[tor-relays] About running an Exit node

krishna e bera keb at cyblings.on.ca
Thu May 8 01:48:05 UTC 2014


On 14-05-07 10:37 AM, Tom Ritter wrote:
> On 7 May 2014 10:09, Pika ohc <pikaonthefly at outlook.com> wrote:
>>    Thanks for your kind reply. According to [1], I am still wondering if
>> it is possible to make the minimum route path length 1 (the default is
>> 3) and set ExitNodes to my server as the default exit node in the
>> clients' torrc. Moreover, if the setting I mentioned is possible, the client
>> can send all the traffic directly to my server and ask my server (exit node)
>> to relay it to the destination, where the scenario may be the same as that
>> described in [1]. Sorry for asking the question again after your answer. And
>> looking forward to the answers. :)
> 
> An exit node checks the prior node in the path, and if it is not part
> of the Tor Network, will not allow a single-hop path to be built
> through it*.  This setting can be disabled on the ExitNode (that is,
> you can explicitly allow that behavior) by setting
> ExcludeSingleHopRelays.
> (https://www.torproject.org/docs/tor-manual.html.en#ExcludeSingleHopRelays)

The above option is for Tor clients to say what they will use.
I think the option relevant to a relay operator would be
AllowSingleHopExits 0

You may also want to set
RefuseUnknownExits 1
to get some level of assurance from Tor authorities that the nodes using
your exit are legit.


> I suspect that someone could trick the Exit Node by running a tor
> relay and building a SingleHop circuit through your exit node from the
> same machine running the relay - but generally speaking this is not
> something you should worry about, as it affects everyone equally.

There are historical examples of Tor clients and scripts (e.g. SOAT)
that try to build single hop circuits to test various conditions on the
network.  You can also do it manually with the ARM Tor controller.  The
AllowSingleHopExits 0 setting would make these harder, as the client
would have to emulate a relay well enough to fool whatever check that
option runs.

However, nothing prevents someone from operating an entry guard and a
middle node on two separate machines, and then having a client on
another computer create a circuit through them to your exit node. You
would not be able to tell that it was all from the same source. Use of
the MyFamily option is optional ;)
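The relay-side options named above, collected into one torrc fragment as an added example (this is not from the thread or from the Tor project's documentation). The nickname, ports, exit policy and the two MyFamily fingerprints are placeholders; AllowSingleHopExits and RefuseUnknownExits are the real option names as of the Tor releases current when this message was written, and ExcludeSingleHopRelays from Tom's reply is deliberately absent because it is a client-side option with no effect in a relay's torrc. Later Tor releases removed the single-hop options entirely and refuse single-hop exits unconditionally, so check the manual for the version you run before relying on these lines.

```torrc
## Exit relay torrc fragment (added example; names, ports and fingerprints are placeholders)

Nickname        ExampleExit
ORPort          9001
ContactInfo     operator at example dot org
ExitPolicy      accept *:80, accept *:443, reject *:*

# Refuse exit streams on circuits whose previous hop is not a Tor relay,
# i.e. do not let a bare client build a one-hop circuit that exits through
# this node. This is the relay-side counterpart of the client-only option
# ExcludeSingleHopRelays.
AllowSingleHopExits 0

# Refuse exit attempts from a previous hop that does not appear in the
# directory authorities' consensus, so an unlisted machine cannot pose as
# a middle relay in front of this exit.
RefuseUnknownExits 1

# Declare other relays run by the same operator so clients never put two of
# them in one circuit. Placeholder values: replace with the 40-hex-digit
# fingerprints of your own relays (see each relay's fingerprint file).
MyFamily $0000000000000000000000000000000000000001, $0000000000000000000000000000000000000002
```

After editing, run `tor --verify-config -f /path/to/torrc` before reloading; an option that your Tor version no longer recognises is reported there rather than silently ignored. As the message points out, these settings only raise the bar: an operator who runs their own guard and middle relays on separate machines and omits MyFamily still looks like an ordinary three-hop client to your exit.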



