Hi, I tried to spin up a relay on GCE a few days ago, and I found that it was outright rejected with a message like "Authdir is rejecting routers in this range". I don't have the IP handy now, but I could easily get another ephemeral IP. I thought I came across a thread saying that there was an attack on the tor network originating from GCE, and that's why it got blacklisted. I'm not finding that thread now. But is GCE going to be removed from the blacklist? I realize it's not a very economical place to run a relay.
-Greg
I think this is from the Lizard Squad attempted (and miserably failed) sybil attack. The directory authorities will need to remove the ASN from the blacklist.
T
On 20/08/2015 06:00, Greg wrote:
> Hi, I tried to spin up a relay on GCE a few days ago, and I found that it was outright rejected with a message like "Authdir is rejecting routers in this range". I don't have the IP handy now, but I could easily get another ephemeral IP. I thought I came across a thread saying that there was an attack on the tor network originating from GCE, and that's why it got blacklisted. I'm not finding that thread now. But is GCE going to be removed from the blacklist? I realize it's not a very economical place to run a relay.
> -Greg
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Wed, Aug 19, 2015 at 10:46 PM, Thomas White <thomaswhite@riseup.net> wrote:
> I think this is from the Lizard Squad attempted (and miserably failed) sybil attack. The directory authorities will need to remove the ASN from the blacklist.
If that's the case, then that was a year ago. Hopefully directory authorities would be okay with removing the ban. Is there a process for requesting that?
Thanks, Greg
> T
> On 20/08/2015 06:00, Greg wrote:
>> Hi, I tried to spin up a relay on GCE a few days ago, and I found that it was outright rejected with a message like "Authdir is rejecting routers in this range". I don't have the IP handy now, but I could easily get another ephemeral IP. I thought I came across a thread saying that there was an attack on the tor network originating from GCE, and that's why it got blacklisted. I'm not finding that thread now. But is GCE going to be removed from the blacklist? I realize it's not a very economical place to run a relay.
>> -Greg
Hi Greg,
I have forwarded the request to the relevant people. Please stand by to get an update about it as soon as possible.
On 8/20/2015 5:17 PM, Greg wrote:
> On Wed, Aug 19, 2015 at 10:46 PM, Thomas White <thomaswhite@riseup.net> wrote:
>> I think this is from the Lizard Squad attempted (and miserably failed) sybil attack. The directory authorities will need to remove the ASN from the blacklist.
> If that's the case, then that was a year ago. Hopefully directory authorities would be okay with removing the ban. Is there a process for requesting that?
> Thanks, Greg
>> T
>> On 20/08/2015 06:00, Greg wrote:
>>> Hi, I tried to spin up a relay on GCE a few days ago, and I found that it was outright rejected with a message like "Authdir is rejecting routers in this range". I don't have the IP handy now, but I could easily get another ephemeral IP. I thought I came across a thread saying that there was an attack on the tor network originating from GCE, and that's why it got blacklisted. I'm not finding that thread now. But is GCE going to be removed from the blacklist? I realize it's not a very economical place to run a relay.
>>> -Greg
On Wed, Aug 19, 2015 at 10:00:54PM -0700, Greg wrote:
> I tried to spin up a relay on GCE a few days ago, and I found that it was outright rejected with a message like "Authdir is rejecting routers in this range". I don't have the IP handy now, but I could easily get another ephemeral IP. I thought I came across a thread saying that there was an attack on the tor network originating from GCE, and that's why it got blacklisted. I'm not finding that thread now. But is GCE going to be removed from the blacklist? I realize it's not a very economical place to run a relay.
I wonder if we wouldn't be better off with GCE remaining blocked. Cloud platforms seem quite popular among attackers -- presumably because they can quickly give you a large number of disposable machines. Naturally, there will also be benign relays running on cloud platforms. We might have to do some number crunching to ponder if the benefit of having these benign relays outweighs the potential harm of attackers being able to use GCE et al.
Second, and perhaps less obvious, Google is already in a privileged position as many exit relays use Google's public DNS server as resolver. If GCE machines end up being guard relays, Google might be able to correlate some DNS requests of the Tor clients that end up selecting GCE guards.
Cheers, Philipp
On Fri, Aug 21, 2015 at 1:40 PM, Philipp Winter <phw@nymity.ch> wrote:
> I wonder if we wouldn't be better off with GCE remaining blocked. Cloud platforms seem quite popular among attackers -- presumably because they can quickly give you a large number of disposable machines.
> Second, and perhaps less obvious, Google is already in a privileged position as many exit relays use Google's public DNS server as resolver. If GCE machines end up being guard relays, Google might be able to correlate some DNS requests of the Tor clients that end up selecting GCE guards.
Similar thoughts. Feeds into the idea about some meta metrics on relays users might select from... WOT, location, etc. Maybe they even want the cloud due to having really good pipes.
There are certainly plenty of non-mega-cloud VPS/dedi's to choose from out there, even in people's local cities. Just look around, form a relationship, not a billing statement.
Thanks for the responses, s7r, Philipp, grarpamp. I can see the benefit of keeping the biggest cloud providers on the blacklist. But if that's considered to be the best practice for Tor, are Amazon and Microsoft blacklisted as well?
I am actually looking into a VPS from the "good/bad ISP" list, so I will probably go with one of those. I thought I'd just try out a remote relay on GCE to start with.
-Greg
On Fri, Aug 21, 2015 at 11:26 AM, grarpamp <grarpamp@gmail.com> wrote:
> On Fri, Aug 21, 2015 at 1:40 PM, Philipp Winter <phw@nymity.ch> wrote:
>> I wonder if we wouldn't be better off with GCE remaining blocked. Cloud platforms seem quite popular among attackers -- presumably because they can quickly give you a large number of disposable machines.
>> Second, and perhaps less obvious, Google is already in a privileged position as many exit relays use Google's public DNS server as resolver. If GCE machines end up being guard relays, Google might be able to correlate some DNS requests of the Tor clients that end up selecting GCE guards.
> Similar thoughts. Feeds into the idea about some meta metrics on relays users might select from... WOT, location, etc. Maybe they even want the cloud due to having really good pipes.
> There are certainly plenty of non-mega-cloud VPS/dedi's to choose from out there, even in people's local cities. Just look around, form a relationship, not a billing statement.