tor-relays September 2013

tor-relays@lists.torproject.org

95 participants
83 discussions

Reimbursement of Exit Operators
by Moritz Bartl 18 Sep '13

18 Sep '13

Hi, tl;dr: We want to start reimbursing exit operators end of this month. Partner orgs, please sign the contract! Everyone else, consider becoming a partner. --- In July last year, Roger announced that BBG was interested in funding fast exits. [1] The initial discussion on the mailing list continued into August. If you're interested, you should consult the archive for the various points raised. Since then, we've been discussing that topic on and off. It matched with my plans to turn torservers.net into a platform for many organizations, instead of just one single entity that runs too many exit relays, so I agreed to take the lead. I posted a status report of some sort on this list in April this year. [2] The Wau Holland Foundation agreed to be one of the organizations willing to handle the money and pass it on to other entities, be it single operators or organizations. Both Torproject and Wau Holland Foundation checked with their lawyers to see if this turns into a problem about liability, and it looks like it does not. We're open for more organizations to join in to manage the reimbursement process, but this is what we've got for now. In parallel, we've seen a growing number of organizations that were created to turn donations into exit bandwidth. [3] Two issues with reimbursements, that were also mentioned in Roger's initial posting, are that (1) you don't want to drive away all the volunteers, and (2) you don't want to become dependent on (a single or a handful of) sponsors. These are difficult issues, and I want to strongly encourage everyone to keep contributing to the network. We really need you, and we need more of you! The second issue, dependence on funders, is on the one hand a harder one, but on the other hand (in my opinion) a less relevant one. If structures die and nodes have to be shut down because a funder backs off, so be it. We hopefully don't change the picture too much in comparison to the "unfunded times of today". The reimbursement process does not guarantee a money stream, and the amounts are set on a month-to-month basis, to encourage recipients to plan only short-term, and only make contracts based on the money they have, disregarding what they may or may not receive in the future. The current "bucket" is the one-time BBG money, and it currently does not look like they will restock it. It might sound scary, but to satisfy the tax authorities (and to show that it is a [hopefully] fair and transparent process), the Wau Holland Foundation needs to have partners sign a contract. The contract does not limit the partners abilities or restrict what they do, it only defines the reimbursement process. The way we want to start doing it now is not set in stone, and hopefully now that we finally start handing out money it will encourage further discussion around it. We want to refine the process over time, but it looks like we just have to try with what we have now and learn from our mistakes. Please don't be too hard with your criticism or you will emotionally hurt me. I'm all ears. :-) We want to reimburse based on the throughput per exit relay and organization. To strengthen network diversity, we came up with the plan to also factor in the location of the relays. There is a maximum amount any entity can receive so we hopefully don't grow big monsters. The contract [4] specifies that there is a monthly amount, currently set to $3500, split amongst all recipients (whom I started calling "torservers partners"). The recipient share is calculated from the throughput per relay * country factor, and the maximum amount per month per partner is 500 Euro. The Wau Holland Foundation can currently only reimburse via wire transfer. The country factors can change over time, and are currently derived from the total exit probability of that country. We can and should refine this. Changes of these factors do not require new contracts. Note that since the total amount of $3500 will be handed out every month, as long as we have less than 6 entities signing the contract, each entity will receive their maximum share of 500 Euro. I don't really like the idea of a fixed monthly total handed out like that, but that's what the lawyers and tax authorities signed off for Wau Holland Foundation. It seems to be costly to re-evaluate such contracts, so this is what we will stick to for now via WHF. Technically, the monthly shares and the country factors are calculated using a tool written by Lunar^^ (big thanks!). [5] You can find an example report at [6] (not the correct numbers, but you'll get the idea). This monthly report will be sent to all partners, and once they signed the contract they will simply get their monthly share. As stated at the top, we want to start reimbursing this month. Please let me know if you have any questions. We have a mailing list that is public and read-only where we send important announcements, and require every participant to be on and actually read. We have another mailing list that is also read-only for the public, but people of the participating organizations can post and discuss everything around Torservers.net and reimbursements. [7] The process to become a "partner" for now requires that I "know you". So, if you're interested in becoming a partner, start social interaction with me. I see that as a bad bottleneck, and I hope we can somehow get rid of it in the future. I generally prefer "organizations" over single persons, because (1) in most countries it seems to be really inexpensive and easy to set up organizations and (2) the process of setting up such entities includes that you gather enough people around you, so chances are you will continue even if one of you drops out. If you want to discuss, I prefer the tor-relays mailing list and our IRC channel, #torservers on irc.oftc.net. I also explicitly want to invite every partner to join that channel. --Moritz [1] https://lists.torproject.org/pipermail/tor-relays/2012-July/001433.html [2] https://lists.torproject.org/pipermail/tor-relays/2013-April/001996.html [3] http://www.torservers.net/partners.html [4] [fill out + send back via pgp-encrypted and signed mail to me] plain: https://www.torservers.net/misc/2013-07-19_TorExit_en.txt fancy: https://www.torservers.net/misc/2013-07-19_TorExit_en.ott german: https://www.torservers.net/misc/2013-07-19_TorExit_de.ott [5] git clone https://people.torproject.org/~lunar/exit-funding.git [6] https://www.torservers.net/misc/reimburse-output-2013-07.txt (set encoding to Unicode) [7] https://lists.torproject.org/pipermail/tor-relays/2013-May/002138.html

6 6

Traffic shaping on exit nodes (appeasing automated network monitoring systems)
by Philip Paeps 17 Sep '13

17 Sep '13

I had a less-than-amusing conversation with my ISP this week about how my Tor exit node was performing "network scans". As far as I can tell, their definition of "network scan" comprises anything from "knocking on the same port on every machine in a /8" to "creating lots of legitimate connections to the same port in a /8". Obviously, their network monitoring system is too trigger-happy, but there is nothing I can do about that. Do other relay operators have traffic-shaping solutions that make legitimate (and not-so-legitimate) Tor traffic look less like network abuse? I've reconfigured my exit to be a non-exit for the time being. I'm more than happy to be an exit (and field genuine abuse complaints), but I'd prefer not to trigger automated network abuse monitoring systems (too often). Any tips? My node is running FreeBSD with ipfw and dummynet, if someone happens to have ready to copy/paste settings. ;-) Philip -- Philip Paeps Senior Reality Engineer Ministry of Information

1 0

Creating circuits to myself?
by Niles Rogoff 16 Sep '13

16 Sep '13

I was using arm when I noticed this line: 173.79.154.243 --> 173.79.154.243 (us) Purpose: Ags=is_internal,need_capacity, Circuit ID: 5 4.0m (CIRCUIT) That's my IP, and it showed the exit node as the same as my node. There are currently three circuits both originating *and* exiting at my node. I am using Tor 0.2.3.25 (recommended) on Windows 7. My fingerprint is 1E598CDB9BBC751D753146D880B326952886D73B

2 2

tor bridge
by 封添 15 Sep '13

15 Sep '13

i'm tian.please give me list of tor bridge .

2 1

Appropriate bandwidth limits for my home relay
by Nick 15 Sep '13

15 Sep '13

Hi all, After running my relay for a bit on my home connection I found that Tor would happily consume all the bandwidth available, which (coupled with the number of connections overwhelming my home router, I suspect) caused my internet connection to be unusable for other things. So I set the RelayBandwidthRate and RelayBandwidthBurst values to 20 KBytes, as 20KBytes/s is a reasonable amount of bandwidth I can spare (total upload bandwidth on the connection is around 50KBytes/s). However now atlas.torproject.org shows an average of only around 0.5 - 1.5 Kbytes/s usage, and says the advertised bandwidth is 10 Kbytes/s. Should I increase the RelayBandwidthRate value to more than I can comfortably provide, on the basis that it isn't likely to all be used? Or should I just relax and let the network use my relay as little as it likes? Sometime quite soon my home internet connection will get much faster; I'm aware the relay is of questionable value at present bandwidth levels, but they should increase in not too long. Thanks, Nick

2 2

Relay
by Jonathan W 15 Sep '13

15 Sep '13

I am about to run a relay, but I don't want it using more than 1000GB a month. I prefer to manage this using the *BandwidthRate** *but I don't know the math* *to constrain it over a 1000GB a month. * * I also want to relay the directory. Is there a way to also use vidalia to interface? I'll be relaying on a linux (ubuntu) server remotly, and I'm using a windows system to set it all up. I'll be using SSH to shell in, but I'd love to use vidalia. Thanks, Jon

4 7

How to add the MyFamily line.
by Ignoramus Americanus 14 Sep '13

14 Sep '13

Would someone spell out how to include the MyFamily comment in the torrc file, please? What is needed more? Exits, bridges, non-exit relays or hidden bridges? -- Ignoramus Americanus ignoramus(a)operamail.com -- http://www.fastmail.fm - Or how I learned to stop worrying and love email again

4 4

Re: [tor-relays] tor-relays Digest, Vol 32, Issue 29
by rotpoison throngnet 14 Sep '13

14 Sep '13

Hey guys - I have been tracking the clickfraud botnet that is hitting exposed Privoxy service on Tor exit nodes since early this year. I call it Rotpoi$on, and recently I have been working with at least one of the security teams for the advertisement networks being leveraged for the clickfraud, as my time allows. You can read more about some collective findings on Rotpoi$on here: https://b.kentbackman.com/tag/rotpoion FYI, LUDICROUS2U is my Tor exit node. I started purposely running Tinyproxy on port 8118, configured such that it will forward directly to the advertiser networks with a specific markup indicating fraud as well as the original client IP in the X-header. Now, if every exit relay operator that has a Tor-injecting Privoxy service open instead replaced it with a similar "tainted" proxy on port 8118, it might quickly reduce the attractiveness of exit relays for "fraud service" by the Rotpoi$on throngnet. Recently I changed my exit relay IP address and for a week now Rotpoi$on hasn't hit. I have changed my IP address at least a dozen times over the last year. The time that it takes for my exit relay to again be hit on port 8118 (at times additionally 3128--Squid port) has varied considerably. This makes me think that the perpetrators are more or less manually adding the list of exit relays into their click fraud operation (script?). For a while I was under the presumption that the massive uptick of Tor clients as recently announced by the Tor Project was sign that the Rotpoi$on perpetrators were starting to inject their fraudulent clicks into Tor the "legitimate" way, meaning with a Tor client. This corresponded with a reduction in port 8118 hits to my exit relay. But alas, communication with one of the advertisement network security reps does not suggest a massive corresponding increase in click fraud originating from Tor exit relays in general. So I am at a loss how to explain exactly what is going on, other than the fact that the perpetrators are still paying for a lot of leased Windows servers whose actual effectiveness at generating a significant clickfraud revenue streams seems limited and even silly, according to some other researcher's comments. On Sat, Sep 14, 2013 at 2:00 AM, <tor-relays-request(a)lists.torproject.org>wrote: > Send tor-relays mailing list submissions to > tor-relays(a)lists.torproject.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > or, via email, send a message with subject or body 'help' to > tor-relays-request(a)lists.torproject.org > > You can reach the person managing the list at > tor-relays-owner(a)lists.torproject.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of tor-relays digest..." > > > Today's Topics: > > 1. Tor 0.2.4.17-rc on arch armv6 (Lukas Erlacher) > 2. Re: Sent open privoxy port warning (Luther Blissett) > 3. Re: Sent open privoxy port warning (Luther Blissett) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 13 Sep 2013 15:13:18 +0200 > From: Lukas Erlacher <l.erlacher(a)gmail.com> > To: tor-relays(a)lists.torproject.org > Subject: [tor-relays] Tor 0.2.4.17-rc on arch armv6 > Message-ID: > <CAJWOhv-pxwHnqy6-bLojr66cGWg=0ee=HhO_WuNb9N= > PAw5mtw(a)mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Hello to everyone with arm hardware and arch linux, > > I just set up Tor 0.2.4.17-rc on a raspberry pi and I want to share > what I did just to create a piece of documentation that might be > helpful for others. > I got tor-git from the AUR[1], modified it to fetch 0.2.4.17-release > instead of master, and built it according to the aur[2] and > pkgbuild[3] instructions. > > Here is what I did: > > 1) Backup torrc, fingerprint, and private key of my tor node > 2) Read up on AUR and PKGBUILD > 3) pacman -R tor tor-socks > 4) pacman -s base-devel > 5) Download and extract the AUR > 6) Carefully inspect the AUR package, especially PKGBUILD and tor.install > 7) Modify the PKGBUILD file with _branch=release-0.2.4 and > pkgver=0.2.4.17.rc.0 > 8) makepkg -s > 9) pacman -U tor-git-0.2.4.17.rc.0-1-armv6h.pkg.tar.xz > 10) mv /etc/tor/torrc /etc/tor/torrc.tor-git.sample > 11) mv /etc/tor/torrc.pacsave /etc/tor/torrc > 12) systemctl tor start > > That's it. Run "tor --version" and it should tell you that it's a git > build of 0.2.4.17-rc. > > You will have to rebuild the package for every update you want to get! > > As per The Arch Way, Please familiarize yourself with pacman, the AUR, > and PKGBUILD before attempting this! > > Absolutely no warranties given. The AUR can seriously damage your system! > > Best Regards, > Luke > > [1] https://aur.archlinux.org/packages/tor-git/ > [2] https://wiki.archlinux.org/index.php/AUR > [3] https://wiki.archlinux.org/index.php/PKGBUILD > > > ------------------------------ > > Message: 2 > Date: Fri, 13 Sep 2013 12:52:35 -0300 > From: Luther Blissett <lblissett(a)paranoici.org> > To: tor-relays(a)lists.torproject.org > Subject: Re: [tor-relays] Sent open privoxy port warning > Message-ID: <1379087555.555.10.camel@tagesuhu-pc> > Content-Type: text/plain; charset="utf-8" > > On Wed, 2013-09-11 at 12:35 -0700, Aaron Hopkins wrote: > > I sent the following warning to the listed e-mail address of 14 of the 19 > > Tor nodes I found that accepted connections on port 8118, some of which > > bounced. > > > > If any of you run or know how to get in touch with the operators of the > > nodes DaJoker, FawkesSwissBlade, LUDICROUS2U, RaspberryPI, pangu, > > mouseHouse, tornonym, or 75.137.122.118, I'd appreciate if you could pass > > this along. > > > > Thanks! > > > > -- Aaron > > > > --- > > > > I noticed your Tor node _ with an IP of _ is one of 19 nodes that accepts > > connections publicly on TCP port 8118, which is the default port for > > Privoxy. I suspect this might be a configuration mistake. > > > > I'm investigating this because my tor node "tordienet" has received > millions > > of HTTP proxy requests to port 8118 per day for months. The requests > appear > > to come from a botnet running on roughly 1500 IPs, and seem to be > > advertising click-fraud related. From the discussion in July on the > > tor-relays(a)lists.torproject.org mailing list (archive at > > https://lists.torproject.org/pipermail/tor-relays/), this appears to be > true > > of many nodes. > > > > Port 8118 is the default port for Privoxy, which comes bundled with Tor > but > > is meant to provide an HTTP proxy for you and your local users to browse > > through and is not designed to be offered as a public service. If you > don't > > use Privoxy, would you mind shutting it down? Or if you do, can you > move it > > to a different port and/or only allow your own IPs to connect to it? > > > > I'd be happy to provide more information or help you with the > configuration > > changes if I can. > > _______________________________________________ > > tor-relays mailing list > > tor-relays(a)lists.torproject.org > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > > Hello Aron, > > Sometime ago I noticed similar behavior from a series of IP numbers > which mostly were inside limestonenetworks IP range and searched for > polipo (port 8123). I sent an email alert to its admins, but received no > answer whatsoever. I also sent to this malling list and some others, but > since my mail wasn't registered I think it bounced. I'm copying it > bellow. In case this is of any help. > > Also, wouldn't this be the case for a "routine security alert" on tor > blogs? > > ************************** > > Hello dear companions, > > Two days ago one of my tor exit nodes experienced something I'm now > calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all > packets in the storm were flowing from a range of 514 different IP > addresses, all of them inside limestonenetworks IP range and targeting > port 8123 on my tor exit node WAN IP. > > Before the packet storm, I could observe a huge increase on attempts to > access my WAN domain through tor. I couldn't relate IP addresses from > this first raise to those responsible for the actual packet storm nor > could I identify some useful pattern there, but they were all coming > from port 9001 and increased just some hours before the storm, so I'm > guessing they are related somehow. > > Also, throughout the storm, one of my log files got corrupted with some > unreadable bin garbage. I do not know if it was intended/targeted > exploit, but I'm reworking secrets and trying to figure out what is this > binary. > > Here is a sample line of a WAN attempt: > > Aug 13 16:50:22 $USER user.warn kernel: [DROP INVALID WAN] : IN=vlan2 > OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx > SRC=77.56.151.190 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 > ID=38787 DF PROTO=TCP SPT=40888 DPT=9001 SEQ=289854459 ACK=41163 > > Here is a sample line of packet storm: > > Aug 13 20:39:14 $USER user.warn kernel: [hammer] : IN=vlan2 OUT= > MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx > SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48 > ID=20269 DF PROTO=TCP SPT=1757 DPT=8123 WINDOW=65535 RES=0x00 SYN URGP=0 > OP > > The attack persisted for at least three hours and left this binary (hex > represented): > > 0000000 0000 0000 0000 0000 0000 0000 0000 0000 > * > 0000b90 0000 0000 0000 0000 0000 0000 2067 3331 > 0000ba0 3220 3a30 3135 303a 2034 6174 6567 7573 > 0000bb0 7568 7520 6573 2e72 6177 6e72 6b20 7265 > 0000bc0 656e 3a6c 5b20 6168 6d6d 7265 205d 203a > 0000bd0 4e49 763d 616c 326e 4f20 5455 203d 414d > 0000be0 3d43 3030 323a 3a31 3732 663a 3a61 6464 > 0000bf0 343a 3a34 3030 313a 3a35 3966 323a 3a61 > 0000c00 6639 643a 3a39 3830 303a 3a30 3534 303a > 0000c10 3a30 3030 333a 2034 5253 3d43 3132 2e36 > 0000c20 3432 2e35 3232 2e31 3031 2037 5344 3d54 > 0000c30 3831 2e39 3833 322e 3533 322e 3035 4c20 > 0000c40 4e45 353d 2032 4f54 3d53 7830 3030 5020 > 0000c50 4552 3d43 7830 3030 5420 4c54 343d 2038 > 0000c60 4449 313d 3335 3431 4420 2046 5250 544f > 0000c70 3d4f 4354 2050 5053 3d54 3932 3635 4420 > 0000c80 5450 383d 3231 2033 4957 444e 574f 363d > 0000c90 3535 3533 5220 5345 303d 3078 2030 5953 > 0000ca0 204e 5255 5047 303d 000a > 0000ca9 > > Attached is the list of participating IP addresses, line by line, with > the count of packets received. The attacker started sending something > like 4 packets per second and increased to over than 9000!!! - just > kidding, over 30 per second. > > JSYK, I welcome any comments. >

1 0

Sent open privoxy port warning
by Aaron Hopkins 13 Sep '13

13 Sep '13

I sent the following warning to the listed e-mail address of 14 of the 19 Tor nodes I found that accepted connections on port 8118, some of which bounced. If any of you run or know how to get in touch with the operators of the nodes DaJoker, FawkesSwissBlade, LUDICROUS2U, RaspberryPI, pangu, mouseHouse, tornonym, or 75.137.122.118, I'd appreciate if you could pass this along. Thanks! -- Aaron --- I noticed your Tor node _ with an IP of _ is one of 19 nodes that accepts connections publicly on TCP port 8118, which is the default port for Privoxy. I suspect this might be a configuration mistake. I'm investigating this because my tor node "tordienet" has received millions of HTTP proxy requests to port 8118 per day for months. The requests appear to come from a botnet running on roughly 1500 IPs, and seem to be advertising click-fraud related. From the discussion in July on the tor-relays(a)lists.torproject.org mailing list (archive at https://lists.torproject.org/pipermail/tor-relays/), this appears to be true of many nodes. Port 8118 is the default port for Privoxy, which comes bundled with Tor but is meant to provide an HTTP proxy for you and your local users to browse through and is not designed to be offered as a public service. If you don't use Privoxy, would you mind shutting it down? Or if you do, can you move it to a different port and/or only allow your own IPs to connect to it? I'd be happy to provide more information or help you with the configuration changes if I can.

2 2

Tor 0.2.4.17-rc on arch armv6
by Lukas Erlacher 13 Sep '13

13 Sep '13

Hello to everyone with arm hardware and arch linux, I just set up Tor 0.2.4.17-rc on a raspberry pi and I want to share what I did just to create a piece of documentation that might be helpful for others. I got tor-git from the AUR[1], modified it to fetch 0.2.4.17-release instead of master, and built it according to the aur[2] and pkgbuild[3] instructions. Here is what I did: 1) Backup torrc, fingerprint, and private key of my tor node 2) Read up on AUR and PKGBUILD 3) pacman -R tor tor-socks 4) pacman -s base-devel 5) Download and extract the AUR 6) Carefully inspect the AUR package, especially PKGBUILD and tor.install 7) Modify the PKGBUILD file with _branch=release-0.2.4 and pkgver=0.2.4.17.rc.0 8) makepkg -s 9) pacman -U tor-git-0.2.4.17.rc.0-1-armv6h.pkg.tar.xz 10) mv /etc/tor/torrc /etc/tor/torrc.tor-git.sample 11) mv /etc/tor/torrc.pacsave /etc/tor/torrc 12) systemctl tor start That's it. Run "tor --version" and it should tell you that it's a git build of 0.2.4.17-rc. You will have to rebuild the package for every update you want to get! As per The Arch Way, Please familiarize yourself with pacman, the AUR, and PKGBUILD before attempting this! Absolutely no warranties given. The AUR can seriously damage your system! Best Regards, Luke [1] https://aur.archlinux.org/packages/tor-git/ [2] https://wiki.archlinux.org/index.php/AUR [3] https://wiki.archlinux.org/index.php/PKGBUILD

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-relays September 2013