Re: [tor-relays] High speed Relays/Exit nodes

2012-07-26 Thread Julian Wissmann

> Dennis Ljungmark:
>> Hi,
>>  We're currently running 6 different 100-200Mbit relay/guard nodes, and
>> are looking at some issues moving on towards high performant exit nodes.
>> 
>>  There are some administrative issues ( needing another IP block due to
>> the RIPE registration, our ISP doesn't want their name on the exit nodes
>> that we are responsible for )
>> which are generally minor ( are being resolved anyhow ) and then the big
>> stumbling block.
>> 
>> Right now, with iptables modifications ( raw tables hacks to disable
>> conntrack, bucket increases, following the general best practices ) our
>> firewall is running at high amounts of CPU, but coping.  However, once we
>> start introducing Exit Nodes into this equation, things turn sour.
>> 
>> So, since we do not want to trust only routing level separation between
>> Exit Nodes and internal networks, we're going to have to invest into new
>> hardware that can cope with this.  Before this, we tried Ingate firewalls,
>> and they weren't capable of coping with the load of guard nodes.
>> 
>>  ( The traditional "linux box in front" doesn't quite cut it due to
>> networking hardware in most cases. )
>> 
>> So,
>>  in summary,  when you get to the point of actively dealing with 8-900Mbps
>> of Tor traffic ( on top of normal users and others) what hardware is needed
>> to cope with firewalling?
>> 
> 
> Hey Dennis,
> 
> What hardware are you using? In general iptables/netfilter should be
> able to handle more than 200Mb without any trouble at all.
> 
> I wonder if your network card is an issue? What CPUs are you using? What
> versions of OpenSSL and other relevant software are in use?
> 
> All the best,
> Jacob
> 
Also tweaking a few sysctls and playing around with txqueuelen will help.
See https://www.torservers.net/wiki/setup/server. I'll add some more stuff to 
the high bandwidth part of that page in a minute, also. I've done some more 
tweaking towards gbit that certainly helped, which I haven't documented yet.

Julian
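Julian's tips above point at the torservers.net wiki rather than spelling the tuning out. As an added example that is not from the thread, the wiki or torservers.net, the POSIX shell script below audits a relay host offline for two of the things mentioned: the raw-table NOTRACK rules Dennis uses to keep Tor traffic out of conntrack, and the NIC txqueuelen Julian mentions. The Tor ports 9001/9030, the sample iptables-save and ip link output, and the function names are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the torservers.net wiki): an offline
# audit of two tunings the thread mentions, raw-table NOTRACK rules so Tor
# traffic skips conntrack, and the NIC txqueuelen. Ports 9001/9030, the
# sample command outputs and all thresholds are constructed assumptions.

# Constructed `iptables-save` and `ip link show` output so this runs without
# root; on a live relay pass "$(iptables-save)" and "$(ip link show)" instead.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 9001 -j NOTRACK
-A OUTPUT -p tcp -m tcp --sport 9001 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 9030 -j ACCEPT
COMMIT'
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000'

# Return 0 if ruleset text $1 has a NOTRACK (or CT --notrack) rule for TCP
# dport $2 *in the raw table*; a NOTRACK rule in any other table is a no-op.
has_notrack_for_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^\*/ { inraw = ($0 == "*raw") }
        inraw && (/-j NOTRACK/ || /--notrack/) {
            for (i = 1; i < NF; i++) if ($i == "--dport" && $(i+1) == p) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print the qlen of interface $2 from `ip link show` text $1 (nothing if absent).
txqueuelen_of() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        $2 == (ifn ":") { for (i = 1; i < NF; i++) if ($i == "qlen") print $(i+1) }'
}

# Integer percentage of the conntrack table in use (count $1, max $2). When
# NOTRACK coverage is incomplete, a table near 100% silently drops new flows.
conntrack_pct() {
    [ "$2" -gt 0 ] || { echo "conntrack max must be > 0" >&2; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Report on ports $4.. for interface $3, given ruleset $1 and link text $2.
audit() {
    rules="$1"; links="$2"; ifn="$3"; shift 3
    for port in "$@"; do
        if has_notrack_for_port "$rules" "$port"; then
            echo "ok   tcp/$port bypasses conntrack (raw-table NOTRACK)"
        else
            echo "WARN tcp/$port is still tracked; add a raw-table NOTRACK rule"
        fi
    done
    q=$(txqueuelen_of "$links" "$ifn")
    echo "info $ifn txqueuelen=${q:-unknown} (change with: ip link set $ifn txqueuelen N)"
}

audit "$SAMPLE_RULES" "$SAMPLE_LINKS" eth0 9001 9030
```

On the constructed input the audit flags tcp/9030 as still tracked, which is the kind of gap that keeps the conntrack table busy even after "disabling" it for the main ORPort.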

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Call for discussion: turning funding into more exit relays

2012-07-25 Thread Julian Wissmann
On 25.07.2012 at 21:31, delber wrote:

> On Mon, Jul 23, 2012 at 05:14:44PM -0400, Andrew Lewis wrote:
>> $100 is not going to cut it most likely, even for only 100 mbit
>> traffic only. Most providers are really antsy about spam/DMCA reports,
>> and aren't willing to deal with it for that cheap. I'd suspect that
>> you are looking at the $150-$200+ range, at least in my experience.
> 
> We are a small group of people trying to setup something like
> torservers.net in France. We already made quite a bunch of contacts with
> a small amount of french ISP to ask them about hosting Tor exit relays.
> The list is long and we are not over yet. But here is what we know as
> today.
I love it!
> 
> We already have ruled out the three major cheap hosting providers: OVH,
> Gandi and Dedibox. All of them are listed as bad ISPs on GoodBadISPs as
> prohibiting relays in their ToS. What is fun is that exit nodes running
> on their french IPs still account for 2.3353% of total P_exit (out of
> 2.6573% for all french exit nodes).
You can still go do it and try... but I suppose it's not a good idea once you 
run a relay big enough, with a policy that is open enough.
> 
> We have approached some other big commercial ISPs. It was not a formal
> inquiry, but they did not look very happy at the idea of hosting exit
> nodes.
You can also take a look at our wiki at torservers.net/wiki/. There is a list 
of ISPs that we've been in contact with about Tor. We only run nodes with a 
small number of them. That's also on our page/wiki. And please, document your 
ISP contact, so that others don't have to redo that.
> 
> What we have found though, is that several smaller (not-for-profits or
> coops) ISPs would be happy to help the Tor network, provided there is a
> clear legal boundary. Something that our not-for-profit would create.
> The downside is that they are small, so the cost of their bandwidth is
> between a monthly 3€ and 10€ (when it is not even more) for each Mbps
> (95%ile). But they would stand in case of trouble. And some of them have
> an economic interest as using more bandwidth would lower their overall
> cost per Mbps.
Cool! There are also some of those, in Germany. Check them out, too. I don't 
know how cool they will be about Tor, or how much money they'll charge, though.
> 
> One of them is willing to sponsor some of the bandwidth, and it looks
> like a good place to start an initial set of nodes. But even with their
> sponsoring, $100/month will not cover hosting+bandwidth expenses.
True, but I think that you cannot expect Torproject or its sponsor to cover all 
of your costs. There are many who are willing to give money to sponsor Tor 
nodes, and they are the ones who make sure that the operators stay independent 
and diverse by giving their money or effort.
> 
> It might be something desirable though. If external funding does not
> cover all the costs, then we will have to campaign for other donations.
> A good habit, as it makes it more likely that at least some of the nodes
> would survive in case the external funding stops.
If money to kick this off is your problem I'm sure you'll find someone who will 
give it to you. Without a good soul like that, torservers wouldn't exist, 
either.
> 
> -- 
> delber

If you have any questions, or if we can help you guys in any way or want to 
stay in contact just write me an email at this address or julian [at] 
torservers.net. Would be great!

slightly ot: Will you be at the Congress this winter?
It would be nice to meet you there and have a beer or a mate. - Same applies 
to everyone else who will be there.

Julian





Re: [tor-relays] Call for discussion: turning funding into more exit relays

2012-07-25 Thread Julian Wissmann
I largely agree with Sam, I just want to make some additions, here.

> On Mon, Jul 23, 2012 at 2:58 PM, Roger Dingledine  wrote:
>> Open questions we need to decide about:
>> 
>> 1) What exactly would we pay for?
>> 
> 
> As you said, reimbursing users for hosting is probably the best idea
> here, however, we also don't want to get in the situation where users
> feel that they _must_ be reimbursed to run an exit relay. What happens
> if the sponsors funding dries up in a year and no one wants to donate
> bandwidth anymore?
> 
> Perhaps only registered companies should be sponsored — as much as I
> hate to limit the scope of the project, I think this (might) prevent
> abuse to a certain extent. Individuals who wanted to run an exit relay
> of their own could still do so, they would just have to use some of
> the money to form an LLC (or whatever their country's equivalent is if
> the scope of this project extends outside of the US). This gives them
> a bit more of an incentive to separate their Tor node from their
> personal server/computing resources (in the form of limited
> liability), which they should probably be doing anyways.

Please don't forget non-profits, like 501(c)3, under which probably many 
hackerspaces in the US fall, or the German e.V., like Zwiebelfreunde e.V., who 
run torservers.net. 
In general this is the right direction to go. I think organizations are most 
likely to be the most reliable partners for this, and they are easy enough to 
establish. 
Organizations have their own accounting, usually donations to them are tax 
deductible, and they are normally run by more than one person, which allows for 
a certain scalability by sharing work. Overall, this gives them, and you, more 
transparency, and I think that makes stuff like 501(c)3 or whatever equivalent 
in any other country near perfect for everyone involved in this.
> 
>> I think we should aim to constrain ourselves to talking about >=100mbit
>> exits
>> 
> 
> I disagree; as others have said, lots of 10mbit relays will do as much
> for the network as a few 100mbit relays. Most people's use case is
> simply checking email, browsing the web, reading news, etc. which
> don't necessarily need a huge 100mbit relay.

I disagree again. We're on the verge of cheap, affordable 10GBit (as in 
torservers has just gotten an offer for unlimited traffic 10GBit for $750 with 
SWIP from a hoster who seems Tor friendly). This means that 100mbit is getting 
cheaper and cheaper, as does GBit. 100mbit already comes at a price disadvantage 
compared to gbit; we don't need to start on cost-effectiveness of 10mbit, not 
to mention that many people in the west could run 10mbit nodes from home by now.
> 
>> 2) Should we fund existing relays or new ones?
>> 
> 
> It's probably not wise to distinguish between the two. If you only
> fund new relays, you may see a lot of old relays shut down (and then
> restarted as "new relays" to get funding). So you might as well just
> sponsor both. More thoughts on this in a bit.

Exactly. 
> 
>> - Should we prefer big collectives like torservers, noisetor, CCC,
>> dfri.se, and riseup (which can get great bulk rates on bandwidth and are
>> big enough to have relationships with local lawyers and ISPs), or should
>> we prefer individuals since they maximize our operator diversity? I think
>> "explore both approaches" is a fine first plan.
>> 
> 
> "Explore both approaches" sounds good; I think we'll find that
> operator diversity leads to a healthier (more anonymous) network.
> Again, I lean towards small guys that will run a few nodes at
> different data centers, but not sole proprietorships.

Maximize diversity, definitely, but do the organizations approach at the same 
time. Counting in hackerspaces and the existing organizations running Tor nodes 
should give enough diversity for a start, while going organizations only will 
(hopefully) encourage more people to establish organizations around Tor.
> 
>> - For existing relays who pay for hosting…
> 
> Picking a certain monthly transfer target might solve this; so
> existing relays that are fast could apply for aid, and it would give
> slower relays incentive to speed up. The challenge then becomes, where
> do we set this cutoff? I'm inclined to think it could be kept
> relatively low and still be very beneficial for the network.
> 
> 
>> the Tor network must not end up
>> addicted to external funding. So long as everybody is running an exit
>> relay because they want to save the world, I think we should be fine.
>> 
> 
> This is the core of the entire discussion. We might also consider only
> funding relays in areas where we need the diversity by taking into
> account…
> 
>> There's network diversity (AS / upstream network topology), organization
>> and operator diversity, jurisdictional (country) diversity, funding
>> diversity, data-center diversity, and more.
>> 
> 
> …this stuff.
> 
>> 
>> 7) How do we audit / track the sponsored relays?
>> 
>> How should we ch

Re: [tor-relays] Call for discussion: turning funding into more exit relays

2012-07-25 Thread Julian Wissmann
Hi Roger, list
> 
> I want to draw your attention to a thread I've started on the tor-relays
> list:
> https://lists.torproject.org/pipermail/tor-relays/2012-July/001433.html
> 
> In short, we have a funder who wants to sponsor more and faster Tor
> exits, and we're brainstorming about how to use the money in a way that
> makes the network stronger but also doesn't screw up the "community"
> side of the Tor relay operator community. The first step is collecting
> facts about the current fast Tor exit relays.

Awesome!
> 
> It would be great if you could join the conversation and give us your
> perspective (either on the tor-relays list or in private, whichever
> you prefer). I really want to make sure the current relay operators are
> included in the decisions.
> 
> Also, if you are interested in sharing, it would be great to learn
> (separated by exit relay if you run more than one):
> 
> - What do you currently pay for hosting/bandwidth, and how much bandwidth
> do you get for that?
This differs a lot; please all keep in mind that we get supported by some of 
our hosters through cheaper pricing, etc. I'll try to point that out.

nforce.nl
565€ for 100TB outbound traffic on GBit, inbound is free and a second node 
sponsored by them.
2 Tor nodes running on each

axigy
$199 for unmetered GBit (currently down due to law enforcement). This price is 
half of their regular rate.

limehost/voxility
104€ for unmetered, shared GBit
Three Tor nodes running on it

Our 100mbit nodes are actually all sponsored. One by psilo.fr, four by 
defaultroute.net
> 
> - Is it a stable hosting situation? For example, how do they handle
> abuse complaints so far?
We currently only use hosters that SWIP IPs to us, as we've not had good 
experiences otherwise. All of our current hosters are very tolerant when it 
comes to abuses and can be considered stable (not counting in technical 
difficulties that we've had with one node).
> 
> 
> - Is your hosting situation one where it could make sense for us to
> reimburse your bandwidth costs? (Some people have a deal through their
> employer, friend, etc where they don't pay for hosting.)
For some of our nodes it would make sense, for others not so much. 
The problem we face as a non-profit is that, while we get lots of donations, not 
all of them (and especially not the larger ones, as those usually are one-time) 
are plannable. So essentially this would be a great opportunity for us 
(assuming that this would run uninterrupted for more than a year) to get a 
larger amount of long-term plannable funding.
> 
> - Are you in a position to get more bandwidth if you pay more? At what
> rates? We're most interested in sponsoring >=100mbit relays.
Depends on what you mean. 
In the sense of getting more servers: Yes, definitely. For the sake of 
diversity it is hard to estimate, though, as nearly every ISP has a different 
pricing and different reliability. It would probably be hard to find another 
hoster in the limehost/voxility pricerange, but I think that somewhere in 
between axigy and nforce is certainly doable for GBit, which would give 2-3 Tor 
nodes. 
> 
> - Do you have other locations in mind where you would run another exit
> relay if you didn't have to pay for it?
Definitely.
As I've mentioned in my other email, we've got an offer for 10GBit 
unmetered@750€, which is kind of a sweet spot performance/buck wise, and I guess 
that it could handle 8-12 Tor nodes performance wise to satisfy the pipe. It 
would be a large number of high performance nodes run by just one operator, 
though, so I'm unsure if it really is that great an idea :-(

If we're not doing that we'll look into getting at least one other gbit node, 
though.
> 
> - What else should we be asking here? :)
One question, that immediately came to my mind was: How will this affect other 
donors?

Only time will tell, I guess and I hope that people will realize, that it is 
just an additional incentive to get operators to run reliable, fast nodes. 

What about legal stuff?

We haven't had legal problems so far. We're operating out of Germany and have 
a cool lawyer, but what about others? How do they tackle the legal situation, 
and what about covering the financial burden if they get in legal trouble over 
Tor? 
In other words: Do we need a Tor legal fund to go with operator funding, or will 
the community be willing/committed/able to absorb the risks?

Julian

> 
> Thanks!
> --Roger


Re: [tor-relays] How to Run Torservers.net

2012-07-11 Thread Julian Wissmann

> On Wednesday, 11 July 2012, 14:33:55, Moritz Bartl wrote:
>> 6) Be quick in answering abuse. We receive a very small number of
> >> complaints, given that we run high bandwidth nodes. I am actually
>> still surprised how few complaints we get. Roughly 80% are
>> automated reports, which we ignore, and for the rest it is
>> usually good enough to send our default template. See
>> https://www.torservers.net/wiki/abuse/templates and
>> https://www.torservers.net/wiki/abuse/dmca
>> 
> Can you tell how many abuse messages you receive per week?
> 
> Regards

Short answer: ~110 of which we ignore 105
Long answer:
About 15 automated abuses from MediaSentry, Icecat, IP-Echelon and the
likes per day, which we used to automatically answer, but don't bother
about, any more.
Then there are celepar.pr.gov.br and SpamCop from whom we receive the
occasional email and an average of 4-5 regular, "legit" abuse
mails/calls per week. Those are not evenly distributed however! There
are certain "abuse peaks" where we get a lot followed, usually, by
getting none for some time. I also have a feeling (needs confirmation
by me sitting down and plotting our abuses) that it has been getting
less abuse mails over the last year.

Overall those add up to ~110 abuse mails a week of which 105 are
automated and belong to senders who apparently don't care about what
we do/don't care about getting an answer at all/don't react in any
way, like MediaSentry who weren't even reachable by phone.
There are of course, also legit automated abuse mails - I've once had
a wonderful conversation with a guy who apparently also hosts a Tor
node after one of his system's IDS sent an email to us, to which I replied.

Then there are those few abuses from real people. Those can be
anything from police inquiries from all over the world, Interpol,
companies, normal people. Regular subjects range from spam and DDoS
to hacked mail accounts and stuff like that. Every few months there is
stuff like harassment, threats and credit card fraud. There have
however also been police inquiries about terrorism and murder. Gladly
those have been non-recurring, unique events though and I hope it
stays that way.

So about those automated abuses. We took that seriously in the
beginning, answering them, trying to establish contact, explain what
we do. Usually people on the other end were like "We don't care", so
we started ignoring them and yeah, they really don't care and also
won't stop sending stuff.
There have been a few noteworthy exceptions though, like a guy whom
I've had a conversation with after answering an email from his IDS.
Turned out, he hosted a Tor node himself.
So sending a template answer that explains Tor and stuff once or twice
to automated mails can't be wrong, but afterwards it's probably okay to
just start ignoring them, if there's no reaction.

Abuses from real people - Important. Answer! We have templates for the
standard situations, otherwise we write specific responses. We try to
answer within 24h, which works 98% of the time.
Often these inquiries also result in conversations, some short, some
long, some people just wanting more info, some being supportive of
what we do and some very emotional (usually in a negative way). Some
even resulted in hate mails for months.
There are a few unfortunate ones, however. I speak English, German and
a little French, as does everyone else answering abuses at Torservers,
so whenever an email in any other language comes in we usually ask to
resend the request in one of those three languages, else we have to
ignore it.

Julian


Re: [tor-relays] How to Run Torservers.net

2012-07-11 Thread Julian Wissmann
Actually I can offer to publish a bunch of those abuse mails if there is 
interest. 
Just need to find some time to polish them a little- anonymize stuff and maybe 
make some pretty statistics.

Julian


Re: [tor-relays] How to Run Torservers.net

2012-07-11 Thread Julian Wissmann
They usually say that they are ;-) and very often there are 10-15 identical 
Mails.



Geoff Down  wrote:



On Wed, Jul 11, 2012, at 02:33 PM, Moritz Bartl wrote:

> Roughly 80% are automated reports, which we ignore,
How do you decide which are automated?
GD



Re: [tor-relays] What to do about icecat.biz abuse complaints?

2012-04-14 Thread Julian Wissmann
Hi Steve,

we get a lot of those, too. We've talked to them about what we do
about half a year ago and asked them to consider to stop sending
dozens of abuses to us each day. As they didn't seem to be okay with
Tor, though, they said they wouldn't stop sending those, so we started
just filtering and ignoring them.

Julian Wissmann
--
www.torservers.net


> I often get abuse complaints from icecat.biz saying that a "RIP
> attempt" was seen from the IP address of my exit node.  Apparently
> this involves too many connections in a given period of time.
> 
> I've tried to contact them but get no answer from the e-mail
> address included in the abuse reports.  The Administrator listed in
> the icecat.biz whois says he just provides the network and can't
> provide any info about the company or who to contact within it.
> 
> The abuse reports each say that my IP address will be blacklisted
> for a week.  Fine with me. I'd just as soon they blacklist it
> forever but as they are unresponsive to e-mail communication I
> can't tell them that.
> 
> Short of turning my exit node into a middle node, what can I do
> about these frequent abuse reports?
> 
> 