[tor-relays] Questions to ask exit node providers

s7r s7r at sky-ip.org
Sun Nov 18 00:11:27 UTC 2018


F67 Group wrote:
> We are thinking of running a Tor Exit Node. Does anybody have a list
> of questions to ask before purchasing a VPS or colocation? I came up
> with some basic questions:
> 
> - Do you allow a Tor exit node? [with explanation]

Yes, I allow Tor exit nodes. I have been doing this for the last 5 years
with no pause, except where I was kicked off from datacenters because
of too many abuse complaints. I only worked with datacenters where I
had explained in advance what I am doing; they said it's OK but after
some time they couldn't take it any more.

I used virtual servers at the start, then dedicated servers so the
hosters wouldn't complain about the shared resources usage policy (but this
still didn't make the abuse complaints go away).

So I woke up one day really mad at these hosters and purchased one /24
of provider independent IPv4 addresses (from someone who wanted to
sell them) and a /48 IPv6 (from my RIR) and an AS number (from my RIR)
and contracted 2 upstream providers with BGP, 1 gbps links.

This means that now the abuse complaints are sent directly to my
company, as I have provider independent resources. There is no other ISP
involved; the upstream ISPs I have a contract with just rented me the
fiber optic cable + BGP sessions + bandwidth, but they don't see any
abuse complaints at all. All come to me. Note that these are provider
independent addresses. There are also provider aggregate addresses which
are about 6-7 times cheaper at allocation, that appear under your usage
when someone runs whois over them; you are allowed to set an abuse
mailbox but that is ignored in most cases, because, at least at
RIPE, the abuse-c field is of the ORG field that OWNS the IP space,
which is not you if the resources are provider aggregate - I had such a
setup for some 2 years and the owner took them back finally.

> - What are the policies for handling abuse complaints?

I allow all ports except 25, so I get so much bittorrent alert spam from
IP Echelon Compliance that I am thinking of suing them for consuming my
mail server's bandwidth.

I look over all abuse complaints I receive as quickly as possible and as
carefully as possible. I do not reply to spam, or automated emails that are
not sent by humans and do not include a valid reply-to email address,
like the ones sent from no-reply@, blackhole@, root@ and whatever
(fail2ban, automated firewall scripts, other kinds of protections that
simply count unsuccessful authentications, etc).

I do reply to every single abuse complaint sent by a human, or one which
clearly requires something to be communicated back (not "ALERT: there is
a virus in your network" or "to whomever it may concern" kind of emails).
All the emails that were sent by humans (or even law enforcement people)
to which I replied and explained what Tor is, how it works and why I
cannot technically help them (not that I don't want to): they clearly
understood, thanked me for the reply and I never heard back from them
again. I have even convinced one concerned person who had his email
account abusively accessed via a Tor exit to run an exit himself; he was
thrilled with the idea and he actually runs one (helped with
instructions on how to set it up, etc).

These are very rare. 99% of abuse complaints received do not require a
reply and are simply spam or notifications/alerts/whatever. They still
consume a small amount of my time to look over them and mark them as such, making
sure no reply is required for each individual email received. I have
trained my assistant at the office to do this as I have less and less
free time and she seems to be handling it quite well ;)


> - How much uplink bandwidth do you provide?

I do not throttle the bandwidth via torrc config or the upstream router;
instead the CPU is the bottleneck in my config. I am using an older box
with a CPU that has the AES-NI instruction set but pushes like 350 mbps in
and 350 mbps out (full duplex) constantly with its usage at 99% - 100%.
On one core... other cores are not used. I am using NumCPUs 6 in my
torrc but it only rotates the used core, so I am having 100% on core 1,
then 100% on core 3, then 100% on core 6, but not all the time 20% on all
cores as it should for example. This is another topic, another problem.

So around 350 mbps download, 350 mbps upload, on average all the time
(unmetered traffic).

> 
> Any other questions one should ask?
> 

In addition to what niftybunny said, with the current code architecture we
have in core Tor, it's kind of a waste of resources to have a box with
hexa core CPUs or high grade server CPUs with many CPU cores that are
better used for making virtual machines on them. Tor would make better
use of a single core CPU with a higher frequency and AES-NI.

So if you can overclock a single core CPU to over 4 GHz and it has AES-NI,
it's better and can push more bandwidth than my 3 GHz hexa core.

RAM requirements are more normal, and easier to find in any server
setup. I have 16 GB of RAM for example, and the bottleneck is my CPU.


Thanks for your interest in running exits. I assure you it will make you
addicted, it's quite fun and nice. What I recommend:
- don't go with VPS or shared resources, go for colocation or dedicated;
- try to not choose a datacenter that is full of Tor exits, or an AS
number that has so much exit consensus weight;
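The triage rule described in the reply above (file automated mail from no-reply style senders and tools such as fail2ban without answering; answer humans who provide a usable reply address), as an added Python example that is not part of the original post. The marker headers, the list of automated sender names and the four sample messages are constructed assumptions for illustration:

```python
"""Abuse-complaint triage for an exit operator's abuse mailbox.

Added example, not code from the original post. It mechanises the rule of
thumb s7r describes: mail from no-reply style senders or automated tools
(fail2ban and similar) is filed without a reply, while mail from a human
with a usable reply address is queued for a manual, explanatory reply.
The header checks and all sample messages are constructed for illustration.
"""
import email
from dataclasses import dataclass
from email import policy
from email.utils import parseaddr

# Local parts the post names as typical automated senders, plus common variants (assumption).
AUTOMATED_LOCALPARTS = {
    "no-reply", "noreply", "do-not-reply", "donotreply", "blackhole", "root",
}

# Headers mail systems put on machine-generated mail (Auto-Submitted is RFC 3834;
# Precedence: bulk/junk is long-standing practice). Each predicate says whether
# the header value marks the message as automated.
AUTOMATED_HEADER_MARKERS = {
    "auto-submitted": lambda v: v.strip().lower() != "no",
    "precedence": lambda v: v.strip().lower() in {"bulk", "junk", "auto_reply"},
}


@dataclass
class Triage:
    verdict: str   # "reply" (human, answer manually) or "file" (automated, no reply)
    reason: str
    reply_to: str  # address a reply would go to; "" when none is usable


def usable_address(addr: str) -> bool:
    """True if addr parses to user@domain and the user part is not a no-reply style name."""
    _, address = parseaddr(addr)
    local, at, domain = address.partition("@")
    return at == "@" and "." in domain and local.lower() not in AUTOMATED_LOCALPARTS


def triage(raw: bytes) -> Triage:
    """Classify one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for header, is_automated in AUTOMATED_HEADER_MARKERS.items():
        value = msg.get(header)
        if value is not None and is_automated(str(value)):
            return Triage("file", f"automated marker header: {header}", "")
    # Reply-To wins over From: a noreply@ sender with a human Reply-To still gets an answer.
    candidate = str(msg.get("Reply-To") or msg.get("From") or "")
    if not usable_address(candidate):
        return Triage("file", "no usable reply address", "")
    return Triage("reply", "human sender with usable reply address", parseaddr(candidate)[1])


# Constructed sample messages (not real complaints); 192.0.2.10 is a documentation address.
SAMPLES = {
    "fail2ban": (
        b"From: root@victim-host.example\r\n"
        b"To: abuse@exit-operator.example\r\n"
        b"Auto-Submitted: auto-generated\r\n"
        b"Subject: [Fail2Ban] sshd: banned 192.0.2.10\r\n\r\n"
        b"The IP 192.0.2.10 has just been banned after 5 attempts.\r\n"
    ),
    "torrent_notice": (
        b"From: no-reply@compliance.example\r\n"
        b"To: abuse@exit-operator.example\r\n"
        b"Precedence: bulk\r\n"
        b"Subject: Notice of Claimed Infringement\r\n\r\n"
        b"ALERT: copyrighted content shared from 192.0.2.10.\r\n"
    ),
    "noreply_with_human_replyto": (
        b"From: noreply@ticketing.example\r\n"
        b"Reply-To: Ana Lopez <ana.lopez@ticketing.example>\r\n"
        b"To: abuse@exit-operator.example\r\n"
        b"Subject: Login attempts from 192.0.2.10\r\n\r\n"
        b"Could you tell me who was using this address on 2018-11-17?\r\n"
    ),
    "human": (
        b"From: Investigator <investigator@police.example>\r\n"
        b"To: abuse@exit-operator.example\r\n"
        b"Subject: Request for subscriber information\r\n\r\n"
        b"We are investigating activity from 192.0.2.10 and would like to talk.\r\n"
    ),
}


def triage_all(samples: dict) -> dict:
    """Run triage over a mapping of name -> raw message bytes."""
    return {name: triage(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        print(f"{name:28s} {result.verdict:5s} {result.reason:42s} {result.reply_to}")
```

The two "file" outcomes (marker header, no usable address) are kept separate so an operator can later review what was filed and why; the Reply-To-before-From ordering is what lets a ticketing system's noreply@ sender still reach a human.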
