Tips for Running an Exit Node with Minimal Harassment
I have noticed that a lot of new exit nodes have recently appeared on the network. This is great news, since exit nodes are typically on the scarce side. Exits usually occupy 30-33% of network by capacity, but are currently at a whopping 38.5% (156 MBytes/sec out of 404 total).
However, I want to make sure that these nodes stay up and don't end up being shut down due to easily preventable abuse complaints. I've run a number of exit nodes on a few different ISPs and not only have I lived to tell about it, I've have not had one shut down yet. Moreover, I've only received about 4 abuse complaints in as many years of running exit nodes. This is in stark contrast to other node operators following a more reactive strategy. I'm convinced this is largely because I observe the following pro-active guidelines.
1. Inform your ISP
This is the most important rule for running a long-lived exit node, especially if you have your choice of ISP. Pick an ISP you can trust, and let them know exactly what is going on. Explain Tor to them, and why it is important to the Internet, the world, and to you, their customer. Giving them links to our Tor Users, Tor Overview, Tor Legal FAQ and Tor Abuse FAQ is typically immensely helpful. Mentioning China and the current conflict in Iran are also likely to be helpful. If your ISP is your University, you may also want to peruse this set of recommendations specific to dealing with University administrators.
If your ISP does not approve, all is not lost: you can look into running a middle node, or a much less visible bridge node. It is better to learn this up front, rather than have your Internet connection shut down on you without warning. Exit bandwidth is often scarce, but any node is better than no node.
2. Get a separate IP for the node. Do not route your own traffic via this IP
While it may be tempting to mix in your traffic with your node's exit traffic for cover, this is best avoided. Having a separate IP allows your ISP to more easily recognize that abuse complaints and DMCA notices can be forwarded to you to be quickly responded to with a boilerplate response, as opposed to cutting off your Internet access or providing your personal information to the copyright cartels.
3. Get recognizable Reverse DNS for this IP
Setting a good reverse DNS name for your exit IP helps to prevent knee-jerk reactions from sysadmins and DoS kiddies alike who run into bad apples coming from your node IP. Something like tor-exit.yourdomain.org or tor-proxy-readme.yourdomain.org is the best bet.
4. Set up a Tor Exit Notice
Once you have a good reverse DNS name, you should put some content there that explains what Tor is for those who see the name and try to visit it via http. If you run your DirPort on port 80 with Tor 0.2.1.x or newer, you can use the Tor config option "DirPortFrontPage" to display a notice explaining that you are running an exit node. A sample one is provided in contrib/tor-exit-notice.html in the source distribution. This way, when someone sees tor-proxy-readme.yourdomain.org in their logs, they hopefully will get the hint and read the notice before flaming you. Be sure to update the contact info and other places marked with FIXME in the notice.
5. Get ARIN registration (if possible)
If you can get your ISP to SWIP your IP block to display a contact and abuse email that you control, this can go a long way to reducing aggravation that they may feel from dealing with the occasional abuse complaint, because the vast majority of the few complaints that are still made will go to you instead of them.
6. Rate limit and optionally QoS your node
I've recently conducted some measurements that showed that nodes that used Tor's BandwidthRate config option to set a limit slightly below their actual capacity were much more reliable than those that did not. Along these lines, it may also be useful to use this Linux-based QoS script to prioritize your Tor IP traffic below other traffic on your machine. Similar QoS can also be achieved via DDWRT, openwrt and of course via commercial routers. If you use do QoS other than that script, you should ensure that you provide Tor with a reasonable minimum bandwidth so that it does not starve when you do other things. Somewhere between 33 and 50% of your connection is a reasonable minimum value.
That's it! Happy operating!
ISP port scanning
Thanks so much for this post. I was running an exit node a few days ago and ended up using ~20GB in 24 hours! I had to shut it down because my ISP (Comcast, bastards) was checking my ports and seemed to be cutting me off, as the traffic on my circuits dropped WAY off.
Re: ISP port scanning
If comcast cut you off entirely because of the volume of traffic, you can rate limit to help with that problem:
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth
In fact, I'd recommend that all Tor relays add in rate limiting, for the reason that Mike gives in this blog post.
Probably not port scanning, but if so:
Yeah, it's likely you weren't discovered by port scanning and more likely by the total bandwidth use. However, if you're sure that is port scanning, you can put your Tor server on an unused high-numbered port (check /etc/services for blank ranges) and then customize your firewall rules to DROP as opposed to REJECT packets to your unused port ranges on your machine. DROP rules greatly increase the time it takes to port scan your machine, because scanner's packets need to be retransmitted many times to differentiate between normal packet loss and DROP rules. Also, choosing an infrequently used port will often completely escape scanners' notice, because they typically scan frequently used ports to save time. You probably also want to disable your DirPort in this case too, as that is plain text http, often contains strings that say "Tor" and easily seen by filters at *your* ISP.
There are also rumors that some of Iran is blocking port 443, so putting your Tor server on strange ports is actually helpful for that too.
Note this likely only makes sense for middle and bridge nodes. Exit nodes will be so noisy you'll eventually get some sort of abuse complaint if you don't follow Mike's steps (and possibly sometimes even if you do, it sounds like).
ISP & GO
The rationale here is understandable, but #1 & 2 appear to have the undesirable side effect of making exit point surveillance by Government Organizations easier, assuming that the ISP in question is colluding with them (frequently the case, and in many nations, mandated by law or regulation). Is my conclusion in error? This might be less of a problem if a TOR user could whitelist or blacklist specific exit point countries (this rests on a presumption that authorities in Venezuela, for example, would likely be relatively uninterested in issues that are locally "sensitive" in Iran, for another example, and vice versa). Is there any tool in TOR that allows this? I do understand that the trade-off for wide use of such a capability would be a potential net reduction of bandwidth in an already constrained network.
Exits are already listed in the public directory
Exits are already listed in the Tor directory that clients use, which is public. The Tor project also provides a DNSRBL with Tor exit nodes to prevent incorrect blocking of Tor nodes that do not actually exit: https://www.torproject.org/tordnsel/
So the additional threat of government monitoring is not really a valid argument.
However, it might be the case that your ISP doesn't figure it out until you till them, but that will only last until your first abuse complaint if you are running an exit.
Another (diversionary) tactic..
Another useful tactic might be to register your reverse DNS domain name with a top level country code that is not the same as the jurisdiction for your IP address. It might be the case that the "copyright cartels" (lol) and others will give up if they see a .se domain name, or similar :)
A simple exit strategy
We've run an exit node in the past. Currently not running, will be again soon, I hope...
We had an excessively simple strategy for reducing entanglements: being based in the US, we only allowed exit to IP space delegated to Europe, Asia, etc.
Reducing the chances that any local TLA would want to come knocking is a good thing.
That's what I'm talking about
Excessively simple perhaps, but arguably effective, for parties at both ends of the pipe. Now if there was a mechanism for clients in a given location to select an exit node that only exited to IP space in some defined elsewhere, a user in that location could have a little bit more comfort (never guaranties!) in his or her privacy.from the snooping noses of das Heimatland Sicherheit and ilk.
>We had an excessively simple strategy for reducing entanglements: being based in the >US, we only allowed exit to IP space delegated to Europe, Asia, etc.
Choosing an exit node
Re the subject and previous comments. Apparently this is possible, see TOR FAQ 3.15. However, it is not recommended, for several reasons. In that same FAQ item, there is a reference to using Blossom for this purpose. Has anyone here tried this? Is it possible to just run the Blossom client service that allows this option with an existing TOR client, or are the two clients mutually exclusive? Also, my intent was not to hijack this thread; it might be best if someone could fork this into a separate topic.
Re: A simple exit strategy
Our non-US exit strategy was the outgrowth of an idea that seems to have been largely ignored by Tor developers.
IPv4 space is largely (not completely reliably) delegated to entities called Regional Internet Registries (RIR's) in large swaths. The RIR is then responsible for passing out space to the entities in its region. There are entanglements, such as multinationals, or legacy delegations, but in large part, you can wave your hands a bit and know that any IP address between 77.0.0.0 and 95.255.255.255 is handled by the European RIR, RIPE, IP addresses between 110.0.0.0 and 126.255.255.255 are handled by Asia Pacific's APNIC, etc. You can fairly readily break down large chunks of space by RIR based on the first octet, sorting unknown or mixed use stuff into a different category.
This means that it would be fairly easy to generate "buckets" that roughly categorize IP space. Tor nodes could be separated into each of these buckets, and you could have a rough idea that you'd likely be crossing political boundaries anytime you went from one bucket to another, simply because most countries do not exist in multiple geographic regions.
So you categorize Tor nodes into buckets while indexing them: this is a 256-entry database plus a half page of code.
Now, you can do things with that data. Rather than just "randomly" picking Tor nodes for a circuit, you could prefer a first hop outside your own bucket, a second hop in neither of those buckets, and a completely random third hop. So when your US-based PC goes to Amsterdam for the first hop, Taiwan for the second, and ends up exiting in Canada, you've done a lot to make it more difficult for any one country to track back to you.
Perhaps we don't have to worry about this in the US, but looks like the Iranians do.
Getting back to the previous comment, however ----
For those of you who would like to allow exit to non-local space, I suggest looking at
http://www.iana.org/assignments/ipv4-address-space/
Determine your own RIR (ARIN, APNIC, etc) and then generate a list of prefixes that are served by *other* RIR's. Allow exit to those prefixes. For example, a host in America can probably more safely offer exit to 41.*, 51.*, 58-62.*, etc.
network attacks running TOR
I am running a TOR Bridge here in Darwin Australia for the Nedanet i am under constant heavy network hacking attacks originating in china you name it and there trying it !! I think a good tip for anyone running Tor is to make sure you have a better than average firewall setup ... i also run a DMZ from the router to a locked down linux box ... i have noticed also no network scanning or attacks from iran .... makes me wonder if China helps Iran with their IT security ?
Be prepared...
If you are dealing with a box that is running other services besides Tor, simply assign it a second IP and firewall in a manner that puts on the the Tor service on that IP and disallow anything else.
Worked for me.
An Unexpected Phone Call from CableOne
I've followed mikeperry's advice and sent my ISP a heads-up, suggested URLs and all. And, somewhat to my surprise, instead of some e-mail boilerplate in 48-hours or so, I got a phone call from "Steve" in within three hours. Suffice to say, 1) I shall call him tomorrow and ask him to respond exclusively via e-mail from now on, as I'm severely deaf, and 2) determine what level of service I can can be to Tor which is within the ambit of CableOne's AUP, savvy?
To wit: "This is to inform you that given the situation in Iran (and of course, China!) I shall be running Tor exit node kencf0618 mostly but not entirely from midnight to 5 a.m. I'm still tweaking my settings with your AUP in mind, as it is not my intention to degrade anyone's service. https://www.torproject.org/torusers.html.en https://www.torproject.org/overview.html.en https://www.torproject.org/eff/tor-legal-faq.html.en https://www.torproject.org/faq-abuse.html.en
Submission Date: 6/29/2009 2:43:39 PM"
I rather suspect that inasmuch as I had for a day or so checked off everything on Vidalia's exit node configuration, "Steve" shall play the Moral Panic card. My usage was 1.5G in in March, 3.0 in in April, and 2.4 in May, but 8.0 in June due to Tor, so I figured that I might've raised a red flag somewhere.
Any and all advice would be appreciated. Basically, I want a stable state of whatever it is I can get away with re Tor within my ISP's AUP. Think Venn diagram.
Thanks, folks!
special build to help iran?
hi there,
is it possible to have a special build only allowing my exit node for clients originating in china, iran etc.? unfortunately i don´t know very much about this software but am unwilling to hassle with problems from my isp. right now i´m running only in bridge mode.
i think there might be a lot more people out there like me that would install a special iran package without having to think about it anymore
ftd
re: special build to help iran?
This wouldn't work. The exits don't know where the client resides. If this was possible, it would quickly turn the users into a special set which may be easier to track down. Fragmenting the Tor network into a series of partitions makes everyone less anonymous.
See "Anonymity Loves Company" at http://freehaven.net/anonbib/cache/usability:weis2006.pdf
Help Desk Follies
Despite the local CableOne tech telling me in the morning that Tor wasn't a problem and that bandwidth wasn't an issue (especially between midnight and noon), that afternoon I came home after work to a nasty DMCA take-down notice and a frozen ISP account. I could receive mail, but that was it, and so perforce had to deal with the sanction by phone... Apparently someone had sent a bit torrent through my machine. Some game... I'm no gamer.
Well! I steered everyone and their dog to the EFF's legal boilerplate, but it was only today that I finally reached someone who knew what they were talking about, Tech No. 2, and he informed me that Tor on a residential account was in itself a no-no. And by then I no longer had the nous to contest the matter. I had acted in good faith & received bad information, and that was that. Time to move on. (He was very interested in the identity of Tech No. 1!)
You learn by doing. Knowing then what I know now, I probably would have stuck with a humble relay or bridge node and stayed under the radar. Parse your TOS's and AUP's well!
A Bridge Relay on CableONE
A local CableONE executive has admitted that their AUP is deliberately vague, but inasmuch as he hasn't told me what of Tor if anything I can run, I am currently running a bridge relay on occasion. My reading of their AUP is that so long as I'm not degrading anyone's service or doing anything illegal, I'm good. If I'm wrong, there's always Qwest!
I truely believe what you
I truely believe what you did say here because I read most of the things you write.
But sometimes it just doesn't work for me.
more on avoiding exit points by jurisduction
"Our non-US exit strategy was the outgrowth of an idea that seems to have been largely ignored by Tor developers."
I may yet have to try that strategy. I thought I had found a viable alternative by using the "excludeexitnodes" directive in torrc, but experimentation indicates that even after paring the excluded jurisdictions down to just one, the directive is still ignored more often than honored in the interests of building what tor considers to be a viable network. That is not a complaint, just a results report from one experiment. More to follow.
re: more on avoiding exit points by jurisduction
Did you set ExitNodes {country code} and StrictExitNodes 1? Also, was there an exit node that allowed exit to the ports you wanted at the time?
Hmmm...
I may have taken the documentation of "StrictExitNodes" in the manual too literally, as it mentions its use only in conjunction with "ExitNodes", not "ExcludeExitNodes" (and yes, I do have that one coded correctly :-) Thank you, that is worth a try. Be right back...
tactic change
Unfortunately my first impression was correct. Using "StrictExitNodes 1" with "ExcludeExitNodes {XX}" produces a log message "[Warning] StrictExitNodes set, but no ExitNodes listed." Of course there is an obvious, if ludicrous alternative - use "StrictExitNodes 1" with "ExitNodes", passing the entire list of country codes except those to be excluded. I've already coded the list (good thing that wasn't tedious :-) It occurs to me to wonder if ExitNodes/torrc will accept an 800 char parameter string (246 each ISO 3166-1 alpha-2 codes x 4 chars [code + comma + space]). I further wonder just how rigorously that part of teh code has been tested for bounds checking and buffer overflows :-0 I will learn at least some of those answers, I believe...
revert, revert, revert
No joy. With 238 country codes specified on ExitNodes, the log message is "[Notice] Have tried resolving or connecting to address '[scrubbed]' at 3 different places. Giving up." Restoring the redacted country codes and/or changing "StrictExitNodes 1" to "StrictExitNodes 0" produces the same message. Evidently it is choking on too long a parameter string, or the process is timing out while it attempts to process it (probably the latter). I needed to try it though - thanks for the help. I'm back to "ExcludeExitNodes {XX}" - at least Tor takes that one "under advisement" :-)
i believe all that you post
IP and firewall in a manner that puts on the the Tor service on that IP and disallow anything else.
DiskOnModule
2.5” IDE Flash
Thank you
Thank you, you answered the question I have been searching for which was whether or not to place keywords when blog commenting. mirc . chat . cinsel sohbet. cinsellik sohbet . http://www.hayda.net/
Another useful tactic might
Another useful tactic might be to register your reverse DNS domain name with a top level country code that is not the same as the jurisdiction for your IP address. It might be the case that the "copyright cartels" (lol) and others will give up if they see a .se domain name, or similar :)
auto insurance
Post new comment