I'm running an exit node, yreka, and have noticed a single IP address that has been connected for at least a day, probably longer, which is pushing anywhere from 3Mb to 9Mb but receives very little traffic back from my node, sub 500Kb. My traffic to this machine is going out of 443 (my ORPort) and being sent to port 50090 on the other machine. I only allow exit traffic to ports 80 and 443. So I do not think this is exit traffic. I have also checked on blutmagie and could not find the IP as a relay which would suggest that this is a TOR user and I am serving as an entry node. I have never seen such speeds for a single user. The one sided nature of the traffic and its size have my interest piqued. I just wanted to verify that this is not unusual and something that I should be investigating. I did not include the IP address of the machine because I was not sure it would be in the spirit of TOR to post such information. Any feedback would be greatly appreciated.
From my understanding, this could be someone uploading a large (or many)
files via FTP or something else...
On 19.07.2011 17:58, George Gemelos wrote:
I'm running an exit node, yreka and have noticed a
single IP address that has been connected for at least a day, probably longer, which is pushing anywhere from 3Mb to 9Mb but receives very little traffic back from my node, sub 500Kb. My traffic to this machine is going out of 443 (my ORPort) and being sent to port 50090 on the other machine. I only allow exit traffic to ports 80 and 443. So I do not think this is exit traffic. I have also checked on blutmagie and could not find the IP as a relay which would suggest that this is a TOR user and I am serving as an entry node. I have never seen such speeds for a single user.
The one sided nature of the traffic and its size have my interest piqued. I just wanted to verify that this is not unusual and something that I should be investigating. I did not include the IP address of the machine because I was not sure it would be in the spirit of TOR to post such information. Any feedback would be greatly appreciated.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Tue, Jul 19, 2011 at 03:58:43PM +0000, George Gemelos wrote:
I'm running an exit node, yreka
Thanks for running a fast exit relay!
and have noticed a single IP address that has been connected for at least a day, probably longer, which is pushing anywhere from 3Mb to 9Mb but receives very little traffic back from my node, sub 500Kb. My traffic to this machine is going out of 443 (my ORPort) and being sent to port 50090 on the other machine. I only allow exit traffic to ports 80 and 443. So I do not think this is exit traffic.
Agreed.
I have also checked on blutmagie and could not find the IP as a relay which would suggest that this is a TOR user and I am serving as an entry node. I have never seen such speeds for a single user.
It's still possible that it's a Tor relay -- some relays send their outbound traffic on a different IP address than the one they advertise in their server descriptor. Generally it's within the same /16 though.
The one sided nature of the traffic and its size have my interest piqued. I just wanted to verify that this is not unusual and something that I should be investigating. I did not include the IP address of the machine because I was not sure it would be in the spirit of TOR to post such information.
Good idea.
Any feedback would be greatly appreciated.
If you want to play around with a new feature, you might upgrade to 0.2.2.30-rc and set the PerConnBWRate and PerConnBWBurst torrc options, e.g. to 100KB and 5MB respectively. That should make the bandwidth you provide more fair without hurting most users.
But it's still an open research question what values would be smart there, and whether setting the values is actually helpful or harmful: https://blog.torproject.org/blog/research-problem-adaptive-throttling-tor-cl... so the safest thing to do is just to ignore it.
--Roger
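Added example, not part of the thread and not Tor's code: a simplified token-bucket model of the per-connection cap suggested above (PerConnBWRate 100 KB, PerConnBWBurst 5 MB), run against a constructed sustained 9 Mbps sender and a constructed bursty light user. The one-second refill tick, the binary units and the initially full bucket are assumptions of this sketch.

```python
# Simplified model of a per-connection rate limit (assumption: token bucket
# refilled once per second; Tor's real scheduler is finer-grained).
KB = 1024            # assumption: torrc-style binary units
MB = 1024 * KB

RATE = 100 * KB      # PerConnBWRate 100 KB  (bytes added per second)
BURST = 5 * MB       # PerConnBWBurst 5 MB   (bucket capacity in bytes)


def throttle(offered, rate=RATE, burst=BURST):
    """Return the bytes forwarded in each one-second tick for one connection.

    offered: bytes the peer tries to push in each tick (constructed input).
    Bytes that do not fit in the bucket stay queued for later ticks.
    """
    bucket = burst           # a new connection starts with a full bucket
    queued = 0
    forwarded = []
    for want in offered:
        bucket = min(burst, bucket + rate)   # refill, capped at the burst size
        queued += want
        sent = min(queued, bucket)
        bucket -= sent
        queued -= sent
        forwarded.append(sent)
    return forwarded


def heavy_sender(seconds=60, mbps=9):
    """Constructed sample: a peer pushing a steady 9 Mbps, as in the thread."""
    return [mbps * 1_000_000 // 8] * seconds


def light_user(cycles=2):
    """Constructed sample: 2 MB in one second, then 29 idle seconds."""
    return ([2 * MB] + [0] * 29) * cycles


if __name__ == "__main__":
    heavy = throttle(heavy_sender())
    print("heavy sender, first 8 s (bytes/s):", heavy[:8])
    print("heavy sender steady state (bit/s):", heavy[-1] * 8)
    light = light_user()
    print("light user delayed:", throttle(light) != light)
```

The sustained sender drains the 5 MB burst in about five seconds and is then held to the configured rate, while the bursty user never empties the bucket and is forwarded without delay.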
On Tue, Jul 19, 2011 at 12:30:34PM -0400, Roger Dingledine wrote:
If you want to play around with a new feature, you might upgrade to 0.2.2.30-rc and set the PerConnBWRate and PerConnBWBurst torrc options, e.g. to 100KB and 5MB respectively. That should make the bandwidth you provide more fair without hurting most users.
Another option would be to simply upgrade to 0.2.2.30-rc. The new branch has a feature to try harder to prevent users from using you as a one-hop proxy -- that is, you won't allow a circuit from a non-relay to exit from you.
If in fact this person is using Tor in this way (which requires a modified client), upgrading should automatically stop this behavior.
--Roger
On Tuesday 19 July 2011 11:58:43 George Gemelos wrote:
I'm running an exit node, yreka and have noticed a single
IP address that has been connected for at least a day, probably longer, which is pushing anywhere from 3Mb to 9Mb but receives very little traffic back from my node, sub 500Kb.
3 to 9 megabits per what? Do you see any corresponding outgoing traffic?
Uploading large files sounds likely to me. Another possibility is that it's running a hidden download server that a lot of people are downloading from.
Sorry I forgot the time unit, the IP is uploading 3 to 9 Mbps. The download speed is less than 500Kbps.
-----Original Message-----
From: tor-relays-bounces@lists.torproject.org [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of cmeclax-sazri
Sent: Tuesday, July 19, 2011 11:20 AM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Odd activity on my rely
On Tuesday 19 July 2011 11:58:43 George Gemelos wrote:
I'm running an exit node, yreka and have noticed a
single IP address that has been connected for at least a day, probably longer, which is pushing anywhere from 3Mb to 9Mb but receives very little traffic back from my node, sub 500Kb.
3 to 9 megabits per what? Do you see any corresponding outgoing traffic?
Uploading large files sounds likely to me. Another possibility is that it's running a hidden download server that a lot of people are downloading from.
No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1390 / Virus Database: 1518/3774 - Release Date: 07/19/11
On Tuesday 19 July 2011 14:25:48 George Gemelos wrote:
Sorry I forgot the time unit, the IP is uploading 3 to 9 Mbps. The download speed is less than 500Kbps.
You see 3 to 9 Mb/s going in one connection. Does a like amount go out another connection, or is it spread among the various connections?
I have a roughly equal amount of aggregate incoming and outgoing traffic. Generally, there is slightly more aggregate outgoing versus incoming. For this particular IP, I see 3-9 Mbps incoming to my relay and 500Kbps outgoing. Since I am operating under the hypothesis that this is a TOR user and not a relay or exit destination, that means this user is sourcing a lot of data.
-----Original Message-----
From: tor-relays-bounces@lists.torproject.org [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of cmeclax-sazri
Sent: Tuesday, July 19, 2011 1:08 PM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Odd activity on my rely
On Tuesday 19 July 2011 14:25:48 George Gemelos wrote:
Sorry I forgot the time unit, the IP is uploading 3 to 9 Mbps. The download speed is less than 500Kbps.
You see 3 to 9 Mb/s going in one connection. Does a like amount go out another connection, or is it spread among the various connections?
On Tue, Jul 19, 2011 at 02:20:18PM -0400, cmeclax-sazri wrote:
Uploading large files sounds likely to me. Another possibility is that it's running a hidden download server that a lot of people are downloading from.
Good point -- this could be a hidden service and you're actually seeing traffic from (to) a lot of different users.
Yet another option is that it's a bridge relay -- maybe you're seeing a lot of uploads from hundreds of people in the Middle East whose traffic is aggregated at that bridge before going to a public relay.
Or the consistently high upload speed could be somebody seeding something through bittorrent.
Lots of options. And it's hard to distinguish the "obviously good" cases from the "obviously bad" ones, whatever those mean for each person.
--Roger