or have ever heard of any) who will SWIP (change the abuse contact) an IP for anything under a /28 allocation. If one would SWIP a single IP, it'd probably require a very expensive bandwidth package.
I've thought quite a bit about pooling resources and getting a /28 from a provider, and then assigning those IPs as secondary IPs on cheap VPS providers, and then routing the traffic via encrypted IPSEC/GRE tunnels. But the /28 would have to be advertised in a single location, because people won't do BGP routes for single IPs (or maybe even /28s).
So if the /28 was registered in a datacenter in Chicago, all exit traffic would go to that datacenter (bad) then be shipped to the real Tor node in say Europe (slow), and then do the 3-hop Tor path. So I eventually gave up on that idea.
But my networking kung-fu is not as strong as others, so maybe via multicast or anycasts tricks this could work?
-tom
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/10/2013 01:38 AM, Tom Ritter wrote:
On 7/9/2013 9:03 PM, hack@riseup.net wrote:
A brief "whois" on the IP 216.243.58.198 reveals that the abuse address is listed as CondoInternet.
Does anybody have experience getting an IP allocation so that the abuse address is listed differently?
I have little experience, but perhaps this is a way out of this problem if condo's problem is the number of abuse complaints and the time it takes them.
It's my understanding that very few (and by very few I don't know or have ever heard of any) who will SWIP (change the abuse contact) an IP for anything under a /28 allocation. If one would SWIP a single IP, it'd probably require a very expensive bandwidth package.
I've thought quite a bit about pooling resources and getting a /28 from a provider, and then assigning those IPs as secondary IPs on cheap VPS providers, and then routing the traffic via encrypted IPSEC/GRE tunnels. But the /28 would have to be advertised in a single location, because people won't do BGP routes for single IPs (or maybe even /28s).
So if the /28 was registered in a datacenter in Chicago, all exit traffic would go to that datacenter (bad) then be shipped to the real Tor node in say Europe (slow), and then do the 3-hop Tor path. So I eventually gave up on that idea.
But my networking kung-fu is not as strong as others, so maybe via multicast or anycasts tricks this could work?
A /28 SWIP only works for the name of the ip addresses, not the nameservers. The parent ip space would still be listed and the rDNS would have to be delegated from the provider nameserver.
Persistant complainants will always CC the upstream of the ip space anyway.
A /24 would be better as you could shield the upstream a tiny bit more.
Multi/anycast, at least using BGP, require the assistance of the ISP.
- -- Marina Brown
-tom _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Chris Sheats:
Hey tor-relays,
The past few months, since I upgraded my net connection to 1Gbps, I've hit the top 40 fastest relays and the top 20 fastest exit nodes, peaking to over 17 MB/s. I've always prided the fact that my ISP, CondoInternet in Seattle, has been very welcoming of my reduced exit node. In the past, the malicious activity hasn't been "too much" for my ISP--examples here: http://yawnbox.com/1461--but now they want me to shut it down. What are my options?
Is their problem the amount of work they have to do because of the abuse and legal complaints? Then offer to handle them directly.
The best way to do so is to become the contact address for the IP. With your Regional Internet Registry, the process is usually called SWIP [1]. The issue you might run into is that SWIP is only available for a minimum of 8 IPv4 addresses. So they might charge you more and you might have to switch to a new IP address.
You probably should switch to a non-exit policy while negociating. If you and CondoInternet are not able to find a process where you could handle abuses directly, fast non-exit relays with good bandwidth are still a very useful contribution to the network! (and they would not get any legal complaints)
[1] https://en.wikipedia.org/wiki/SWIP
Hope you'll sort it out!
Lunar:
Chris Sheats:
Hey tor-relays,
The past few months, since I upgraded my net connection to 1Gbps, I've hit the top 40 fastest relays and the top 20 fastest exit nodes, peaking to over 17 MB/s. I've always prided the fact that my ISP, CondoInternet in Seattle, has been very welcoming of my reduced exit node. In the past, the malicious activity hasn't been "too much" for my ISP--examples here: http://yawnbox.com/1461--but now they want me to shut it down. What are my options?
By "reduced", were you using the ReducedExitPolicy? This would eliminate the bittorrent complaints. It sounds like you were, but I wanted to confirm (and your node is no longer in the consensus :/).
https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
Is their problem the amount of work they have to do because of the abuse and legal complaints? Then offer to handle them directly.
The best way to do so is to become the contact address for the IP. With your Regional Internet Registry, the process is usually called SWIP [1]. The issue you might run into is that SWIP is only available for a minimum of 8 IPv4 addresses. So they might charge you more and you might have to switch to a new IP address.
You probably should switch to a non-exit policy while negociating. If you and CondoInternet are not able to find a process where you could handle abuses directly, fast non-exit relays with good bandwidth are still a very useful contribution to the network! (and they would not get any legal complaints)
Yes, I want to emphasize the value of being a high capacity non-exit relay. I want to investigate various types of padding for Website Traffic Fingerprinting and correlation, and I think that if we end up having more Guard bandwidth than Exit bandwidth, we can write parameters into the consensus that instruct clients to use this extra capacity for padding: https://trac.torproject.org/projects/tor/ticket/7028
Did they shut you down entirely, even forbidding non-exit for some reason? Or did you decide to move to a new ISP that supports exits?
Mike-
On Thu, Jul 11, 2013 at 8:43 AM, Mike Perry mikeperry@torproject.org wrote:
Lunar:
Chris Sheats:
Hey tor-relays,
The past few months, since I upgraded my net connection to 1Gbps, I've hit the top 40 fastest relays and the top 20 fastest exit nodes, peaking to over 17 MB/s. I've always prided the fact that my ISP, CondoInternet in Seattle, has been very welcoming of my reduced exit node. In the past, the malicious activity hasn't been "too much" for my ISP--examples here: http://yawnbox.com/1461--but now they want me to shut it down. What are my options?
By "reduced", were you using the ReducedExitPolicy? This would eliminate the bittorrent complaints. It sounds like you were, but I wanted to confirm (and your node is no longer in the consensus :/).
https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
Yes, I followed the ReducedExitPolicy exactly. In a follow-up email response, I informed my ISP that I stopped my Tor service on this node, and they mentioned two things: BitTorrent-legal complaints, and HTTP/S SQL injections.
Is their problem the amount of work they have to do because of the abuse and legal complaints? Then offer to handle them directly.
The best way to do so is to become the contact address for the IP. With your Regional Internet Registry, the process is usually called SWIP [1]. The issue you might run into is that SWIP is only available for a minimum of 8 IPv4 addresses. So they might charge you more and you might have to switch to a new IP address.
You probably should switch to a non-exit policy while negociating. If you and CondoInternet are not able to find a process where you could handle abuses directly, fast non-exit relays with good bandwidth are still a very useful contribution to the network! (and they would not get any legal complaints)
Yes, I want to emphasize the value of being a high capacity non-exit relay. I want to investigate various types of padding for Website Traffic Fingerprinting and correlation, and I think that if we end up having more Guard bandwidth than Exit bandwidth, we can write parameters into the consensus that instruct clients to use this extra capacity for padding: https://trac.torproject.org/projects/tor/ticket/7028
Did they shut you down entirely, even forbidding non-exit for some reason? Or did you decide to move to a new ISP that supports exits?
I turned Tor off voluntarily, and have been planning on reconfiguring my node for relay-only traffic. In previous correspondence, I asked if there were any other Tor Exit's on their network, and they said no. So this isn't a good precedent for TorProject/Seattle volunteers considering that they provide 100 and 1000 Mbps service.
-- Mike Perry
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Chris Sheats said:
this isn't a good precedent for TorProject/Seattle volunteers considering that they provide 100 and 1000 Mbps service.
But are not the only ones [0]. Their position regarding TOR remains to be seen.
Chris Sheats:
Mike-
Is their problem the amount of work they have to do because of the abuse and legal complaints? Then offer to handle them directly.
The best way to do so is to become the contact address for the IP. With your Regional Internet Registry, the process is usually called SWIP [1]. The issue you might run into is that SWIP is only available for a minimum of 8 IPv4 addresses. So they might charge you more and you might have to switch to a new IP address.
You probably should switch to a non-exit policy while negociating. If you and CondoInternet are not able to find a process where you could handle abuses directly, fast non-exit relays with good bandwidth are still a very useful contribution to the network! (and they would not get any legal complaints)
Yes, I want to emphasize the value of being a high capacity non-exit relay. I want to investigate various types of padding for Website Traffic Fingerprinting and correlation, and I think that if we end up having more Guard bandwidth than Exit bandwidth, we can write parameters into the consensus that instruct clients to use this extra capacity for padding: https://trac.torproject.org/projects/tor/ticket/7028
Did they shut you down entirely, even forbidding non-exit for some reason? Or did you decide to move to a new ISP that supports exits?
I turned Tor off voluntarily, and have been planning on reconfiguring my node for relay-only traffic. In previous correspondence, I asked if there were any other Tor Exit's on their network, and they said no. So this isn't a good precedent for TorProject/Seattle volunteers considering that they provide 100 and 1000 Mbps service.
Yeah, this is the flip side to my suggestion of switching to non-exit.. In terms of advocacy for Tor, it may be more important to send them a message by taking your business elsewhere.
I guess it all depends on how expensive their service is, and if you would keep using it anyway for other purposes.
How much does the service cost? And you only get 1 dedicated IP at 1Gbit, or do you get more?
Note that only 1 IP means you can only run 2 Tor instances on that, and even with AES-NI, each Tor instance probably caps out at about 300Mbit at most. Without AES-NI, you probably could only push 100-150Mbit per Tor instance...
Lunar-
On Wed, Jul 10, 2013 at 12:26 AM, Lunar lunar@torproject.org wrote:
Chris Sheats:
Hey tor-relays,
The past few months, since I upgraded my net connection to 1Gbps, I've hit the top 40 fastest relays and the top 20 fastest exit nodes, peaking to over 17 MB/s. I've always prided the fact that my ISP, CondoInternet in Seattle, has been very welcoming of my reduced exit node. In the past, the malicious activity hasn't been "too much" for my ISP--examples here: http://yawnbox.com/1461--but now they want me to shut it down. What are my options?
Is their problem the amount of work they have to do because of the abuse and legal complaints? Then offer to handle them directly.
It appears to be the complaints themselves. When I asked about Open Knowledge Foundation America (I maintained this node on behalf of OKFA) handling complaints directly, my ISP responded that the IP space is shared responsibility between them and me, and that I/OKFA could not retain sole responsibility.
The best way to do so is to become the contact address for the IP. With your Regional Internet Registry, the process is usually called SWIP [1]. The issue you might run into is that SWIP is only available for a minimum of 8 IPv4 addresses. So they might charge you more and you might have to switch to a new IP address.
You probably should switch to a non-exit policy while negociating. If you and CondoInternet are not able to find a process where you could handle abuses directly, fast non-exit relays with good bandwidth are still a very useful contribution to the network! (and they would not get any legal complaints)
[1] https://en.wikipedia.org/wiki/SWIP
Hope you'll sort it out!
-- Lunar lunar@torproject.org
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays@lists.torproject.org
-
Chris Sheats -
hack@riseup.net -
Jason Self -
Lunar -
Marina Brown -
Mike Perry -
Tom Ritter