
Running a Tor Exit Node for Fun and E-mails - esnard
https://blog.daknob.net/running-a-tor-exit-node-for-fun-and-e-mails/
======
DominoTree
It's much more fun to run an exit node and inspect the traffic using tools
like the dsniff suite and Suricata.

Back in the day, 90% of the traffic I would see was just people trying to
brute force Hotmail accounts via POP3, but occasionally I'd sniff the
credentials for an IRC-based C2 for a botnet, and I'd log in and wreck the
thing.

~~~
DaKnOb
Well, it's fun to do this and learn from that, however in an exit node it's
not something I'd want to do. People use Tor to surf the web anonymously
(mostly) and have some privacy. There are certainly exit nodes that do this,
and it has been proven by blog posts in the past, however the more nodes that
don't engage in such activities, the better for the network overall.

~~~
nxzero
Would it be possible for Tor to detect sniffing by seeding the traffic with
poison pills that ratted out anyone doing this in bulk?

~~~
j3097736
Yes, see
[http://www.cs.kau.se/philwint/spoiled_onions/](http://www.cs.kau.se/philwint/spoiled_onions/)
and
[http://www.leviathansecurity.com/blog/the-case-of-the-modifi...](http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries)

~~~
nxzero
Makes you wonder why Tor doesn't replicate this and send the nodes ghost
traffic, poison pills, block the IPs, etc.

~~~
makomk
Last I heard, there was basically one guy handling all reports of malicious
exit nodes, and I couldn't even get him to do anything about the ones very
obviously intercepting traffic to Bitcoin wallets and injecting code that
stole people's money

~~~
pjc50
People are communicating with bitcoin wallets _without_ end-to-end encryption?

------
hrunt
The article keeps making reference to the types of users on the Tor network:

> The majority of Tor traffic is legitimate users accessing the web
> anonymously, through insecure networks like Public WiFi, etc.

> Finally, just like with everything else, we have malicious users. [...] That
> last, tiny portion of users is the primary reason people don't run more Exit
> Nodes.

> Despite malicious users being the minority of Tor users, as an absolute
> number, there are many of them.

Where are the facts that form the basis of these statements? I've seen studies
about geographic and network demographics, and there was the disputed study
about how much Tor traffic was related to child-porn, but has someone done a
study on how many users are engaging in abusive behavior through Tor exit
nodes?

Regardless of the number of users, a better question may be what percentage of
the traffic is abusive? It doesn't matter if a minority of the users are
abusive if the majority of the traffic is abusive.

Tor administrators' tendency to dismiss abuse conducted through their exit
nodes as "that's just the way it is to protect anonymity" reminds me of
Twitter's early lack of action against abusive verbal attacks on its service.
Tor's anonymity is analogous to Twitter's free speech, but in both cases,
abuse of those freedoms defines the need for some practical protections in
order to maintain them.

~~~
ryanlol
Tor really sucks for sending abusive traffic, it's slow and blacklisted by
everyone (IME mostly due to problematic users, rather than "hacking" and
such).

Luminati for example offers a much better service, as do the hundreds of
thousands of routers offering unauthenticated SSH tunneling around the world.
Way better speeds, and no blacklists.

> Tor's anonymity is analogous to Twitter's free speech, but in both cases,
> abuse of those freedoms defines the need for some practical protections in
> order to maintain them.

This sounds worryingly like a call to weaken Tor, I really hope it's not.

~~~
andai
What is this mysterious ubiquitous "unauthenticated ssh tunneling"?

~~~
ryanlol
I never really tracked down what exactly causes the vulnerability, but it's a
rather common bug in various SSH implementations (millions of affected
devices). Dropbear is the most commonly affected.

I guess the easiest way to demonstrate it is like this:

    
    
      debug1: Next authentication method: password
      root@117.243.179.217's password:
      debug1: Authentication succeeded (password).
      Authenticated to 117.243.179.217 ([117.243.179.217]:22).
      debug1: channel 0: new [client-session]
      debug1: Entering interactive session.
      debug1: Sending environment.
      debug1: Sending env LANG = en_US.UTF-8
      debug1: Sending env LC_CTYPE = en_US.UTF-8
      login failed: please enter correct username and password
      Login:
    

Notice how for the initial login attempt the SSH server itself will accept any
password, but subsequently the login is handled by the binary set as the login
shell? After the initial "failed" login attempt you can freely open as many
SSH tunnels as you please. You can most likely get RCE from here

------
techsupporter
I really want to like running a Tor exit node but I'm tired of my IP address
being blacklisted to hell and back "just because Tor exit node." (To say
nothing of affecting my neighbors since many of those lists take out the /24
because they can't see that I only have a /27.) I don't mind dealing with
e-mailed complaints but I do mind having my e-mail and other outbound
connections arbitrarily blown to smithereens.

His take on it is interesting since I hadn't considered putting my money
proverbially where my mouth is and signing up for an inexpensive but
standalone service elsewhere. I'll probably give this a whirl.

~~~
arkadiyt
It's pretty much the only way to do it - even running a relay node on your
home network gets you blacklisted (which is frustrating since absolutely zero
malicious traffic originates from your IP). In addition to the reasons you
mentioned, some people have had surprise 6am home visits from law enforcement
for running exit nodes (though it was heartening to read that the author has
not had any bad encounters with LE).

~~~
techsupporter
> even running a relay node on your home network gets you blacklisted

Yeah, that was a fun week when I naively stood up a Tor not-an-exit relay on
my home Internet connection and 40% of the Internet turned into "go away" or
"enter CAPTCHA to proceed" madness.

> some people have had surprise 6am home visits from law enforcement for
> running exit nodes

Oh, right. And I even live in Seattle[0] so best not to do that.

0 -
[http://www.thestranger.com/slog/2016/03/30/23885710/police-g...](http://www.thestranger.com/slog/2016/03/30/23885710/police-go-on-fishing-expedition-search-the-home-of-seattle-privacy-activists-who-maintain-tor-network)

~~~
DaKnOb
There are some providers who "buy" their blacklists from other companies that
specialize in that. They essentially get a list of X IP Addresses / Subnets
and they blindly block them. Providers compete to generate the "largest
blocklist" with "the most bad guys", and therefore end up adding any IP
Address they can find. Tor has been used by criminals at least once, therefore
any address related to it _must_ be bad, right?

~~~
pricechild
Neustar is one of those providers and they obviously don't want to talk to
anyone.

I'm not sure who Amazon Video uses, but they also block relays, not just exit
nodes.

------
mcherm
I don't wish to deal with the headaches involved in running a Tor exit node
(despite this article's claim that the headaches are less than one might
expect). I wonder if there is a way to contribute money to help those who ARE
willing to invest the effort to run these nodes?

~~~
SCHiM
You could just buy a vps and install tor there. I imagine it wouldn't take 30
minutes to set it up for life. For very low costs too, a 1tb of traffic goes
for about 5$ with some memory and 1 core.

~~~
x0
You'd have to be very wary about where you do that though, most VPS hosts
don't mind relays but don't allow exit nodes, some allow both and some allow
neither.

Speaking from experience, DigitalOcean and Vultr seem to be cool with relays.

~~~
ktta
Careful with cloud hosting which don't offer unlimited bandwidth. Although DO
doesn't _really_ charge for bandwidth (right now) it can at any moment it
chooses.

------
kiallmacinnes
Since no one else seems to have mentioned it, am I the only one who noticed
this?

> ... as well as tcp/179, which is used by BGP, and I wanted to avoid the
> exploitation of a particular vulnerability in KeyWeb ;-)

That sounds... Dangerous. Did KeyWeb allow all customers to inject BGP routes?
View full BGP tables? Something else?

------
datenwolf
Regarding the saturation of free socket ports. I see that KeyWeb gives you 2
IP addresses per vServer (and IPv6 enabled, which I assume means a whole /64).
Wouldn't it have been easier to configure Tor to bind to only a single IPv4
address and use the other one for administrative login? As far as I understand
the Linux network stack, port exhaustion happens on a per-address base. So
even if Tor (or anything else) exhausts all the connection ports for one
address you should still be able to get back in via the other address.

------
tehlike
I wonder if there is some nonprofit where donations would go to increasing
exit nodes in Tor. Sounds like a fun thing to do.

I'd certainly put some, and get matching probably.

~~~
iancarroll
[https://torservers.net](https://torservers.net) :)

~~~
tehlike
Very good pointer - thanks. I will be supporting them, I was having fun with
relay nodes before (and ran one for a couple weeks).

------
tmikaeld
We were a KeyWeb customer for years, using it for email and crm for many
clients. When we asked to add corporate VPN to make it more secure and reduce
abuse, they didn't allow it in their dFlat bandwidth terms.

So now they accept Tor exit nodes but not corporate VPN?

Just... Wow.. Talk about priorities.

------
jordigh
Hasn't Tor failed to meet its goal so far? With only 900 exit nodes, it's
totally feasible to block them all, which is exactly what China has done. If
Tor isn't usable for hopping over the GFW, it hasn't yet fulfilled its true
potential, has it?

~~~
AgentME
Hiding the fact that you're using Tor isn't one of the main goals of Tor.

~~~
jordigh
"Tor provides a gateway to the free Internet, bypassing most mediums of
censorship that may be imposed by someone, like for example oppressive
regimes."

People sure seem to believe that getting around censorship is one of the main
goals, though.

~~~
AgentME
Tor does have private bridges into the network that you can request access to,
which is their solution to this issue.

------
pilif
_> I was never contacted by any law enforcement agency_

Not yet. Good luck trying to prove to law enforcement that it wasn't you
downloading child porn. And even if they believe you, they can still arrest you
as accessory. See
[https://www.techdirt.com/articles/20140701/18013327753/tor-n...](https://www.techdirt.com/articles/20140701/18013327753/tor-nodes-declared-illegal-austria.shtml)

No. Until judges start seeing Tor node operators as ISPs, this is way too much
hassle.

~~~
mrswag
Assuming you pay for your hosting in whatevercoins and only connect to it over
TOR, you aren't at risk, right?

~~~
icebraining
If you bought your coins in a traceable way, I wouldn't bet on that.

------
jayess
You can run an exit node that only allows port 80 and 443 traffic. A lot safer
and a lot less bandwidth usage. I ran a server for a couple of years and not
once got a complaint.

~~~
nbraud
The Reduced Exit Policy goes in that direction:
[https://trac.torproject.org/projects/tor/wiki/doc/ReducedExi...](https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy)

It's basically a documented exit policy (i.e. the configuration stating which
outbound traffic you accept to carry) that aims to minimize the potential for
abuse while still allowing useful things.
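
A web-only exit policy like the one described in this sub-thread, with a check that it really replaces Tor's default policy (added example, not from the article or the Tor Project; `sample_torrc` and `audit_exit_policy` are hypothetical names and the torrc is constructed). Tor appends its default exit policy unless the configured policy ends in a catch-all `reject *:*` or `accept *:*`, which is the failure the helper flags.

```shell
#!/bin/sh
# Added example. Constructed sample torrc for an exit that carries only web traffic.
sample_torrc() {
cat <<'EOF'
ORPort 9001
ExitRelay 1
ExitPolicy accept *:80     # HTTP
ExitPolicy accept *:443    # HTTPS
ExitPolicy reject *:*      # catch-all, so Tor's default policy is not appended
EOF
}

# audit_exit_policy (hypothetical helper): reads torrc text on stdin and prints
# the port part of every "accept" rule on one line, in order.
# Exit status: 0 = policy ends in a catch-all rule
#              1 = no final catch-all, so the default policy would be appended
#              2 = no ExitPolicy lines found
audit_exit_policy() {
    awk '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == "exitpolicy" {
            $1 = ""                               # keep only the rule list
            n = split($0, rules, ",")             # rules may be comma-separated
            for (i = 1; i <= n; i++) {
                r = rules[i]
                gsub(/^[ \t]+|[ \t]+$/, "", r)    # trim whitespace
                if (r == "") continue
                last = r
                count++
                split(r, f, /[ \t]+/)
                if (f[1] == "accept") {
                    port = f[2]
                    sub(/^.*:/, "", port)         # keep what follows the last colon
                    sep = (ports == "") ? "" : " "
                    ports = ports sep port
                }
            }
        }
        END {
            print ports
            if (count == 0) exit 2
            if (last ~ /^(accept|reject)[ \t]+\*:\*$/) exit 0
            exit 1
        }'
}

# Stand-alone run on the constructed sample.
sample_torrc | audit_exit_policy
```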

------
fatman13gg
I remembered an article on motherboard about a guy's house raided by FBI for
running an exit node. Now that article rendered a 404. Not sure if publicly
claiming to run an exit node is safe.

------
setheron
If it's that cheap and the bandwidth is limited by the exit nodes, why don't we
just spin up 1000 exit nodes? I'd like to use Tor more if it was a bit
speedier.

~~~
lucb1e
> why don't we just spin up 1000 exit nodes?

People are scared by some horror stories. Terrorism in the traditional sense
of the word, as done by a government, is what is happening here: raid a few
people and the whole community backs off. I have to admit that it makes me
more hesitant too.

> I'd like to use Tor more if it was a bit speedier.

It's more than just having enough bandwidth. Tor picks random servers to relay
through. Say you are in silicon valley and want to connect to Gmail via Tor.
Tor might, in a really bad case, choose a server in Germany, Japan and South
Africa. Now your traffic has to travel from the US to Germany to Japan to
South Africa and to the US again. Limited by the speed of light (light is
slow), that takes a while -- probably almost a second for a single round-trip.
Connecting via HTTPS will suck and online shooter games are out of the
question, no matter whether you have 56kbps or 180gbps available.

In most cases it's a lot better than this, but it remains random chance. I
used Tor daily for a few months and often didn't notice any difference between
normal WiFi and Tor, but sometimes it was also a bit annoying.

~~~
matt_wulfeck
I would say many people are put off by the morality of it. Sure you're helping
people in oppressive regimes avoid censorship, but you're also helping scum in
a way many people aren't comfortable with or want to be connected with.

~~~
lucb1e
Maybe, but this is actually the first time I've heard that point of view. I'm
not saying nobody thinks that, I just haven't heard it before.

~~~
orly_bookz
Really?

TOR interests me but I'd never run an exit node because I'm assuming one of
three things is gonna come out of it: dissidents, criminal activity, or spook
traffic (it was literally made by and for naval intelligence /the CIA).

You can make an ethical argument for the first one but I still don't want any
of those three running out of my machines...

------
micro_softy
Apologies for being stupid but this does not make sense to me:

    
    
      while [ true ];do ssh user@62.141.55.117; sleep 0.1; done
    

Is this the same as writing:

    
    
      while test true; do ...; done
    

Then this would also work:

    
    
      while [ false ]; do ...; done
    

But if the plan is to use the keyboard e.g. INT to stop this loop, why test
anything? One could just write:

    
    
      while :; do ...; done

~~~
yuubi
For a vaguely similar use case (repeat till host is up) I once wrote

    
    
        until ssh ...; do sleep 5; done
    

which stops looping once a connection succeeds.
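
The loop behaviour discussed in this sub-thread, as an added example that is not part of the original posts: `[ WORD ]` with a single argument only checks that the string is non-empty, and a capped version of the `until` retry loop. `test_status`, `retry_until` and `flaky` are hypothetical names; `flaky` is a constructed stand-in for the `ssh` command.

```shell
#!/bin/sh
# test_status WORD: prints the exit status of `[ WORD ]`.
# With one argument, test never runs WORD as a command; it only
# checks that the string is non-empty.
test_status() {
    if [ "$1" ]; then echo 0; else echo 1; fi
}

# retry_until MAX DELAY CMD...: run CMD until it succeeds, at most MAX times,
# sleeping DELAY seconds between attempts. Leaves the number of tries in
# ATTEMPTS; returns 0 on success and 1 when the attempts are used up.
retry_until() {
    max=$1 delay=$2
    shift 2
    ATTEMPTS=0
    while [ "$ATTEMPTS" -lt "$max" ]; do
        ATTEMPTS=$((ATTEMPTS + 1))
        "$@" && return 0
        [ "$ATTEMPTS" -lt "$max" ] && sleep "$delay"
    done
    return 1
}

# Constructed stand-in for `ssh user@host`: fails twice, then succeeds.
CALLS=0
flaky() {
    CALLS=$((CALLS + 1))
    [ "$CALLS" -ge 3 ]
}

# Stand-alone run.
for w in true false ""; do
    printf '[ "%s" ] -> status %s\n' "$w" "$(test_status "$w")"
done
retry_until 5 0 flaky && echo "succeeded after $ATTEMPTS attempts"
```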

~~~
micro_softy

      while :;do ssh ... && break; sleep 5; done

~~~
yuubi
Why? That reminds me of the

    
    
        while(1) {
            if (condition)
                break;
            ...
        } 
    

stuff I've seen too much of and can't explain, instead of just
while(!condition) { ... }.

~~~
micro_softy
I'm not much of a C programmer but I think it's an approximation of an infinite
loop.

    
    
       for(;;){
             if(condition) break;
       }

~~~
yuubi
Yes, that looks exactly analogous, but my question is why people don't use the
perfectly good built-in conditional termination in a while or for loop and
instead add on an if statement.

(Also, I don't understand why a for(;;) loop is more attractive than a
while(1) loop.)

------
doozler
I would be really interested in setting up an exit node and doing my part to
help people with privacy and other issues get access to an open internet.
Where would be the best place to start? I'm afraid that I'm not quite as
technically advanced as the Author of the article so setting up the auto email
responders and such would be difficult - can you just ignore the emails?

~~~
DaKnOb
Hey, it's the Author here.. You don't have to be very technical with that..
There are plenty of tutorials, some are "official" in the Tor Project website,
and some not. Unfortunately you have to reply to these e-mails otherwise they
may follow up or see that you never reply and follow other means of contacting
you. Truth be told, I don't know. I've just read some info on their website.

------
mirimir
> The next, and probably last, thing is the CPU. It is not very important, but
> it's good to have more cores, especially for higher speed relays.

As far as I know, tor daemon is still single-threaded.

With multiple cores, you can run multiple tor daemons. But then there's a
maximum of two instances per IP.

------
Grollicus
5€ / Month for 50MB/s? No way that's fair to the other customers..

~~~
dx034
If the provider accepts it for 8 months without even sending a warning, I
don't see a problem.

~~~
UVB-76
The only reason they won't have cancelled the service is because they haven't
done proper customer profitability analysis.

There is absolutely no way a customer running a Tor exit node with ~50Mbps
traffic 24/7 on a €4,90pm server is sustainable.

~~~
humpdinger
A lot of small providers offer truly "unmetered" bandwidth packages at low
cost because for whatever reason they have contractually overprovisioned their
bandwidth. They lose nothing by giving away unused bandwidth they have already
paid for. Once they attract enough business to consume that bandwidth these
deals go away.

------
Scarbutt
Why does torproject.org make it so hard to find tor standalone?

~~~
mintplant
Because most users should be encouraged to just use the Tor Browser Bundle
rather than, say, trying to make Tor work with their existing browser.

torproject.org -> Download Tor -> View All Downloads -> [Your Platform] ->
Expert Bundle

