Posting to the forums and Tor filtering

spil

Developer
I picked up a notice that we're blocking Tor relay and entry nodes on the forums: https://twitter.com/UnaClocker/status/4 ... 6621025281.

  • Are we blocking Tor nodes?
  • Are we blocking a specific type of Tor node (entry-, relay-, exit-)?
  • How/what are we using to block Tor nodes?
  • (Why do we want to block Tor nodes?)

I browsed around and the Tor project lets you easily find the list of exit nodes so there shouldn't be a problem black-listing exit-nodes only, using e.g. https://check.torproject.org/cgi-bin/To ... .20.54.209.
 
An admin will be able to tell you more, but if I remember correctly we block Tor exit nodes because they are a notorious source of spam and other cybernastiness.
 
It's not about the exit nodes but about the relay nodes that are blocked. From the source:
@freebsd I think your forum host is taking the TOR relay list and blacklisting them. Killing your target audience, I'd say.
I'll try and elicit some more information from UnaClocker as well.
 
It's a shame that arseholes have to abuse such services and ruin them for everyone else. :(
 
We do not target TOR nodes explicitly. However, TOR nodes that show up in blacklists dealing with forum abuse will be blocked by us (using an automated import). Unfortunately, the correlation between TOR nodes and any Internet abuse is quite high (understatement). All we do is defend against abuse for the benefit of the forums. That's all there is to it.
 
DutchDaemon said:
We do not target TOR nodes explicitly. However, TOR nodes that show up in blacklists dealing with forum abuse will be blocked by us (using an automated import). Unfortunately, the correlation between TOR nodes and any Internet abuse is quite high (understatement). All we do is defend against abuse for the benefit of the forums. That's all there is to it.

Sorry, I didn't intend to insinuate that you were said person; I meant the cybercriminals who abuse the service. Just wanted to clarify that. :)
 
Not perceived as such, just clarifying. Some TOR node owners have a sense of entitlement, like they're liberating Mandela from jail. Well, if Mandela's liberators were spamming forums, they'd be blacklisted.
 
The forum seems to also block relay nodes. I had one running for a couple of weeks and could not access this forum using my ISP-provided dynamic IP. I tried to connect over an ordinary web browser, without using any proxies (including Tor).

Does it mean that TOR relay nodes "leak"? How else would this forum receive spam from my IP? A relay node is supposedly just one of several links between the exit node and the user.
 
I don't know how their IPs get on blacklists. If they do, they end up in ours.
 
Just like any other IP address, if they are found to be sending spam email or engaging in other suspicious activities, the address is blacklisted. It doesn't matter if the address is part of the TOR network or not; the spamtraps will treat the addresses equally, and it's a major hassle to start differentiating between valid and non-valid traffic coming from those addresses, if not impossible. Don't get on the blocklist if you can avoid that.
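spil's proposal to blacklist exit nodes only (using the Tor project's exit list) and the later question about why a non-exit relay's address ends up blocked both come down to one check: reconcile an imported abuse blocklist against the Tor exit list before applying it, so that entries hitting only middle relays are held for review instead of imported blindly. This is an added example, not code from the forum, its admins or the Tor project; the exit list, relay list and blocklist below are constructed samples, and the format assumptions are stated in the comments.

```python
import ipaddress

# Constructed samples. TOR_EXIT_LIST mimics the bulk exit list's format
# ('#' comment lines, then one IPv4 address per line); TOR_RELAY_LIST
# stands in for every relay address from a consensus; ABUSE_BLOCKLIST
# stands in for an automatically imported forum-abuse list.
TOR_EXIT_LIST = """\
# This is a list of all Tor exit nodes (constructed sample)
198.51.100.7
203.0.113.44
"""
TOR_RELAY_LIST = "198.51.100.7\n203.0.113.44\n192.0.2.10\n192.0.2.11\n"
ABUSE_BLOCKLIST = """\
203.0.113.44   # an exit: Tor users' traffic really does come from here
192.0.2.10     # a non-exit relay: it never originates Tor users' traffic
192.0.2.0/28   # a range listed wholesale; it contains non-exit relays
10.9.8.7       # not part of Tor at all
"""

def parse_entries(text):
    """Parse one entry per line as a network (a bare IP becomes a /32),
    skipping blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def classify_blocklist(blocklist, exits, relays):
    """Label each entry 'exit', 'non-exit relay' or 'other'. A 'non-exit
    relay' hit is collateral damage: a middle relay's address is never the
    source of Tor-borne spam, so it should be blocked only for what that
    host does on its own, not for being a relay."""
    labels = {}
    for net in blocklist:
        if any(e.subnet_of(net) for e in exits):
            labels[str(net)] = "exit"
        elif any(r.subnet_of(net) for r in relays):
            labels[str(net)] = "non-exit relay"
        else:
            labels[str(net)] = "other"
    return labels

def review_queue(blocklist, exits, relays):
    """Blocklist entries whose only Tor hit is a non-exit relay: hold for a human."""
    labels = classify_blocklist(blocklist, exits, relays)
    return sorted(e for e, label in labels.items() if label == "non-exit relay")
```

Run against a real import, the `review_queue` output is the set of entries the thread is complaining about: addresses blocked for being Tor relays rather than for anything they did.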
 
I used to run a pair of TOR relays, in response to the first EFF TOR Challenge around June 2011. At the time they ran on my Ubuntu servers (10.04). Then, about a year and a half ago, I went to a pair of FreeBSD servers (I will have to see about doing the upgrade to 9.3 soon). And I continued to run those relays until September.

When I first set these up, they were limited exit relays (the Challenge initially was for relays or bridges, where only relays would get counted, and they didn't detail how to set up non-exit relays). But I soon found myself blocked from Freenode, which doesn't allow exit node IPs to connect to them if any exits would allow connecting to their systems (which includes HTTP), but they do run a hidden service for TOR access and encourage people to run relays to provide bandwidth for users to reach their hidden service.

After some Google searches, I found out the now-obvious step to make non-exit relays. Earlier this year I found myself blocked by a site; they said they block any TOR relay, since non-exit relays make it possible for exit relays to abuse their site. So, I blacklisted them.

But, more and more sites started blocking IPs of non-exit relays, so I finally decided to stop running TOR relays on my servers (in September, they came back briefly after a reboot, but now they won't). I still have a separate TOR running, so I'll have the option to use it (or to check out the Facebook hidden service :)).

Along the way I did launch a bridge instance in AWS. Initially on the free tier, but I continued to run it (costs around $21/month). On Saturday, I replaced it with a more recent AMI configured as an obfsproxy bridge spot request instance. The old AMI was Ubuntu 10.04 based, and the new AMI is Ubuntu 12.04. I had thought of trying to use FreeBSD, but thought the Tor-Cloud images would be faster to get up and running. They weren't, as TOR and other packages weren't installed (which also meant there were a lot of configurations I didn't save from the old instance), so I spent a lot more time this weekend on it than I had planned.

I will see how that works. Perhaps I'll consider resurrecting my relays this way. Perhaps I'll use FreeBSD in AWS for something else (though there might be a better non-EC2 way to deploy it).

The Dreamer.
 
A recent BSD Now episode (63? I forget the exact number) mentioned that > 80% of TOR nodes run on Linux, which is a serious concern. If there was a serious issue affecting Linux (like, say, shellshock :)) then virtually all of TOR could be taken offline. As they noted in the show, Verisign runs the .com root servers off a mix of Linux/FreeBSD/Solaris so that a platform-wide issue doesn't affect the root serving. So more BSD-based nodes would help TOR in the sense of providing more survivability.

I've never run an exit relay because exit relays bring legal hassles, or require hosting in expensive places. I run several Free- & OpenBSD TOR relays on KVM VPSes for $5/month each. I don't have the cash to run an exit node so I do what I can with relays. As a side note, I usually compile my own rather than run the package, as the package is always months behind and is marked as obsolete (not surprising - it's the same on OpenBSD as well).

EC2, because of the way bandwidth is priced, is one of the most expensive places to host a TOR relay.
 
Hmm, well, at this point TOR is a hobby/interest for me... but if I wanted to go to the next level and try exit relays again, it would likely be in the form of paying someone else to run it... I think it was something like if you donate $50/month you can name an exit relay. I still haven't reached the point of going from $65/year to $100/year to EFF (I gave it strong consideration this year, but didn't.)

Finding spot requests seems to work fine for my TOR bridge, and the monthly charge seems to be around $3/month, which reflects that the bulk of the cost for running the bridge has been CPU and disk charges. Not sure if doing a non-exit relay would result in more traffic or not. When I first started, there was lots of traffic, such that the default config of 10GB/week quotas would be exhausted in less than a day. Now it feels like it would take months to reach 10GB. Thinking I might look at going ahead with resurrecting my relays, though not sure if FreeBSD is really the way I want to go. Though I have automated poudriere to run (more or less) 2 daily bulk runs. It's basically two different sets of options, the primary difference being one with X11 & DOCS set and one with them unset, or servers vs workstations. I go through the other options now and then to pick the ones I want, like at work where IPv6 is banned I build bind with 'filter-aaaa' enabled. Though not sure I want to open up my home computer to providing packages for my EC2 instances.

OTOH, I was caught off guard on needing to rebuild all my packages for 9.3 before upgrading to 9.3... which means the 3 (down from 4) FreeBSD systems I take care of at work haven't made it to 9.3 yet (one 9.2 and two 9.1). My poudriere server at work hadn't reached the same level of automation as my home one (I almost gave up on reaching automation, especially when 3.1's atomic repository implementation differed from how I was doing it (with ZFS snapshots)). And I'm still working on getting my workstation at home stable again.

For the most part the Ubuntu images take care of themselves... unattended-upgrades is configured to update everything and reboot as necessary (either when it wants to, or when I permit it). Hadn't really looked to see about an equivalent for non-Ubuntu systems (namely FreeBSD and CentOS), but, for reasons other than unattended TORs in the cloud, I should. Like, what does it say when you stumble across a machine with an uptime of 3092 days?

I once ran into a server where a sysadmin had repurposed a dev server into a temporary production server (to do maintenance on the hardware, which he set aside and forgot until over a year after he had quit). By making all the system config changes without touching any files, and using tmpfs... It had an uptime of over 2 years when it was hit with patches and vanished on reboot. I think that's why & when we stopped doing routine patching of everything. The loss of the server pretty much stopped everything in the datacenter; it's now an HA pair and everything should be configured to know about a backup server in another building.

But, these days the push is for everything to be on Ubuntu, unless there's some valid reason not to (namely Oracle), and get rid of all the Sun/Oracle hardware.

The thing I would miss the most once this is all done, is ZFS.

The Dreamer.
 