tor-relays April 2014

tor-relays@lists.torproject.org

106 participants
61 discussions

Relay reading more than it writes??
by Rupert Roe 26 Apr '14

26 Apr '14

Hi All, I recently started running these two relays on raspberry Pis in the UK: http://torstatus.blutmagie.de/router_detail.php?FP=515a9887a426c1dc2bb4b9b1… http://torstatus.blutmagie.de/router_detail.php?FP=e3e6a7de02caa12ac5712884… Both of my relays seem to consistently read more from the network than they write, and I can't figure out why. Are my relays dropping loads of packets? If so is that harming the speed or reliability of the network? Why are my relays doing this when other ones seem to have a perfect read / write balance?? If anyone has any ideas why this is happening or how I could troubleshoot the issue I'd be really grateful! Thanks, Rupert

1 0

Please need urgent help with the DNS resolver of a fast exit relay
by s7r＠sky-ip.org 25 Apr '14

25 Apr '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, The servers from my ISP are not stable or good enough to handle the traffic for this Tor exit router. I get this in the log very often: Apr 24 15:14:07.000 [notice] Circuit handshake stats since last time: 91633/91636 TAP, 15962/15962 NTor. Apr 24 17:40:45.000 [warn] eventdns: All nameservers have failed Apr 24 17:40:45.000 [notice] eventdns: Nameserver <ip>:53 is back up Both nameservers fail and come back after 1 second, or less. I don't know what impact will this have on the exit node. Is it any problem at all? I have decided also to setup my own DNS resolver and not use the ones from ISP, so I have installed named. What I need help is, for your someone to tell me exactly how do i have to edit named.conf in order to: 1. Enable DNSSEC, for the clients who want to use it. Not make it a requirement, just enable it and prefer it over normal DNS if and when possible. 2. Be able to resolve all TLDs as described here: https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver#DNSResolverSe… Now I can clearly understand the message from that post but there is no instruction anywhere about how to do it, those links for Alt Roots are broken. Is this a requirement? Who needs to resolve silly TLDs not supported by IANA / ICANN anyway? 3. Cache the records for as long as possible - my relay is already using a lot of traffic so I have to spare as much as I can. Please provide me with a good named.conf and description of settings so I can properly configure a good DNS resolver for my relay. Thank you in advance! -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) iQEcBAEBCAAGBQJTWTnUAAoJEIN/pSyBJlsRtN8IAJK8ndrb6IdW+PRpynTu5gzH /6ID3k3uO+EX1jKDSrSMzUlfaOZT0UIVXX/KKxqJSa4YQH4MMGcWfCYXkv+bdFC0 s3ABvAWOeklX5KxUwGWaEJJND+Zu4nstIcVTFpjKpbiFJ7mdzjlDVSCsZFXYBVoV tOY7amgAoQCxNsG0aBKUKeArRSJ03jcicD/92PkL8ro2IB6FItusp5Qywcp12Nhq mXEJdD8l/5jSS1epaaZJ6LzDFyyZsVKsxK8EkBxkYtblkk8WxUnkz4gXrP88cnMC rHb8gqLBvHqjLUn1fKtmJbxJ/J1qEa+2PyoJpzkh4hQxXSZ52TskWKSi0eR7j5E= =675a -----END PGP SIGNATURE-----

2 2

Exit node rejection of special IPv4 blocks
by Zack Weinberg 24 Apr '14

24 Apr '14

I'd like a sanity check on this list of special-purpose IPv4 blocks which I'm currently forbidding in the CMU exit node's policy. I'm most uncertain about denying access to multicast (224.0.0.0/4) and 6to4 router anycast (192.88.99.0/24) -- I *think* there are no scenarios where someone would actually need to get at either of those via Tor, but I could be wrong. # Reserved IPv4 addresses, sorted by RFC and then numerically reject 255.255.255.255/32:* # RFC 0919: "limited broadcast" reject 224.0.0.0/4:* # RFC 1112: multicast reject 240.0.0.0/4:* # RFC 1112: future addressing modes reject 0.0.0.0/8:* # RFC 1122: "This host" source address reject 127.0.0.0/8:* # RFC 1122: Loopback reject 10.0.0.0/8:* # RFC 1918: private use reject 172.16.0.0/12:* # " " " reject 192.168.0.0/16:* # " " " reject 198.18.0.0/15:* # RFC 2544: test environments reject 192.88.99.0/24:* # RFC 3068: 6to4 relay anycast (???) reject 169.254.0.0/16:* # RFC 3927: link-local reject 192.0.2.0/24:* # RFC 5737: documentation reject 198.51.100.0/24:* # " " " reject 203.0.113.0/24:* # " " " reject 100.64.0.0/10:* # RFC 6598: "shared space"/"carrier grade NAT" reject 192.0.0.0/24:* # RFC 6890: future special purposes TIA, zw

3 2

Bridges included in Tor Browser -- should they regen keys because of Heartbleed?
by David Fifield 23 Apr '14

23 Apr '14

I wondered whether operators of bridges that are included in the browser bundle should generate new identity keys after upgrading their OpenSSL. The argument for generating new keys is that old keys may have been compromised by Heartbleed. The argument against is that a new fingerprint will prevent existing browser bundle users from using the default bridges, because the fingerprint is built into the browser: https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/Bu… What I heard from some developers is that it would be good to set up new bridges with new keys (could be on the same IP address), and give the new information to the browser devs so they can put it in the bundles. Leave the old ones running for a while until usage drops off. A question is how to actually do this, running two copies of tor on the same IP. Offhand I would say that using a separate DataDirectory will be enough, but I don't know for sure. David Fifield

1 0

Grouping cloud relays running within same provider
by mr.curtis＠urssmail.org 23 Apr '14

23 Apr '14

Many people are running Tor relays on virtual servers "in the cloud", using VPS providers like Amazon EC2, Rackspace, Linode, etc. Most major VPS providers offer virtual servers in multiple geographical locations, but they are still controlled by one entity, which of course ultimately have total access to any storage (RAM and disk) of any customer VPS, easily compromising any crypto key material. I don't think it is necessarily that bad to trust VPS providers (and they often are a great way to get excellent bandwidth cheaply), but I feel it would be important to somehow make sure Tor users don't end up having circuits that all go through relays running on e.g. EC2. Same way you're supposed to group your own relays with MyFamily. Is there any way currently to do this, or are there already some safeguards in place?

5 5

Strange behaviour on Atlas output after Key rotation
by Geri 22 Apr '14

22 Apr '14

Good evening all! I just have a question regarding my relay's status on Atlas. Approx. 5 days ago i have rotated all my keys (deleted /keys dir) after Roger's advice for doing so for best security. Since then i am obersing a strange behaviour. From time to time i am checking my relay's status at the Atlas webpage which i have done after the key rotation. But now all my relays are listed twice - other than that also the old relays with the old fingersprints are still listed as "running". Is anybody aware of that strange situation? It seems that on the other Tor Status page (torstatus.rueckgr.at) the new relays are listed correctly. thanks for any advice! Cheers, Geri

2 1

Relay not gettings flags, changing IP
by Niels Hesse 21 Apr '14

21 Apr '14

I updated OpenSSL, removed my keys and restarted the Tor service on my Debian relay. Now I have been running it for 3 days and I still haven't gotten any flags and the relay is not visible in Atlas. Arm keeps saying: "[NOTICE] Our IP Address has changed from 141.101.117.220 to 141.101.116.220; rebuilding descriptor (source: METHOD=RESOLVED HOSTNAME= tor-relay.onlineprivatliv.dk)." Here's a screenshot: http://puu.sh/8hBlM/71bbcb5aff.png I am not sure what is going on here. Do you have any idea? Thanks in advance.

2 1

Announcing the removal of Tor v0.2.2.x relays
by Nusenu 21 Apr '14

21 Apr '14

Hi, as Roger mentioned in a side note [1], tor relays running Tor v0.2.2.x have been removed from the consensus (#11149) [2]. Even if relay operators with ContactInfo were contacted directly I think this information would be worthwhile to be mentioned on tpo's twitter feed and blog. This might increase the likelihood that people still running ancient tor versions get to know about it. (even if people running such old tor versions are unlikely subscribers of either news feed ;) Question arisen from looking at the relays by version graph: If you look at that graph you see that on 2014-04-08 the number of relays (in the consensus) running 0.2.2.x were about zero, and now (2014-04-21) we are back at about 170 v0.2.2.x relays. https://metrics.torproject.org/network.html#versions Why is that? Has the decision postponed/revisited due to the concurrent reduction of relays (heartbleed)? One (fast) v0.2.2.x relay as an example: https://atlas.torproject.org/#details/F499B62325DA32EEAA6451ABF0764E096C8CC… [1] https://lists.torproject.org/pipermail/tor-relays/2014-April/004362.html [2] https://trac.torproject.org/projects/tor/ticket/11149 [3] https://twitter.com/torproject

2 2

No Bridges Being Returned by Onionoo
by Matthew Dobbins 21 Apr '14

21 Apr '14

Does anyone know why no bridges are being returned by the Onionoo Service? The summary page (https://onionoo.torproject.org/summary) lists normal relays, but returns an empty bridge list. Also, a detailed bridge query (https://onionoo.torproject.org/details?type=bridge) also returns an empty list. Cheers, mjd

2 1

Sudden drop in number of active relays
by Jesse Victors 20 Apr '14

20 Apr '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hey everyone, I just checked in on https://metrics.torproject.org/network.html and noticed that there's been sudden drops in the number of relays which seems to have caused all other graphs to tank as well. It's too late for this drop to be caused by Heartbleed fixes, so what could explain this? Were these relays banned by the network because they were vulnerable to Heartbleed? Does anyone know what the deal is here? Jesse V. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQF8BAEBCgBmBQJTVFMhXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxMjgyMjhENjEyODQ1OTU1NzBCMjgwRkFB RDk3MzY0RkMyMEJFQzgwAAoJEK2XNk/CC+yAM/kH/0UrCcJxEAhnAL669KuycKZD gopUNwG/sdC0khwXeQKomqYkE4BZCGgvjkDV8geoqvuSv51HJ6aq42UfaNzlCRqP phFgCZNPdAPQ+8ka4WFmhOuMjZh2V1Ylahzl/NmSXcVyaAhN3SsbhBrk6uk0goCm nHJIYdUayl3sHdPQgdaGGjI+YXqQY1Uv/UIQxXgVPTZuYlf+PuM+lMGIun55Qzvg FHjjwMlY/MUIbka9DupVkmF7q5FaDDeWOpC96JpD1o8MxKoZWDCnFPiAMWRiFNFp WL5Hc5U9pDcg524rxTewJKHv19t6HiNanQMe6o5dsvaqLyaI43X4WrZSNb/TfSQ= =9ZeT -----END PGP SIGNATURE-----

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-relays April 2014