F67 Group wrote:
We are thinking of running a Tor Exit Node. Does anybody have a list of questions to ask before purchasing a VPS or colocation? I came up with some basic questions:
- Do you allow a Tor exit node? [with explanation]
Yes, I allow Tor exit nodes. I have been doing this for the last 5 years with no pause, except where I was kicked out of datacenters because of too many abuse complaints. I only worked with datacenters where I had explained in advance what I am doing; they said it was OK, but after some time they couldn't take it any more.
I used virtual servers at the start, then dedicated servers so the hosters wouldn't complain about the shared-resources usage policy (but this still didn't make the abuse complaints go away).
So I woke up one day really mad at these hosters and purchased one /24 of provider independent IPv4 addresses (from someone who wanted to sell them), a /48 of IPv6 (from my RIR) and an AS number (from my RIR), and contracted two upstream providers with BGP over 1 Gbps links.
This means that now the abuse complaints are sent directly to my company, as I have provider independent resources. There is no other ISP involved; the upstream ISPs I have a contract with just rented me the fiber optic cable + BGP sessions + bandwidth, but they don't see any abuse complaints at all. All come to me. Note that these are provider independent addresses. There are also provider aggregatable addresses, which are about 6-7 times cheaper at allocation and appear under your name when someone runs whois on them; you are allowed to set an abuse mailbox, but that is ignored in most cases because, at least at RIPE, the abuse-c is taken from the ORG object that OWNS the IP space, which is not you if the resources are provider aggregatable. I had such a setup for some 2 years and the owner finally took them back.
- What are the policies for handling abuse complaints?
I allow all ports except 25, so I get so much BitTorrent alert spam from IP Echelon Compliance that I am thinking of suing them for consuming my mail server's bandwidth.
I look over all abuse complaints I receive as quickly and as carefully as possible. I do not reply to spam, or to automated emails that are not sent by humans and do not include a valid Reply-To address, like the ones sent from no-reply@, blackhole@, root@ and the like (fail2ban, automated firewall scripts, other kinds of protections that simply count unsuccessful authentications, etc.).
I do reply to every single abuse complaint sent by a human, or one which clearly requires something to be communicated back (not "ALERT: there is a virus in your network" or "to whomever it may concern" kind of emails). All the people (even law enforcement people) to whom I replied and explained what Tor is, how it works and why I cannot technically help them (not that I don't want to) clearly understood, thanked me for the reply, and I never heard back from them again. I have even convinced one concerned person whose email account had been abusively accessed via a Tor exit to run an exit himself; he was thrilled with the idea and he actually runs one (I helped with instructions on how to set it up, etc.).
These are very rare. 99% of abuse complaints received do not require a reply and are simply spam or notifications/alerts/whatever. They still consume a small amount of my time to look over them, mark them as such and make sure no reply is required for each individual email received. I have trained my assistant at the office to do this as I have less and less free time, and she seems to be handling it quite well ;)
- How much uplink bandwidth do you provide?
I do not throttle the bandwidth via torrc config or the upstream router, but the CPU is the bottleneck in my config. I am using an older box with a CPU that has the AES-NI instruction set but pushes about 350 Mbps in and 350 Mbps out (full duplex) constantly with its usage at 99% - 100%. On one core... the other cores are not used. I am using NumCPUs 6 in my torrc but it only rotates the core used, so I have 100% on core 1, then 100% on core 3, then 100% on core 6, but never, for example, 20% on all cores all the time as it should. This is another topic, another problem.
So around 350 Mbps download, 350 Mbps upload, on average all the time (unmetered traffic).
Any other questions one should ask?
In addition to what niftybunny said, with the current code architecture we have in core Tor, it's kind of a waste of resources to have a box with hexa-core CPUs or high-grade server CPUs with many cores; those are better used for running virtual machines. Tor would make better use of a single-core CPU with a higher frequency and AES-NI.
So if you can overclock a single-core CPU to over 4 GHz with AES-NI, that is better and can push more bandwidth than my 3 GHz hexa-core.
RAM requirements are more normal, and easier to meet in any server setup. I have 16 GB of RAM for example, and the bottleneck is my CPU.
Thanks for your interest in running exits. I assure you it will make you addicted; it's quite fun and nice. What I recommend:
- don't go with a VPS or shared resources, go for colocation or dedicated;
- try not to choose a datacenter that is full of Tor exits, or an AS number that already has so much exit consensus weight;
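As an added example (not code from the original post or from the Tor project), here is a first-pass triage of exit abuse mail that implements the rule described above: mail with no valid reply address, mail from an unattended mailbox (no-reply@, blackhole@, root@), and machine-generated alerts are filed without a reply, while anything written by a human is queued for a reply to its Reply-To (or From) address. The list of unattended local parts, the alert-subject pattern and the RFC 3834 Auto-Submitted / Precedence checks are my assumptions, and the sample messages are constructed, not real complaints.

```python
"""Added example: first-pass triage of Tor exit abuse complaints.

Rule (from the post): automated mail is filed without a reply; mail from a
human is answered. Sender lists, header checks and samples are assumptions.
"""
import re
import email
from email.utils import parseaddr

# Local parts that identify an unattended mailbox: the three from the post
# plus a few common equivalents (assumed; extend to taste).
UNATTENDED_LOCAL_PARTS = {
    "no-reply", "noreply", "donotreply", "do-not-reply",
    "blackhole", "root", "mailer-daemon",
}
# Subjects of blanket alerts that, per the post, need no answer (assumed).
ALERT_SUBJECT_RE = re.compile(
    r"\b(fail2ban|alert:|virus|whom(ever)? it may concern)", re.I)
ADDR_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def valid_address(header_value):
    """Extract the bare address from a header; '' if absent or malformed."""
    _, addr = parseaddr(str(header_value or ""))
    addr = addr.strip().lower()
    return addr if ADDR_RE.fullmatch(addr) else ""


def classify(raw):
    """Return ('file', reason) or ('reply', address) for one raw message."""
    msg = email.message_from_string(raw)
    # Reply-To wins over From: ticket systems often send from an unattended
    # address but name a human in Reply-To.
    target = valid_address(msg.get("Reply-To")) or valid_address(msg.get("From"))
    if not target:
        return "file", "no valid reply address"
    if target.split("@", 1)[0] in UNATTENDED_LOCAL_PARTS:
        return "file", f"unattended sender {target}"
    # RFC 3834 Auto-Submitted and bulk Precedence mark machine-generated mail.
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return "file", "auto-submitted"
    if msg.get("Precedence", "").lower() in {"bulk", "junk", "list"}:
        return "file", "bulk precedence"
    if ALERT_SUBJECT_RE.search(msg.get("Subject", "")):
        return "file", "blanket alert"
    return "reply", target


def triage(messages):
    """Bucket a batch of raw messages into {'file': [...], 'reply': [...]}."""
    buckets = {"file": [], "reply": []}
    for raw in messages:
        verdict, detail = classify(raw)
        buckets[verdict].append(detail)
    return buckets


# Constructed sample complaints (not real mail).
SAMPLES = [
    "From: root@fw.example.org\nSubject: [Fail2Ban] sshd: banned 203.0.113.7\n\n"
    "The IP 203.0.113.7 has just been banned after 5 attempts.\n",
    "From: Abuse Robot <no-reply@example.com>\nAuto-Submitted: auto-generated\n"
    "Subject: ALERT: there is a virus in your network\n\nAutomated notice.\n",
    "From: Firewall Appliance\nSubject: Port scan detected\n\nNo sender address.\n",
    "From: Jane Doe <jane@example.net>\nSubject: Unauthorized logins to my account\n\n"
    "Hello, someone logged into my webmail from 203.0.113.7, which is yours.\n",
    "From: Tickets <noreply@helpdesk.example>\nReply-To: officer@police.example\n"
    "Subject: Request for subscriber information\n\nPlease identify the user.\n",
]

if __name__ == "__main__":
    for verdict, details in triage(SAMPLES).items():
        print(verdict, details)
```

The checks run cheapest-first (address validity, then sender name, then headers, then subject), and the script only sorts; a human still reads the "reply" bucket, since a Reply-To that exists is no guarantee that anyone is behind it. Anything the subject filter catches should be spot-checked before being trusted, because a real person can also open with "To whom it may concern".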