Hello,
I’m running an exit relay (fingerprint: 5793CB9E1F5BAD3D5DA6C4158E16067D80CD8A2E) on a Linode VPS right now, and so far they’ve been really fantastic with dealing with a couple of DMCA notices that were sent to them. However, in the last week, I received notice from them that my server is attacking multiple sites around the web. Their suggestion was to go through my logs and remove the offending user, which is obviously unhelpful advice as I don’t keep any logs on my relay’s users.
I’d like to keep running the exit relay, but I’m not really sure how to best go about mitigating these sorts of threats and don’t want Linode to shut down the entire server.
Any suggestions are very much welcomed.
Thanks, trillium
On Sun, 14 Jun 2015, at 06:03 AM, trillium wrote:
I’m running an exit relay [...] on a Linode VPS right now [...] However, in the last week, I received notice from them that my server is attacking multiple sites around the web. [...]
Linode are not a good host for exits. See https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs#US1
-- Carlin
I experienced the same thing with Linode and decided to take down my relay and move it to SolarVPS. Multiple exchanges with Linode support led me to believe they didn't understand how Tor worked or they were covering their ass. I had previously let them know I was running an exit and they responded by thanking me for the heads-up.
James
On Sat, Jun 13, 2015 at 11:03 AM, trillium <trillium@riseup.net> wrote:
I’m running an exit relay [...] on a Linode VPS right now [...] However, in the last week, I received notice from them that my server is attacking multiple sites around the web. [...]
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Trillium,
I hope this advances your knowledge. A couple of days ago one of my exits was threatened with suspension for being 'blacklisted'. The VPS business gave me this (below) and was happy when I blocked the ports. It is more limiting of Tor, but the exit survived.
"Listing on the Sectoor TOR DNSBL indicates that this IP address is a tor node or a subnet (/24) containing a tor node. This listing does not indicate that your IP address has been blacklisted by Sectoor, as this list also contains subnets that contain a tor node. The subnet listing is not designed to block connections, but rather for use as a scoring mechanism. Your IP will only be blacklisted if it is the tor node itself and listed by Sectoor Exitnodes.
Sectoor TOR DNSBL lists every IP address which is known to run a tor server and allow their clients to connect to one of the following ports:
Ports 25, 194, 465, 587, 994, 6657, 6660-6670, 6697, 7000-7005, 7070, 8000-8004, 9000, 9001, 9998 and 9999.
More information about SECTOOR can be found at their website: http://www.sectoor.de/tor.php"
Robert
Thanks all for the help. I think I may try to move the exit relay over to SolarVPS or another VPS. It’s just a bummer because the relay was advertising ~6-7MB/s bandwidth and using a fair amount of it before people decided to use it for attacks, so I felt like I was contributing to the community.
-trillium
On Jun 13, 2015, at 8:36 PM, I <beatthebastards@inbox.com> wrote:
I hope this advances your knowledge. A couple of days ago one of my exits was threatened with suspension for being 'blacklisted'. The VPS business gave me this (below) and was happy when I blocked the ports. [...]
On 14.06.2015 at 22:35, trillium wrote:
Thanks all for the help. I think I may try to move the exit relay over to SolarVPS or another VPS. [...]
Instead, you might want to try restricting the exit a bit; it is common practice to disallow connections to some ports. Maybe have a look at the details of the attack; Linode should give them to you. Based on the services that are attacked, it might be good to block these ports if reasonable. Also, contacting the complaining party might be a good idea in some cases.
greetings yl
On 06/14/2015 10:35 PM, trillium wrote:
Thanks all for the help. I think I may try to move the exit relay over to SolarVPS or another VPS.
I think it's a very good approach to hunt new providers on platforms like lowendbox.com, ask them whether they are okay with exit relays, and then try them out. If you run into problems, avoid the temptation of concentrating too much capacity on the small number of known friendly ISPs, but rather hunt down the next "possibly friendly" ISP. Don't forget to add your experiences including date to the wiki [1].
It is plain stupidity when a provider asks you to remove your IPs from a simple DNSBL that lists Tor relays. In these cases, maybe you can relay them to people like us at torservers.net for "expert opinion" on the matter?
In dealing with "hacking attempt" complaints, if your ISP doesn't understand how little influence you have on these quite usual Internet activities which are basically just background noise [2], what may help is if you tell them that you have successfully blocked the attacks (by blacklisting the respective IPs to your ExitPolicy), and will continue to do so in a responsive way in the future.
We at Zwiebelfreunde have basically stopped dealing with automated reports. But, we did so only after a few years of "training our ISPs" by being very polite and fast in dealing with complaints. And, dedicated machines make a difference. Maybe pool your money with other Tor relay fans, similar to what I did? Especially since a fast relay currently helps the network more than a lot of small ones.
[1] https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs
[2] http://krebsonsecurity.com/2015/05/whos-scanning-your-network-a-everyone/
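Putting the two mitigations from this thread together (Robert's list of Sectoor-flagged ports and Moritz's suggestion of blacklisting the complained-about targets in the ExitPolicy), here is a torrc fragment as an added example. It is my illustration, not something posted in the thread or shipped by the Tor Project; the addresses 203.0.113.5 and 198.51.100.0/24 are documentation placeholders standing in for whatever the abuse report names.

```conf
## Added example: exit-policy fragment for a relay that has received
## "your server is attacking X" complaints. Not from the thread itself.
##
## Tor evaluates ExitPolicy entries top to bottom and the first match
## wins, so every reject has to appear before the final accept.

ExitRelay 1
ExitPolicyRejectPrivate 1

## 1. Per-target blacklist: the hosts/nets named in the abuse report.
##    Placeholder addresses; replace with the ones your ISP forwards.
ExitPolicy reject 203.0.113.5:*
ExitPolicy reject 198.51.100.0/24:*

## 2. The ports the Sectoor DNSBL keys on (as quoted by Robert above):
##    mail submission, IRC and the remaining entries of that list.
ExitPolicy reject *:25
ExitPolicy reject *:194
ExitPolicy reject *:465
ExitPolicy reject *:587
ExitPolicy reject *:994
ExitPolicy reject *:6657
ExitPolicy reject *:6660-6670
ExitPolicy reject *:6697
ExitPolicy reject *:7000-7005
ExitPolicy reject *:7070
ExitPolicy reject *:8000-8004
ExitPolicy reject *:9000-9001
ExitPolicy reject *:9998-9999

## 3. Everything else still exits.
ExitPolicy accept *:*
```

Check the file with `tor --verify-config -f /etc/tor/torrc` before sending the running daemon a SIGHUP to pick up the new policy; the policy is published in your relay descriptor, so the complaining party (or your ISP) can verify the block is in place. Keep the per-IP list short: each entry bloats the published descriptor, and if the complaints cluster on one service, rejecting that service's port is the cleaner fix.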