Policy on Running Tor Exit Nodes

What is the policy on running a Tor exit node (http://www.torproject.org/) on ones Linode?

Like most technologies, Tor can be used for both good and bad purposes. Some of the good purposes, from the website:

"Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. …

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. … Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.

Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they're in a foreign country, without notifying everybody nearby that they're working with that organization."

However, it's also possible to abuse Tor. Those engaged in malicious computer attacks may use Tor to hide their identity. The end result is that harmful traffic can, in some cases, emerge from a Tor exit node. The administrator of the exit node has no control over this.

I hope it's OK to run a Tor exit node on my Linode, but I would also understand if that's a headache Linode.com would rather not deal with.

Thanks for your time, and I look forward to your answer.

12 Replies

I can't comment on whether or not it's against the AUP to run an exit node. However, it would seem that this could generate a ton of traffic - if you're not careful, you could easily go way over your monthly alloted bandwidth. I'm not sure if the tor daemon has a means of setting bandwidth speed/transfer limits, but it's something to think about.

-erik

In simple terms:

We don't explicitly restrict you from running a tor exit node, but we have had clients running one that end up getting a lot of AUP violations (because of attacks/scans coming out of their node).

Eventually, we'd run tired of handling these and ask you to knock it off :)

-Chris

Yea, I got a notice. By default, unless you specify a more restrictive exit policy people can and will your node for doing Vulnerability scans. So open port 80 at your own risk.

Sorry to ask a somewhat selfish (and ignorant) question… But could someone running a tor exit node on their linode affect other linodes on that machine? If it were used for something malicious, could there be repercussions for the other linodes on that machine? Somehow it sounds a little risky in a shared environment, but I know very little about it…

@xerbutter:

If it were used for something malicious, could there be repercussions for the other linodes on that machine?

A Tor exit node is more likely to generate a lot of complaints about abuse like port scanning - that makes work for Linode - than cause harm to other customers. At worst, Tor abuse could prompt a DDoS attack, which might affect that Linode host or even all Linodes at that datacenter. If that happens, the affected IP gets null routed and Linode asks the Tor operator to "knock it off". If they carry on, Linode invites them to take their business elsewhere.

My take on this:

People using tor as an anonymizer when conducting VA and/or port scans aren't going to be targeting linodes…I mean, they may, but that would be highly irregular, like biting the hand that feeds you…kinda dumb. More likely, they're going to bue using Tor as a conduit to attack/scan their targets. At most, the sheer traffic may impact the linode host the Tor conduit, and if the impact is high, the neighboring linode hosts may be affected.

IMO, I don't think there is a direct danger of vulnerability scans and attacks to the linodes themselves, but since the traffic will go through the linode hosting the service, linodes may be affected indirectly.

The trouble starts when people complain (to Linode or their connectivity supplier - the IP address assignee) about the port scans or start revenge attacks on the source.

I understand and agree, but there's still no REAL danger to the linodes themselves, which is where the discussion turned after xerbutter's question. Also, what looks like a port scan isn't always a port scan…I've seen legit Netbios connectivity (yeah, internal to a LAN) perceived as port scanning simply because of the amount of the traffic itself. I'd be more worried about vuln scans than port scans anyways, but that's just me.

What you're talking about could happen to ANY machine that has an IP, no matter the location. What I'm talking about is a definitive impact to the linodes themselves (loads that may spread to other neighboring linodes).

@unixfool:

What you're talking about could happen to ANY machine that has an IP, no matter the location. What I'm talking about is a definitive impact to the linodes themselves (loads that may spread to other neighboring linodes).
I agree, a Tor exit node isn't going to load the host so other Linodes notice. It does, however, increase the likelihood of a DDoS attack temporarily screwing the network for everyone.

Yeah, that would be an unintentional effect. For it to be intention would imply that someone knows that the Tor end node is a linode and that to attack the end node would affect many machines. The chance of that happening are remote, IMO, but the chance of an unintentional denial of service is quite a bit higher.

@anderiv:

I'm not sure if the tor daemon has a means of setting bandwidth speed/transfer limits, but it's something to think about.

-erik

In /etc/tor/torrc:

AccountingMax 50 GB

Thats 50 GB in and 50GB out, so 100GB in real transit. The accounting period is by default a month.

You might want to up the bandwidth rate and restrict the exit policy to just port 80.

TOR is a wonderful thing. It gives back the freedom of information many governments try to take away. Yes people will abuse it but while we still allow windows machines on the internet there will always be large pools of IPs open for abuse.

You can also rate throttle via iptables, and/or do something with denyhosts or portsentry (deprecated/abandoned but works) to add a 'drop' for anyone scanning you.

I've been doing most of the above (or some variant) on hosts in facilities where I dont have hardware firewalls for ages and I have never once been hacked in years (over 5).

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct