tor-relays October 2016

tor-relays@lists.torproject.org

101 participants
61 discussions

Abuses: Suspicious botnet ramnit attack
by pa011 28 Oct '16

28 Oct '16

Hi, got the abuse below on three different exits. Anybody having any idea what to do and how to possibly to stop this in the future? Thanks Paul CERT-EU has received information regarding an infected IP belonging to your network, which may have security problems. The information regarding the problems is also included as attachments in both CSV and XML formats. All timestamps are in UTC. At this time we do not have any more information. Where: - ASN: is the Autonomous System Number; - IP: the Internet Protocol address associated with this activity; - TIME: discovery time of the malicious activity; - PTR/DNAME: PTR/DNAME record - CC: ISO 3166-1 alpha-2 two-letter country code; - TYPE: type of the security problem or threat; - INFO: provides any additional information, if available.asn|ip|time|ptr|cc|type|info|info2 ASxxxxx|xxx.xxx.xxx.xxx|25-10-2016 12:10:09Z|XX|botnet drone|Description: Ramnit botnet victim connection to sinkhole details, Timestamp : 1477397409.72, City : none, Count: 8, First Seen: 25-10-2016 12:10:09, Last Seen: 25-10-2016

3 2

Re: [tor-relays] Digital Ocean - running Exit node locked
by Tristan 28 Oct '16

28 Oct '16

Guess I'm next. My relay has been running for 3 months now. I'm doing my best to be a good neighbor though. After the first month, I got an SSH abuse, so now I reject SSH traffic. A month later I got an SQL hack attempt, and I switched to the reduced-reduced exit policy. Haven't gotten anything else yet. On Oct 7, 2016 4:34 PM, "Markus Koch" <niftybunny(a)googlemail.com> wrote: They will kick you after 2-3 months. Delete account, make new account. They will kick you after 2-3 months. Delete account, make new account. They will kick you after 2-3 months. Delete account, make new account. They will kick you after 2-3 months. Delete account, make new account. Welcome to DigitalOcean! Markus 2016-10-07 23:23 GMT+02:00 pa011 <pa011(a)web.de>: > Seems like even DO is not very much in favour of running Exits any more ? > > Anybody made the same experience - how to handle this please ? > > Thanks and Regards > Paul > > > "Hello -Although we do not specifically disallow TOR exit nodes, as the account holder you are responsible for all the traffic going through your droplet (including traffic that an exit node may generate). > > Also be aware that we do not allow some of the traffic types that come out of a typical TOR exit node (torrents, spam, SSH probes, hacking attempts, botnets, DDoS, etc). > > If you are unable to stop this sort of traffic, please reconsider running a TOR exit node as it may lead to your account suspension or termination. > > Please refer to our Terms of Service for greater detail on this issue: https://www.digitalocean.com/legal/terms/ > > Best, > > DigitalOcean Support " > _______________________________________________ > tor-relays mailing list > tor-relays(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays _______________________________________________ tor-relays mailing list tor-relays(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

6 12

Rampup speed of Exit relay
by D.S. Ljungmark 27 Oct '16

27 Oct '16

Hi all, I'm looking at some traffic patterns for my Exit relay, and I'm frankly a bit disappointed with the utilization. Currently it's running at a load average of 0.3-0.5, and CPU idle at 70-80%. We're not limited on Bandwidth (tests show that our max cap is more than safe to produce), yet, we're barely reaching 20% of our potential allocated traffic. We've reached "fast" and "guard", and got the "stable" flag as well, so in theory we ought to see traffic move a bit higher than currently. So, how do we get tor to move past 100-200Mbit? Is it just a waiting game? //D.S. -- 8362 CB14 98AD 11EF CEB6 FA81 FCC3 7674 449E 3CFC

10 21

Really bad ISP
by Lluís 27 Oct '16

27 Oct '16

Hello, I am a relay operator in Spain (or at least I try to). I am just desperate with my ISP, he is just leaving the VDSL2 connection down several times a day, taking the relay with it. Does anyone know a much more stable, tor-friendly, ISP for an Spanish user ? The following record of assigned IPs in a **single** day shows the dimension of the drama: 95.23.157.152 - Tue Oct 25 01:00:02 CEST 2016 95.23.156.52 - Tue Oct 25 07:00:02 CEST 2016 95.23.157.180 - Tue Oct 25 11:54:06 CEST 2016 188.79.227.152 - Tue Oct 25 12:20:52 CEST 2016 95.23.155.112 - Tue Oct 25 13:12:30 CEST 2016 95.23.144.75 - Tue Oct 25 13:15:19 CEST 2016 188.77.208.15 - Tue Oct 25 13:29:02 CEST 2016 95.23.159.249 - Tue Oct 25 14:00:06 CEST 2016 95.23.146.89 - Tue Oct 25 14:12:12 CEST 2016 95.23.159.163 - Tue Oct 25 14:19:21 CEST 2016 188.79.238.188 - Tue Oct 25 14:34:55 CEST 2016 188.79.237.90 - Tue Oct 25 14:36:05 CEST 2016 188.79.229.164 - Tue Oct 25 14:57:30 CEST 2016 95.23.149.124 - Tue Oct 25 15:08:51 CEST 2016 188.79.237.0 - Tue Oct 25 15:10:12 CEST 2016 188.77.213.199 - Tue Oct 25 16:28:47 CEST 2016 95.23.153.98 - Tue Oct 25 16:32:50 CEST 2016 95.23.146.46 - Tue Oct 25 16:49:03 CEST 2016 188.79.235.239 - Tue Oct 25 17:10:03 CEST 2016 188.77.215.232 - Tue Oct 25 17:20:03 CEST 2016 95.23.146.36 - Tue Oct 25 17:30:03 CEST 2016 95.23.148.238 - Tue Oct 25 18:10:03 CEST 2016 95.23.149.136 - Tue Oct 25 18:20:03 CEST 2016 188.77.211.53 - Tue Oct 25 18:50:03 CEST 2016 188.77.211.90 - Tue Oct 25 19:30:03 CEST 2016 188.79.225.153 - Tue Oct 25 20:10:01 CEST 2016 95.23.157.171 - Tue Oct 25 21:00:02 CEST 2016 188.77.212.227 - Tue Oct 25 22:00:02 CEST 2016 95.23.157.179 - Tue Oct 25 22:30:02 CEST 2016 Thanks for your assintance, Lluís

3 5

Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
by Alan 27 Oct '16

27 Oct '16

0.2.5.12 is the latest version from the repo. Im assuming I should pull down the source and compile it. >> Thanks for the update, my main relay was vulnerable but i've patched it now to 0.2.8.9. >> >> My Raspberry Pi is running 0.2.5.12 -- is that ok? > > If your version is from before 2016-10-17, your relay is vulnerable. > > To be sure you should be running 0.2.8.9. > > > > _______________________________________________ > tor-relays mailing list > tor-relays(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >

4 5

cryptsetup some folders
by Petrusko 26 Oct '16

26 Oct '16

Hey all, I'm planning to customise a RPi with Raspbian already running, and using cryptsetup (LUKS) to have a partition more secure for some reasons... So the goal is to move some existing sensitive folders to this new encrypted partition. Some sym-links will be used for those directories. About Tor, if I'm not wrong, those directories can be moved to this encrypted partition : /var/lib/tor : so I'm planning to move /var... So at final, planning to move : /home /var /tmp (why not swap file ?) Any suggestions and master's thoughts are welcome :) -- Petrusko EBE23AE5

7 17

Re: [tor-relays] most (>57% cwfr) of the tor network still vulnerable to CVE-2016-8860 - update your relay!
by Alan 26 Oct '16

26 Oct '16

Thanks for the update, my main relay was vulnerable but i've patched it now to 0.2.8.9. My Raspberry Pi is running 0.2.5.12 -- is that ok? > just a reminder since most of the tor network (including some of the biggest operators) still runs vulnerable relays > > https://blog.torproject.org/blog/tor-0289-released-important-fixes > > > Since 2/3 directory authorities removed most vulnerable versions from their 'recommended versions' you should see a log entry if you run outdated versions (except if you run 0.2.5.12). > > > It is not possible to reliable determine the exact CW fraction > affected[1] due to the fact that patches were released that didn't increase tor's version number. > Therefore it is also possible that you get log entries even if you run a patched version (IMHO this hasn't been handled in the most professional way). > > > Update instructions > > Debian/Ubuntu > ============== > > make sure you use the Torproject repository: > https://www.torproject.org/docs/debian.html.en > > (you can also use the debian repository but the Torproject's repo will provide you with the latest releases) > > > aptitude update && aptitude install tor > > > CentOS/RHEL/Fedora > =================== > > yum install --enablerepo=epel-testing tor > > > FreeBSD > ============ > > pkg update > pkg upgrade > > OpenBSD > =========== > > pkg_add -u tor > > > Windows > ======== > > No updated binaries available for this platform yet. > > > > > [1] as of 2016-10-25 18:00 (onionoo data) > conservative estimate > ---------------------- > (counts only 0.2.8.9 and 0.2.9.4-alpha as patched) > 31% CW fraction patched > > optimistic estimate > ------------------- > (additionally assumes every non-Windows running 0.2.4.27, 0.2.5.12, 0.2.6.10, 0.2.7.6 that restarted since 2016-10-17 is patched): > 43% CW fraction patched > > _______________________________________________ > tor-relays mailing list > tor-relays(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >

2 1

33C3 Voucher
by pa011 26 Oct '16

26 Oct '16

Anybody holding a Voucher for 33C3 in Hamburg at the End of December? More than happy to get hold of it :-) Paul

2 1

Research project - comparing abuse complaints on Tor exits to those of regular ISPs
by dguthrie＠posteo.net 24 Oct '16

24 Oct '16

Hi folks, I am looking to research what proportion of Tor traffic across a Tor exit is "legitimate"/regular internet traffic, by comparing abuse complaints on Tor exits to those of regular ISPs. I think this is an interesting project because it is illegal to analyse traffic on the exit node without amounting to a wiretap, so this is a good way to get some idea about what traffic is comparable to regular internet traffic. I am aware that some people on this list run small ISPs. I am asking a favour that you might be able to send me a sample of abuse complaints over several months, or at least and some idea of how many complaints you recieved. I would need to know what type of complaint they were (torrenting vs more serious complaints), and the volume of traffic that passed through your network. My public key is posted below. Thank you, Duncan Guthrie 4096R/16BD5A5D 425A BEE8 24BB 7665 7FDC F7B6 8767 0301 16BD 5A5D

6 6

Re: [tor-relays] IP address change
by balbea16 24 Oct '16

24 Oct '16

Hi TimTNX for your fast response. I'm afaid, that I have to stay with my current ISP. However, from time to time he keeps my IP address unchanged for up to 4 days. Mike -------- Ursprüngliche Nachricht -------- Von: teor <teor2345(a)gmail.com> Datum: 24.10.16 14:34 (GMT+01:00) An: tor-relays(a)lists.torproject.org Betreff: Re: [tor-relays] IP address change > On 24 Oct. 2016, at 23:12, balbea16 <balbea16(a)gmx.de> wrote: > > Hi There > My ISP changes my IP address about every 24 hours. It takes 10 minutes until my tor server recognises this, and an hour until all usual connections are reestablished. How can I speed this up? The tor directory authorities vote on relays every hour. There is no way to speed this up. > Does it help to use a DNS? No, Tor uses your IP address. > To pay for a static address is not an option. > Any ideas? Thank you. Mike I'm sorry, this is just how Tor is designed. But you are still contributing to the network. You could try renting a cheap server in a data centre. Most of them offer static IP addresses. Tim T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------------ _______________________________________________ tor-relays mailing list tor-relays(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-relays October 2016