Re: [tor-relays] Amazon abuse report

2013-10-29 Thread I
Is there confusion between using the special version of Tor designed to be a 
bridge on Amazon's EC2 which uses a limited volume of data so to stay within 
the free offer for the free year Amazon offers?


 -Original Message-
 From: mor...@torservers.net
 Sent: Mon, 28 Oct 2013 23:17:15 -0700
 To: tor-relays@lists.torproject.org
 Subject: Re: [tor-relays] Amazon abuse report
 
 On 28.10.2013 22:10, Sanjeev Gupta wrote:
 Since Tor Cloud https://cloud.torproject.org/ suggests running on Amazon
 EC2, I am confused.
 
 Tor Cloud images are configured to act as bridges. You can run non-exit
 relays on Amazon EC2, but the costs are comparatively high. As
 you've found out, Amazon does not allow exit relays.
 
 If you want to run low-cost relays, I suggest you browse through the
 offers at lowendbox.com. If you're up for running an exit (read the Exit
 Guidelines first [1]), contact the ISP(s) if they're okay with that.
 
 --Moritz
 
 [1] https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines
 ___
 tor-relays mailing list
 tor-relays@lists.torproject.org
 https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays






Re: [tor-relays] max TCP interruption before Tor circuit teardown?

2013-10-29 Thread David Serrano
On 2013-10-27 16:35:43 (-0700), Gordon Morehouse wrote:
 
 And, after the boot, I've simulated an aggressive host from another
 machine using hping, and here's the output of 'iptables -L' after
 fail2ban banned the host (LAN IP partly redacted to settle my
 paranoia): http://pastebin.com/1L62z23b

That resulting ruleset will break circuits. Packets from flooding hosts won't
have a chance to reach the '--state ESTABLISHED' rule since they are dropped
before that, from within the fail2ban-tor-syn-flood chain.


  However, do you need fail2ban now that you are throttling SYNs
  without affecting circuits?
 
 Uncertain.  I'd added it as an adjunct to the throttling, hoping a
 temporary placement into the DROP chain would save cycles and memory
 as REJECT ICMP packets would no longer be sent

But you can drop packets in the SYN_THROTTLE chain instead of rejecting them,
without fail2ban. Or you can accept them until a threshold is reached, then
log/reject them up to a second threshold, then silently drop them.


-- 
 David Serrano
 GnuPG id: 280A01F9




Re: [tor-relays] max TCP interruption before Tor circuit teardown?

2013-10-29 Thread Gordon Morehouse

David Serrano:
 On 2013-10-27 16:35:43 (-0700), Gordon Morehouse wrote:
 
 And, after the boot, I've simulated an aggressive host from
 another machine using hping, and here's the output of 'iptables
 -L' after fail2ban banned the host (LAN IP partly redacted to
 settle my paranoia): http://pastebin.com/1L62z23b
 
 That resulting ruleset will break circuits. Packets from flooding
 hosts won't have a chance to reach the '--state ESTABLISHED' rule
 since they are dropped before that, from within the
 fail2ban-tor-syn-flood chain.

Thanks - I really don't understand yet with iptables how to tell in
what order the chains are processed.


 However, do you need fail2ban now that you are throttling SYNs 
 without affecting circuits?
 
 Uncertain.  I'd added it as an adjunct to the throttling, hoping
 a temporary placement into the DROP chain would save cycles and
 memory as REJECT ICMP packets would no longer be sent
 
 But you can drop packets in the SYN_THROTTLE chain instead of
 rejecting them, without fail2ban. Or you can accept them until a
 threshold is reached, then log/reject them up to a second
 threshold, then silently drop them.

Currently this is how it works:

1. accept to the 3/sec burst 6, then reject (iptables)
2. 4 logs of iptables reject in 75 sec = 90 sec ban (fail2ban)

I'd love to do all of the above purely in iptables and eliminate
fail2ban, but is it capable of maintaining state like that (e.g. the
75 second 'watch time' and 90 sec 'ban time')?

This is very new to me, I've always used off-the-shelf iptables-based
packages.  If there are docs I should read which cover this use case
without me having to read for 2 hours before I get there, I'd really
appreciate a link.  And I say that not to be a jerk, but because my
time is stretched really really thin.

Thanks for all your iptables help.  You'll definitely be credited.

Best,
-Gordon M.


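An added example, not from this thread and not Tor project code: a ruleset that implements the three-stage policy David Serrano describes (accept up to a threshold, log/reject up to a second threshold, then silently drop) together with the timed "watch" and "ban" windows Gordon asks about, purely in iptables using the `hashlimit` and `recent` match extensions, so fail2ban is not needed. The ORPort 9001, the chain names SYN_THROTTLE and SYN_BAN and the recent list names tor_watch/tor_ban are assumptions; the defaults reproduce Gordon's numbers (3/sec burst 6, four over-limit hits in 75 s, 90 s ban). The script only prints the ruleset in iptables-restore format; it does not touch the firewall by itself.

```shell
#!/bin/sh
# Added example (not from the tor-relays thread): per-source SYN throttling
# with a two-stage escalation, done entirely in iptables.
#
# Policy for new connections (SYN) to the ORPort, per source address:
#   1. source is currently banned (recent list "tor_ban")      -> DROP silently
#   2. within RATE/sec with burst BURST (hashlimit, per srcip)  -> ACCEPT
#   3. over the rate: record the event in recent list "tor_watch";
#      HITS such events inside WATCH seconds                    -> ban for BAN s, DROP
#      otherwise                                                 -> LOG, then REJECT
#
# Only --syn packets enter SYN_THROTTLE, and INPUT accepts ESTABLISHED,RELATED
# first, so traffic on existing circuits is never throttled or dropped.
# Note: xt_recent caps --hitcount at its ip_pkt_list_tot module parameter
# (default 20), so keep HITS at or below that.

gen_rules() {
    orport=${1:-9001}   # assumed ORPort
    rate=${2:-3}        # accepted SYNs per second per source
    burst=${3:-6}       # burst allowance above that rate
    watch=${4:-75}      # window (s) over which over-limit events are counted
    hits=${5:-4}        # over-limit events within $watch that trigger a ban
    ban=${6:-90}        # ban length (s); rcheck never refreshes the timestamp,
                        # so the ban expires $ban seconds after it was set
    cat <<EOF
*filter
:SYN_THROTTLE - [0:0]
:SYN_BAN - [0:0]
# INPUT: packets on existing connections are accepted before any throttling
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${orport} --syn -j SYN_THROTTLE
# 1. already banned: silent drop until ${ban}s have passed since the ban was set
-A SYN_THROTTLE -m recent --name tor_ban --rcheck --seconds ${ban} -j DROP
# 2. within rate: accept (hashlimit keeps one token bucket per source IP)
-A SYN_THROTTLE -m hashlimit --hashlimit-name tor_syn --hashlimit-mode srcip --hashlimit-upto ${rate}/sec --hashlimit-burst ${burst} -j ACCEPT
# 3. over rate: record this event first, then count events in the watch window
-A SYN_THROTTLE -m recent --name tor_watch --set
-A SYN_THROTTLE -m recent --name tor_watch --rcheck --seconds ${watch} --hitcount ${hits} -j SYN_BAN
-A SYN_THROTTLE -m limit --limit 6/min -j LOG --log-prefix "tor-syn-reject: "
-A SYN_THROTTLE -p tcp -j REJECT --reject-with tcp-reset
# SYN_BAN: start (or restart) the ban clock, then drop
-A SYN_BAN -m recent --name tor_ban --set -j DROP
COMMIT
EOF
}

# Usage: sh syn_throttle.sh print [ORPORT RATE BURST WATCH HITS BAN]
case "${1:-}" in
    print) shift; gen_rules "$@" ;;
esac
```

To load it without flushing existing rules, pipe the output into `iptables-restore --noflush` (run it twice and the INPUT rules are appended twice, so flush SYN_THROTTLE and SYN_BAN first when reloading). On the ordering question: iptables walks INPUT top to bottom; `-j SYN_THROTTLE` jumps into the user chain, whose rules are again tried in order until a terminating target (ACCEPT, DROP, REJECT) matches, and a packet that matches nothing in the user chain returns to INPUT just after the jump. `iptables -L SYN_THROTTLE -v -n --line-numbers` shows the order with per-rule packet counters, which is the quickest way to confirm which stage a test flood is hitting.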


Re: [tor-relays] Amazon abuse report

2013-10-29 Thread Sanjeev Gupta
On Tue, Oct 29, 2013 at 7:49 PM, I beatthebasta...@inbox.com wrote:

 Is there confusion between using the special version of Tor designed to be
 a bridge on Amazon's EC2 which uses a limited volume of data so to stay
 within the free offer for the free year Amazon offers?


Yes, to some extent.  I edited the config, as I was willing to pay for the
extra bandwidth, and enabled an Exit Relay.

I was under the impression that this was permitted.

-- 
Sanjeev Gupta
+65 98551208 http://www.linkedin.com/in/ghane