[tor-relays] [OT] ExcludeNodes no longer working

Jacob Appelbaum jacob at appelbaum.net
Tue Sep 11 17:12:06 UTC 2012


Hi Scott,

It is nice to see you posting again, I had wondered where you had gone.

Scott Bennett:
>      I know this really belongs on tor-talk, but I haven't been subscribed
> to it for a long time now.  Sorry if posting this here bothers anyone.


Seems like a fine place to discuss relay problems, which is what it
sounds like, no?

>      Back in early July, I upgraded from 0.2.3.13-alpha to 0.2.3.18-rc.
> I immediately ran into problems with a python script that honors the
> http_proxy environment variable, which I normally have set to the localhost
> port for privoxy, which, in turn, connects to tor's SOCKS port.  I couldn't
> really see what was going wrong, but using arm to ask for a new identity
> seemed to help sometimes to get a circuit that worked.  Sending tor a
> SIGHUP instead also seemed to work about as often.

If you use 0.2.2.x - what happens?

>      A bit over a week ago, I switched to 0.2.3.20-rc, and the problem
> still occurs.  However, 0.2.3.20-rc now also emits a new message from time
> to time, the most recent occurrence of which is
> 
> Sep 06 06:02:45.934 [notice] Low circuit success rate 7/21 for guard TORy0=753E0B5922E34BF98F0D21CC08EA7D1ADEEE2F6B.
> 

That is an interesting message - I wonder if the author of that message
might chime in?

> Wondering whether such circuit-building failures might be related to the
> other problem, I began a little experiment:  each time I saw a "Low circuit
> success rate" message, I added the key fingerprint of the node in question
> to my ExcludeNodes list in torrc and sent tor a SIGHUP.
>      The problem is still occurring, though, and when I look at the
> circuits involved, they all seem to have at least one of the excluded
> nodes in them, usually in the entry position.  So my question is, what
> changed between 0.2.3.13-alpha and 0.2.3.18-rc (or possibly 0.2.3.20-rc)
> in the handling of nodes listed in the ExcludeNodes line in torrc?  And
> is there anything I can do to get the ExcludeNodes list to work again
> the way it used to work?
>      Thanks in advance for any relevant information.
> 

It seems that there are two issues - one is that a guard is failing to
build circuits, the other is that you can't seem to exclude them. I have
to admit, I'm more interested in the former... Is there a pattern to the
failures? That is, for the 7 successes for that node, did you see
anything interesting? Were, say, the nodes that worked somehow in the
same country as that guard? Or perhaps were the other failed circuits
all seemingly unrelated to the guard?

As far as the ExcludeNodes - did you set StrictNodes at the same time?
Are you also a relay?

All the best,
Jacob
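
[Added example, not part of either poster's message and not Tor project code: a small Python check that pulls the guards named in "Low circuit success rate" notices out of a log and reports whether each fingerprint is listed under ExcludeNodes, and whether StrictNodes is set. The second log line, its guard, and the torrc fragment are constructed sample input; only fingerprint entries in ExcludeNodes are matched.]

```python
import re

# Constructed sample input: the first line is the notice quoted in the thread,
# the second guard and the torrc fragment are hypothetical.
SAMPLE_LOG = """\
Sep 06 06:02:45.934 [notice] Low circuit success rate 7/21 for guard TORy0=753E0B5922E34BF98F0D21CC08EA7D1ADEEE2F6B.
Sep 06 07:10:01.120 [notice] Low circuit success rate 3/20 for guard ExampleGuard=0123456789ABCDEF0123456789ABCDEF01234567.
"""
SAMPLE_TORRC = """\
# constructed torrc fragment
ExcludeNodes $753E0B5922E34BF98F0D21CC08EA7D1ADEEE2F6B
StrictNodes 0
"""

NOTICE = re.compile(
    r"Low circuit success rate (\d+)/(\d+) for guard ([^=\s]+)=([0-9A-Fa-f]{40})")
FINGERPRINT = re.compile(r"[0-9A-Fa-f]{40}")

def low_success_guards(log_text):
    """Map fingerprint -> (nickname, successes, attempts), latest notice wins."""
    guards = {}
    for ok, total, nick, fp in NOTICE.findall(log_text):
        guards[fp.upper()] = (nick, int(ok), int(total))
    return guards

def parse_torrc(torrc_text):
    """Return (set of excluded fingerprints, StrictNodes as bool)."""
    excluded, strict = set(), False
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "excludenodes":
            excluded.update(fp.upper() for fp in FINGERPRINT.findall(value))
        elif key.lower() == "strictnodes":
            strict = value.strip() == "1"
    return excluded, strict

def report(log_text, torrc_text):
    """List each flagged guard with whether torrc already excludes it."""
    excluded, strict = parse_torrc(torrc_text)
    rows = [(fp, nick, ok, total, fp in excluded)
            for fp, (nick, ok, total) in low_success_guards(log_text).items()]
    return rows, strict

if __name__ == "__main__":
    rows, strict = report(SAMPLE_LOG, SAMPLE_TORRC)
    for fp, nick, ok, total, is_excluded in rows:
        print(f"{nick} {fp} {ok}/{total} excluded={is_excluded}")
    print("StrictNodes:", strict)
```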

