Tips for Running an Exit Node

Updated 06/30/2010: Mention Reduced Exit Policy, ISP Shopping Tips, and Abuse Response Templates
Updated 08/30/2010: Update exit policy with svn, git, hg, Kerberos, remote admin panels, IRC, others
Updated 01/12/2011: Suggest creation of LLC for large exit nodes, provide links to ARIN forms and process.
Updated 02/25/2015: Torservers.net abuse templates URL has changed.
Updated 01/02/2018: Sample Tor exit notice URL has changed.

I have noticed that a lot of new exit nodes have recently appeared on the network. This is great news, since exit nodes are typically on the scarce side. Exits usually occupy 30-33% of the network by capacity, but are currently at a whopping 38.5% (156 MBytes/sec out of 404 total).

However, I want to make sure that these nodes stay up and don't end up being shut down due to easily preventable abuse complaints. I've run a number of exit nodes on a few different ISPs, and not only have I lived to tell about it, I have not had one shut down yet. Moreover, I've only received about 4 abuse complaints in as many years of running exit nodes. This is in stark contrast to other node operators following a more reactive strategy. I'm convinced this is largely because I observe the following proactive guidelines. This guide is primarily US centric. Operators in other countries may have slightly different best practices (such as registering with RIPE and not ARIN).

1. Inform your potential ISP(s)
In general, running an exit node from your home Internet connection is not recommended, unless you are prepared for increased attention to your home. In the USA, there have been no equipment seizures due to Tor exits, but there have been phone calls and visits. In other countries, people have had all their home computing equipment seized for running an exit from their home internet connection. So you will need to find a good colo and save your home connection for bridge or middle node use. Plus, bandwidth will be much cheaper in a colo center anyway.

Pick an ISP you can trust, and let them know exactly what is going on. A good first email is to ask them if they have an AUP you can read if you can't find one online. You should also ask them if they can provide the services mentioned below in this document, such as additional IP addresses, SWIP, and reverse DNS, and if these services might cost extra.

In a follow up email, you should explain Tor to them, and why it is important to the Internet, the world, and to you, their potential customer. Giving them links to our Tor Users, Tor Overview, Tor Legal FAQ and Tor Abuse FAQ is typically immensely helpful. Mentioning China and the current conflict in Iran are also likely to be helpful. If your ISP is your University, you may also want to peruse this set of recommendations specific to dealing with University administrators.

If your ISP does not approve, all is not lost: you can look into running a middle node, or a much less visible bridge node. It is better to learn this up front, rather than have your Internet connection shut down on you without warning. Exit bandwidth is often scarce, but any node is better than no node.

2. Get a separate IP for the node
Do not route your own traffic via this IP. Having a separate IP allows your ISP to more easily recognize that abuse complaints and DMCA notices can be forwarded to you to be quickly responded to with a boilerplate response, as opposed to cutting off your Internet access or providing your personal information to the copyright cartels.

3. Get recognizable Reverse DNS for this IP
Setting a good reverse DNS name for your exit IP helps to prevent knee-jerk reactions from sysadmins and DoS kiddies alike who run into bad apples coming from your node IP. Something like tor-exit.yourdomain.org or tor-proxy-readme.yourdomain.org is the best bet.

4. Set up a Tor Exit Notice
Once you have a good reverse DNS name, you should put some content there that explains what Tor is for those who see the name and try to visit it via http. If you run your DirPort on port 80 with Tor 0.2.1.x or newer, you can use the Tor config option "DirPortFrontPage" to display a notice explaining that you are running an exit node. A sample one is provided in contrib/operator-tools/tor-exit-notice.html in the source distribution. This way, when someone sees tor-proxy-readme.yourdomain.org in their logs, they hopefully will get the hint and read the notice before flaming you. Be sure to update the contact info and other places marked with FIXME in the notice.

5. Get ARIN registration (if possible)
If you can get your ISP to SWIP your IP block to display a contact and abuse email that you control, this can go a long way toward reducing the aggravation they may feel from dealing with the occasional abuse complaint, because the vast majority of the few complaints that are still made will go to you instead of them.

Having your own SWIP allocation is so important to your success that it is worth specifically offering to pay the ISP extra for it if they initially refuse. RWHOIS is another possibility, but it should be considered a second choice, since most people just check the SWIP record.

To get a proper SWIP record, you should first create an account at ARIN and create POC handles and the ORG IDs for yourself. You must then get your ISP to submit a resource request template that references your POC handles and ORG IDs.

Templates at ARIN change periodically, so some ISPs may be reluctant to do the paperwork for you if it means changing their submission scripts. Again, offering to pay for this service is a good idea, if they initially stall or refuse.

6. Consider a Reduced Exit Policy
If your node is in the USA, you should consider using a reduced exit policy. Excessive bittorrent abuse over Tor unfortunately means you will likely receive a deluge of DMCA abuse complaints. We (including the very smart lawyers at the EFF) believe Tor nodes qualify as transmission providers under DMCA 512(a), not 512(c). This makes them exempt from "notice and takedown" procedures, including the need to issue "putback" responses. The EFF has even prepared a template response for improper DMCA 512(c) takedown notices that you can use.

However, your ISP may see things differently. If the abuse complaints are arriving in their staff's inbox, they may just want them to stop coming so they do not have to spend resources dealing with them, regardless of their merit. If they still won't provide SWIP registration, you can try a reduced exit policy. Other operators have had great success with using a reduced exit policy consisting of ports 20-23, 43, 53, 79-81, 88, 110, 143, 194, 220, 443, 464-465, 543-544, 563, 587, 706, 749, 873, 902-904, 981, 989-995, 1194, 1220, 1293, 1500, 1723, 1863, 2082-2083, 2086-2087, 2095-2096, 3128, 3389, 3690, 4321, 4643, 5190, 5050, 5222-5223, 5900, 6666-6667, 6679, 6697, 8000, 8008, 8080, 8087-8088, 8443, 8888, 9418, 9999, 10000, and 19638. In fact, the operator of 4 of our fastest exit nodes has reported that after switching to this policy from the default, the bittorrent DMCA complaints ceased immediately.

With that list, the only abuse complaints you should see will come from occasional comment spam (ports 80 and 443), email spam to misconfigured email servers (ports 465 and 587 are supposed to be for authenticated SMTP only), and misconfigured NNTP servers (port 563 is authenticated NNTPS). You may want to review Moritz Bartl's abuse complaint template set, as well as the Tor Abuse Template set, and the Tor Abuse FAQ for information on how to handle these rare cases, when they do come up.
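The reduced exit policy above, written out as torrc ExitPolicy lines and then checked port by port, as an added example that is not code from the original post or from Tor itself. It assumes Tor's documented first-match rule for exit policies (the first matching entry wins, and the trailing reject *:* catches everything else); the parser only handles the *:port, *:lo-hi and *:* forms used here, not address patterns.

```python
import re

# Port list exactly as given in the post: single ports and inclusive ranges.
REDUCED_EXIT_PORTS = (
    "20-23, 43, 53, 79-81, 88, 110, 143, 194, 220, 443, 464-465, 543-544, 563, "
    "587, 706, 749, 873, 902-904, 981, 989-995, 1194, 1220, 1293, 1500, 1723, "
    "1863, 2082-2083, 2086-2087, 2095-2096, 3128, 3389, 3690, 4321, 4643, 5190, "
    "5050, 5222-5223, 5900, 6666-6667, 6679, 6697, 8000, 8008, 8080, 8087-8088, "
    "8443, 8888, 9418, 9999, 10000, 19638"
)

def torrc_exit_policy(ports=REDUCED_EXIT_PORTS, per_line=8):
    """Return torrc lines: "accept *:<spec>" entries followed by "reject *:*".

    Tor walks ExitPolicy entries in order and stops at the first match, so the
    catch-all reject must be last; placed first it would shadow every accept.
    """
    specs = [p.strip() for p in ports.split(",")]
    lines = []
    for i in range(0, len(specs), per_line):
        chunk = ", ".join(f"accept *:{s}" for s in specs[i:i + per_line])
        lines.append(f"ExitPolicy {chunk}")
    lines.append("ExitPolicy reject *:*")
    return lines

# Only the "*:port", "*:lo-hi" and "*:*" forms used above are handled here;
# address patterns such as 10.0.0.0/8:* are out of scope for this example.
_ENTRY = re.compile(r"^(accept|reject)\s+\*:(\d+|\*)(?:-(\d+))?$")

def parse_policy(lines):
    """Turn "ExitPolicy <entry>[, <entry>...]" lines into (action, lo, hi)."""
    rules = []
    for line in lines:
        _keyword, body = line.split(None, 1)
        for entry in body.split(","):
            m = _ENTRY.match(entry.strip())
            if not m:
                raise ValueError(f"unsupported ExitPolicy entry: {entry!r}")
            action, lo, hi = m.groups()
            lo_i, hi_i = (1, 65535) if lo == "*" else (int(lo), int(hi or lo))
            rules.append((action, lo_i, hi_i))
    return rules

def exit_allowed(port, rules):
    """First matching rule decides; with no match at all, treat as rejected."""
    for action, lo, hi in rules:
        if lo <= port <= hi:
            return action == "accept"
    return False

if __name__ == "__main__":
    print("\n".join(torrc_exit_policy()))
    rules = parse_policy(torrc_exit_policy())
    # 6881 (BitTorrent) and 25 (unauthenticated SMTP) fall through to the reject.
    for port in (443, 587, 22, 6881, 25):
        print(f"{port:5d} -> {'accept' if exit_allowed(port, rules) else 'reject'}")
```

Paste the printed ExitPolicy lines into your torrc; the port check is a quick way to confirm that a destination port a complaint mentions was actually reachable through your policy.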

7. Rate limit and optionally QoS your node
I've recently conducted some measurements that showed that nodes that used Tor's BandwidthRate config option to set a limit slightly below their actual capacity were much more reliable than those that did not. Along these lines, it may also be useful to use this Linux-based QoS script to prioritize your Tor IP traffic below other traffic on your machine. Similar QoS can also be achieved via DD-WRT, OpenWrt and of course via commercial routers. If you do use QoS other than that script, you should ensure that you provide Tor with a reasonable minimum bandwidth so that it does not starve when you do other things. Somewhere between 33 and 50% of your connection is a reasonable minimum value.

8. Consider creating an LLC to run your node
If you are a high capacity exit node operator, you should consider forming an LLC or similar corporate entity for several reasons.

First, as a high capacity exit node, you may wish to collect donations from others who are unable to run exits themselves but would still like to support the effort. Creating a separate entity with a separate bank account is a really wise idea once outside money becomes involved.

Second, corporate entities provide you with some level of shielding against headaches. Typically, you are required to list a legal representative to act on your behalf to accept legal service and to answer complaints (an Agent for Service of Process). In the United States, this point of contact is the only public piece of information you are required to give anyone about your corporate entity. This point of contact doesn't have to be you, and organizations exist to provide this service at nominal fees ($50/yr). This means that if someone decides to pay a visit, they are visiting this publicly listed legal point of contact, as opposed to your home.

Third (but related to the above), a corporate entity immediately and implicitly signals that you are legally savvy and not easily intimidated by empty legal threats. For example, some companies for some reason see legal threats as a better solution to crawling abuse than, say, implementing a CAPTCHA. No one has yet brought suit against any Tor operator, but having a corporate entity as that operator tells any potential trigger-happy litigants that you are not likely to be easy pickings.

In the US, the cost of setting up an LLC with good privacy protections is between $100-$1000/yr, depending upon the state you incorporate in and the services you contract from independent providers (such as preparing and filing the paperwork for you, and phone+mail forwarding). States that have laws that make this process easy are Nevada, New Mexico, Wyoming, Montana, and to a lesser extent Delaware. States to avoid include Massachusetts and California (though the latter cannot be avoided if your ISP is also in California -- you must pay a $900 'franchise fee' to CA if you do most of your business there, regardless of incorporation).

You do not have to be a resident of a state to incorporate there. In fact, in most of the states listed above, you do not even have to be a US citizen. It is also never too late to switch your existing exit nodes from your personal control into the hands of a newly formed LLC. All you need to do is inform your ISP, and have the newly formed LLC begin paying the bill from its bank account.

We do not want to recommend specific services here, because we have not personally used them all, but full-service remote incorporation services for those states are easy to find on the web.

That's it! Happy operating!

Because this post was written years before this first seizure. And the seizure wasn't because it was a Tor exit, it was because the IP showed up in some log file for some site they were investigating. Meaning, ICE didn't target Tor exit nodes, they were trolling for IP addresses and this exit node was caught up in it.

Right. But there was a reason that the Tor Exit was caught up in it, and having any reason at all to get caught up in legal issues is an unacceptable risk to some.

Anonymous

September 23, 2011

Been running a Tor exit node on an unencrypted wifi bridged to my home 5 city blocks from me. Still up and running after 1 year.

Seemed like a good use for an old laptop and an extra alpha card and a cheap outdoor panel antenna.

After I wiresharked 1k of user names and passwords I stopped logging and just left the thing on.

#lowhangingfruit

Anonymous

September 30, 2011

Been trying to run a relay for a month but all I get is a message (NO UPNP FOUND).
I am stuck, please help!!!

Anonymous

November 04, 2011

Hi.
Please explain the implications of running anti-virus and/or internet security applications.

Every now & then I get notified by mine that tor is accessing such content. I'm glad that my security software catches these, but there are two portions to this:

* If my AV/IS stops this, it never gets to the recipient?
* If this is visible to my AV/IS, it's visible to my OS. Therefore, if my AV/IS doesn't catch it, surely I could still be compromised?

Anonymous

December 04, 2011

Congrats,

Tor is only used for child porn, piracy and credit card fraud.
This whole project offers nothing but a method for criminals to subvert protection.

The law is catching up to the internet; this was not the original intention of DARPA. You're causing great harm to the economy.

This goes before the NCIC board soon; I would suggest you don't run exit nodes in North America. Your ISPs will be served under the PROTECT IP Act that looks like it will pass. Hence you will be breaking a federal mandate for infrastructure protection.

Peace through superior firepower - an unnamed government employee.

Dear Anonymous/Congrats,

Well, it's certainly refreshing to know that I am (apparently) a pirating, credit-card-stealing child pornographile ... boy, are there going to be a few surprised people who know me!

Tempted as I am to resort to name-calling & labeling, I shall not do so in your case .... it's just not worth the effort.

I use Tor (surprise surprise) because I don't especially enjoy being tracked, analysed or otherwise presumed guilty of something, simply because I am online. I also GPG encrypt my email and access many things in the most secure manners feasible. Am I a criminal or a terrorist? No, not even a bit. But I do have a reasonable expectation of privacy ... basically, unless you have solid grounds to suspect me of illegal activity, then the contents of my "Hi Mom, how's it going?" emails are none of your business (nor of Government, Federal Agencies, Google, DMCA and anyone else feeling some bizarre 'right' to see what's there).

Help for the congenitally stupid, please ... how do you qualify your statement "You're doing great harm to the economy."? I await a response with some interest (but not a lot of hope - please prove me in error here...).

BTW, being a Government employee does not mean you are obliged to check your intelligence and ethics in at the door ... there is still scope for being human. The Borg are not yet in complete control ...

Peace through superior means - an unnamed Human Being.

Dear Congrats/Anonymous,

Forgive one more question - please explain in Simplified Plain English what you mean by "subvert protection" ....

Whose protection? Subversion how? Help! I am a Bear of Little (and rapidly shrinking) Brain ...

Yours in Piracy, Fraud and Pornography.

You sir, make me proud to be an American. If you are concerned with credit card companies profits, join the club... There are plenty of people in Washington lobbying congress that (are paid to) share your concern. If you are worried about stopping kiddy porn (I still don't understand the correlation between anonymity and the production of said brand of porn- but call me crazy), go volunteer as a big brother for some poor kids, or join one of the many organizations that actually fight child abuse without censoring everyone and everything. Studies have shown that focusing on at risk children or even abused children mitigates the risk of abuse much more effectively than prosecuting pedophiles AFTER THE CRIME HAS BEEN COMMITTED.
Lastly, although I believe people who have the time to post stuff like this in places like this are simply trolls (that are usually paid by some trade group that advocates for a certain industry), maybe you can ask your bosses or yourself to enlighten us on how anonymity decreases profits for media companies. Every study I have seen that was compiled by a neutral observer cannot show a correlation between anonymity and loss of profits... I'll be holding my breath waiting for a response. Troll

Anonymous

December 18, 2011

Thank you for all of these comments. Not to play Mr. Censor, but for the purpose of trying not to arouse suspicion or ire from government officials, from the community, or even defy my own personal ethics: is there a way to have a TOR exit but still "filter" sites or content for ethically or, more importantly, legally wrong subjects like child porn or illegal content sharing?

My understanding is that you can do a fair bit to reduce the chances and frequency of abuse of your TOR exit (with reference to your desire to be able to filter legally/ethically suspect traffic) ... but, much like the USPS or any other carrier service (digital or otherwise), all you can do is reduce incidence/likelihood.

I am as yet unaware of any way to definitively stop the bad-apple traffic. Aside from just not having TOR. Or the ol' InterWeb ...

Of course you can filter in- and out-bound traffic on an ExitNode, but you would or you should get a BadExitNode flag if you do that. The main purpose of Tor is to provide anonymity and fight censorship.
If you start looking at the traffic then you are only one step from censoring it.
Who decides what is worth censoring and what is not?
Would you like to try e.g. 10 ExitNodes until you find one that says "ok I won't filter your traffic"? If ExitNode operators start to do such a thing then the whole purpose of using Tor is gone. There is a strict "don't look at and don't touch the traffic" rule.

Anonymous

January 26, 2012

This blog is an exact representation of competence. I like your recommendation. A great concept that reflects the writer's thoughts. Consultoria RH

Anonymous

March 09, 2012

Anonymous "Censor"

If you want to attempt to block access to unsavory destinations and decrease chances of trouble, you could try running filtering software such as Peer Block. AFAIK this would still allow use of Tor for most purposes. As for a bad exit node flag, I have no idea if that will happen or not. Cheers, A New Relay Runner.

Anonymous

March 10, 2012

This seems like too much trouble for what it's worth to be honest. The amount of friggin configuration required outside of the box is just unbelievable....

Not worth it, methinks; especially if I'm going to possibly be served DMCA notices!!!

Anonymous

March 16, 2012

ICE didn't target Tor exit nodes, they were trolling for IP addresses and this exit node was caught up in it.
True. My thoughts exactly.
-Forex Brokers