Hello!

There has been some confusion among relay operators about how we deal with bad relays and who is actually making decisions and how the overall process is working. Even though we don't have a document yet to point to for answering all those questions (more on that below) we thought it could be useful to give a status update to the relay community and outline possible next steps.

One of the tasks in the network health area is to make sure bad relays are found and excluded from the network. This should happen according to transparent criteria which help relay operators to understand both expectations and processes. Ideally, a document containing those criteria would give operators some insight at how we arrived at those as well.

Unfortunately and as I said above, we are not at a point yet where we have written up that document. However, that does not mean that removing relays from the network is arbitrary currently. Rather, we have some rules of thumb and some unwritten guidelines which still seem to be worth sharing at this point to help relay operators better understand what is going on in the bad relay detection world.

A bad relay is one that either doesn't work properly or tampers with users' connections. This can be either through maliciousness or misconfiguration. We are relying on some scanners that check for common issues to find those relays and on volunteers that spot things beyond what our scanners target.

To give you some examples of issues we are concerned about:

a) Tampering with exit traffic b) Running HSDirs that harvest and probe .onion addresses c) Issues with resolving DNS queries on exit relays d) Flooding the network with relays to deanonymize users e) Running outdated Tor versions ...

Now, how do we detect maliciousness vs. misconfiguration and what do we do about both?

There is behavior that we think is clearly malicious like tampering with exit traffic or trying to harvest and probe .onion addresses. In those cases we outright reject relays. In the past we thought relays that tampered with exit traffic could still be useful as non-exit relays and they got the BadExit flag. But it turned out that a bunch of those had other, more subtle, misbehavior and thus we decided to be on the safe side and just reject those malicious relays nowadays.

For behavior that could either be malicious or the result of a misconfiguration (like missing MyFamily settings) things get messier.

Means for contacting relay operators (e.g. a meaningful ContactInfo entry) are very important in cases where misconfiguration can play a role. We usually contact operators in that case (if possible) to figure out what is going on and help them getting their configurations right. That means there is no outright force removal of relays that e.g. did not have their MyFamily configuration set up properly (we know it can be tricky). That approach is successful in a lot of cases and helps us build a relationship to operators which is worthwhile as well. However, in cases where we don't get a reaction or are getting confident that the intentions of the operator are malicious we'll reject the relay(s) to protect our users.

All those activities mentioned above are coordinated on the bad-relays list, which is private and used by members of the team to discuss cases and keep each other in the loop.

As to next steps: yes, we need to sit down finishing that document with all the criteria we are concerned with giving some rationale for each of them. Alas, there is no timeframe for getting this work done. But once we are there we'll consult tor-internal and the tor-relays list for input and make changes as needed.

I hope this helps to clear some things up. I am happy to answer questions/reply to concerns on and off-list should there be some.

Georg