
Running a Tor Exit, one week in: What I learned and what you should know



I've been running a node since 2003. I first started off running a node in Xen on a server at a colocation datacenter with an un-metered line. The dual Xeon kept up with the demands fairly well. I ran it with the default exit policy with open irc ports. Things went smoothly for many months until my ISP called. The Abuse Department said my IP was reported in a mass irc bot attack against DalNet. I spent some time on the phone explaining Tor, explaining how it's an anonymizing proxy, and how it's used for good in the world. I highlighted that of the megabits of bandwidth it provided 7x24 for many months, this was the first issue. They asked that I block irc ports, and all would be well. I modified the exit policy to block irc ports.


Many more months passed without issue. Apparently, given the lax bandwidth controls, many other customers ran Tor exit nodes as well. The ISP updated their Terms of Service, and notified all of us that running any proxy was now in violation of the ToS. This meant I was at risk of disconnection. I switched to a non-exit configuration. I ran this way for months. I knew full well I was violating the ToS. If I was disconnected, it was my fault. Then the ISP was bought, and the new owners demanded I shut off my Tor node or be disconnected. It was fun while it lasted.







I changed the config to the default exit policy with irc blocked. About a month later, the DMCA Notice bots hit. And boy, they hit like hourly. I set up a procmail recipe to pull the company and supposed infringing content out of their emails and stuff them into a response template based on The Tor DMCA Response Template. After about 3 weeks of this, I switched back to non-exit mode for a month or so. No one asked me to do this, I just felt nervous; or perhaps it was the chilling effect of the notices. And then I switched back to the default-minus-irc exit configuration.
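The two configurations the post above keeps switching between, written out as a torrc fragment. This is an added example, not the author's actual torrc. The reject list after the IRC lines is Tor's documented default exit policy, spelled out in full so the result does not depend on how tor merges defaults with operator-supplied rules; the IRC port range (6660-6669 plus 6697 for IRC over TLS) is the part the operator added. ExitPolicy rules are evaluated first match wins, so the rejects must come before the final accept.

```text
# torrc fragment: default exit policy with IRC ports rejected (added example)

# Operator additions: plain IRC and IRC over TLS
ExitPolicy reject *:6660-6669
ExitPolicy reject *:6697

# Tor's default exit policy, written out explicitly
ExitPolicy reject *:25
ExitPolicy reject *:119
ExitPolicy reject *:135-139
ExitPolicy reject *:445
ExitPolicy reject *:563
ExitPolicy reject *:1214
ExitPolicy reject *:4661-4666
ExitPolicy reject *:6346-6429
ExitPolicy reject *:6699
ExitPolicy reject *:6881-6999
ExitPolicy accept *:*

# Non-exit (middle) relay instead: uncomment either line and remove the accept above.
# ExitRelay 0
# ExitPolicy reject *:*
```

Blocking a port range does not stop the DMCA bots described above; those are triggered by BitTorrent traffic that exits on arbitrary high ports, which is why the default policy already rejects the common BitTorrent and eDonkey ranges but cannot catch clients using other ports.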


I ran an exit node for a few months at a kind-of cheapo ISP in Germany. The first notice from the ISP came after approx. 2 weeks. Some "nice" guy used Tor for credit card fraud. Dealing with the ISP was no problem, the police were another story (after a 2-page email explaining everything in detail they acknowledged that we don't have any logs). Although everything ended well, it is not that much of a pleasant event when the police call in the middle of the night. Since then I run only a middle node because I just can't afford to deal with the police every few days (I am still a student and in serious trouble when something like this happens).


I am trying to run a node on a Toshiba Portege M400 running Gentoo Linux amd64. I'm running the latest vanilla kernel 2.6.25-rc8 and jdk-1.6.0.05. When I try to run your client it is unable to load libavetanaBT.so: "Could not load own library /tmp/abt74884/libavetanaBT.so." It then tries to find the library in my path, but obviously fails because it isn't there... I don't know why it is unable to load the library as it is where it is looking... and the permissions seem to be sane. Is the library compatible with amd64? I have tried to compile avetanaBT separately but it does not compile on 64bit systems.


I gave up running an exit node. I guess I spook easily! A year or so ago my ISP forwarded me a DMCA notice from Universal or something, after running as an exit node for a few weeks. I told them I was running a tor exit node. They said, that's fine, but you still have to follow the TOS which make me responsible for the use of my server, hence I am liable to my ISP. I like my ISP a lot so turned off being an exit node. Too much potential hassle.


But a security researcher and Tor node operator going by Nusenu told The Record this week that he observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017.


The final thing that happened was what I expected. Abuse e-mails started pouring in. Despite malicious users being the minority of Tor users, as an absolute number, there are many of them. In addition to that, the more time the relay is running, the more traffic is going through, and therefore the more e-mails you get, statistically speaking.


In general, the experience of running a Tor Exit Node has been fun, and I was never contacted by any law enforcement agency, nor had anything negative happen to me in relation to that. The KeyWeb staff were very helpful and I recommend running an exit node or two there as well. The entire thing did not consume a lot of time and it certainly helped people out there, using Tor.


Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports commonly affiliated with Tor include 9001, 9030, 9040, 9050, 9051, and 9150. Highly structured Domain Name System (DNS) queries for domain names ending with the suffix torproject.org are another behavior exhibited by hosts running Tor software. In addition, DNS queries for domains ending in .onion are a behavior exhibited by misconfigured Tor clients, which may be attempting to beacon to malicious Tor hidden services.
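The detection logic described above, run over a few constructed flow and DNS records. This is an added example, not code from the advisory or from the Tor Project; the record formats ("src dst proto dport" and "src qname") are an assumption standing in for whatever your flow collector and DNS logs actually emit. Note that the list does two different jobs: 9001 and 9030 are the default relay ORPort and DirPort, while 9050, 9051 and 9150 are the default SOCKS, control and Tor Browser SOCKS ports, which bind to loopback, so those crossing the network indicate an exposed proxy rather than a normal client.

```python
"""Behaviour-based Tor indicators over constructed records (added example)."""
from collections import defaultdict

# Ports the advisory associates with Tor. 9001/9030 are relay-side defaults;
# 9050/9051/9150 are loopback-bound client defaults and should never be seen
# on the wire unless a SOCKS or control port has been exposed.
TOR_PORTS = {9001, 9030, 9040, 9050, 9051, 9150}


def parse_flows(text):
    """Yield (src, dst, proto, dport) from 'src dst proto dport' lines (assumed format)."""
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split()
        yield src, dst, proto.lower(), int(dport)


def parse_dns(text):
    """Yield (src, qname) from 'src qname' lines, lower-cased, trailing dot removed."""
    for line in text.strip().splitlines():
        src, qname = line.split()
        yield src, qname.lower().rstrip(".")


def dns_class(qname):
    """Return 'onion-dns', 'torproject-dns' or None for a query name.

    Matching is label-wise, so 'torproject.org.evil.example' does not count
    while 'torproject.org' and any subdomain of it does.
    """
    labels = qname.split(".")
    if labels[-1] == "onion":
        return "onion-dns"
    if labels[-2:] == ["torproject", "org"]:
        return "torproject-dns"
    return None


def tor_indicators(flow_text, dns_text):
    """Map each source host to a sorted list of the Tor indicators it exhibited."""
    hits = defaultdict(set)
    for src, dst, proto, dport in parse_flows(flow_text):
        if dport in TOR_PORTS:
            hits[src].add(f"{proto}/{dport} to {dst}")
    for src, qname in parse_dns(dns_text):
        kind = dns_class(qname)
        if kind:
            hits[src].add(f"{kind}:{qname}")
    return {host: sorted(items) for host, items in hits.items()}


# Constructed sample data; not from a real capture.
SAMPLE_FLOWS = """
10.0.0.5  198.51.100.7   tcp 443
10.0.0.5  203.0.113.9    tcp 9001
10.0.0.8  203.0.113.20   tcp 9030
10.0.0.9  192.0.2.4      udp 53
10.0.0.12 198.51.100.22  tcp 9150
"""
SAMPLE_DNS = """
10.0.0.5  www.torproject.org
10.0.0.5  dist.torproject.org.
10.0.0.7  example.com
10.0.0.12 exampleonionaddressxyz.onion
10.0.0.9  torproject.org.evil.example
"""

if __name__ == "__main__":
    for host, indicators in sorted(tor_indicators(SAMPLE_FLOWS, SAMPLE_DNS).items()):
        print(host)
        for item in indicators:
            print("   ", item)
```

Treat port hits as low-confidence on their own: ORPort is operator-configurable and many relays listen on 443, so a client whose guard uses 443 produces no port indicator at all. The .onion and torproject.org DNS indicators are more specific, and matching the published relay list against destination addresses is the higher-recall complement to both.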


Note that all of this works without running any entry, relay, or exit nodes. Therefore the only requests that we see as a result of this feature are the requests that were headed for us anyway. In particular, since no new traffic is introduced, Cloudflare does not gain any more information about what people do on the internet.


Some of the best stories in infosec come from the red teams doing penetration tests. This week, [Federico Lago] shares some stories and tips from a recent successful pentest. The single best tip in the write-up is to try scanning ports while specifying the source port as a commonly used port (nmap's -g/--source-port option does exactly this). Apparently many firewalls are misconfigured to allow incoming traffic from these ports when the intention was to allow replies to outgoing traffic: a stateless rule that accepts any packet with source port 53 or 80 lets an attacker who simply binds that source port straight through, where a stateful rule that only admits packets belonging to an established connection would not.


Ars told us about FritzFrog, a new Linux botnet client that spreads through poor SSH password policy. The technical report by Guardicore has the juicy details and the indicators of compromise. You might want to check your servers for an added SSH authorized key, binaries running from nonexistent locations, and a listening socket on port 1234.
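The three host-side checks just listed, as an added example rather than Guardicore's tooling. Each check takes its input as text or a dict so the constructed sample below runs offline; collect_live() shows how the same functions would be fed from a real Linux host (Linux-only, and reading other users' /proc/<pid>/exe links needs root). The sample /proc/net/tcp rows, process paths and key material are all constructed for this example, and the baseline set of known-good keys is an assumption about how you track authorized keys.

```python
"""Host checks for the FritzFrog indicators named above (added example)."""
import os

SUSPECT_PORT = 1234


def listening_ports(proc_net_tcp):
    """Return sorted local ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.strip().splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))  # port is hex after ':'
    return sorted(ports)


def deleted_exes(exe_targets):
    """Given {pid: readlink('/proc/<pid>/exe')}, return processes whose binary is gone.

    The kernel appends ' (deleted)' to the link target when the file was unlinked
    after exec, which is what 'running from a nonexistent location' looks like.
    """
    return {pid: t for pid, t in exe_targets.items() if t.endswith(" (deleted)")}


def unexpected_keys(authorized_keys_text, baseline_keys):
    """Return authorized_keys entries that are not in the known-good baseline."""
    found = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line not in baseline_keys:
            found.append(line)
    return found


def ioc_report(proc_net_tcp, exe_targets, authorized_keys_text, baseline_keys):
    """Combine the three checks into one result dict."""
    return {
        "suspect_port_listening": SUSPECT_PORT in listening_ports(proc_net_tcp),
        "deleted_exes": deleted_exes(exe_targets),
        "unexpected_keys": unexpected_keys(authorized_keys_text, baseline_keys),
    }


def collect_live(authorized_keys_path="/root/.ssh/authorized_keys", baseline_keys=frozenset()):
    """Gather the same inputs from the running host (Linux only; may need root)."""
    with open("/proc/net/tcp") as f:
        tcp = f.read()
    exes = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exes[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # kernel threads, exited processes, or no permission
            continue
    try:
        with open(authorized_keys_path) as f:
            keys = f.read()
    except OSError:
        keys = ""
    return ioc_report(tcp, exes, keys, baseline_keys)


# Constructed sample inputs (not from a compromised host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 90311 1 0000000000000000 100 0 0 10 0
   2: 0A00000C:0016 0A000005:C3E4 01 00000000:00000000 02:000A1B2C 00000000     0        0 90455 2 0000000000000000 20 4 31 10 -1
"""
SAMPLE_EXES = {
    "1": "/usr/lib/systemd/systemd",
    "812": "/usr/sbin/sshd",
    "20417": "/dev/shm/.x/ifconfig (deleted)",  # constructed; binary unlinked after exec
}
BASELINE_KEYS = frozenset({
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBaselineKey00000000000000000 admin@bastion",
})
SAMPLE_AUTHORIZED_KEYS = """\
# managed by configuration management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBaselineKey00000000000000000 admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKeyForDemo backdoor@example
"""

if __name__ == "__main__":
    print(ioc_report(SAMPLE_PROC_NET_TCP, SAMPLE_EXES, SAMPLE_AUTHORIZED_KEYS, BASELINE_KEYS))
```

The port check reads /proc/net/tcp directly rather than shelling out to ss or netstat, which matters on a box whose userland tools may have been tampered with; on a live host also walk /proc/net/tcp6 and check every user's authorized_keys, not only root's.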


EFF has long encouraged students and professors to support the Tor project by running a relay on campus. Universities are supposed to be places where exploration and research of new and controversial topics should be encouraged, where freedom of speech and thought should flourish. Although it saddens us that research of any topic in and of itself has become a suspicious activity, it would be tragic if students stopped exercising their First Amendment rights and stopped exploring freedom-enhancing software tools. Anonymity is one way to more freely explore information online.


There are plenty of reasons why a university may have reservations about running a Tor relay or exit node on campus. We discuss those concerns as well as ways to address potential risk in part two of this post.


For years, students and professors have been running Tor exit and relay nodes on college campuses. Whether part of a research project or as an independent, activist-minded contribution to the Tor project, these instances of Tor have helped to make the network more robust and diverse.


Take the nodes set up at the University of Pennsylvania, for example, where students maintain multiple Tor relays. Or consider the Tor exit node a student was running a few years ago under his desk in a dorm room at Princeton.


In Utah, Jesse Victors, a computer science graduate student at Utah State University is running four relays and two exit nodes at the university as part of his ongoing graduate research into online anonymity tools. He also assists new Tor users in discussion forums and even hosted a Reddit AMA to share his experiences earlier this year.


There are a lot of reasons why a university might be concerned about having Tor traffic exit from their network. In a following post, we offer tips on how to get the conversation started on campus and things to think about when running Tor. It is very important to understand the risks as well as ways to lessen those risks; all of this is discussed in part two of this Deeplink.


So it seems that running a non-exit node would have only benefits (not considering the increased traffic caused by this; assuming Tor does not have any exploitable security vulnerabilities in the relay code to compromise the relaying computer).


Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.


Yes, which is why it is NOT recommended to run tor relays on a home connection. This time it was just a harmless online game, the fun stops when your bank blocks you and completely locks your accounts. My PayPal account got onto a watchlist once maaany years ago (2011 or 2012?) because I was logging in ONCE from the same IP as one of my middle relays. I was getting asked some very interesting questions and it took me weeks and a lot of effort to get my account back at all.


Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.


This attack model was brought to light towards the end of 2016 by a team of six researchers, who presented their findings at the Black Hat Europe 2016 security conference in November and the 33rd Chaos Communication Congress held last week.

