IRC Archive / Oftc / #tor / 2010 / May / 9 / 1
simNIX
I'm trying to find minimal system specs needed to be tor relay (besides bw)
BarkerJr
depends on the bandwidth
simNIX
I think about setting it up on a 1Ghz cpu with almost 1Gb of ram - besides tor it should be able to be webserver - of fbsd
I think 30/30 k is max I can spare
BarkerJr
that should be plenty
simNIX
k - tnx for info
BarkerJr
hard for me to say on the CPU... I use virtual servers, so dunno what they are cpu-wise
Sebastian
30/30 shouldn't need much
simNIX
any guess on with how many bw my box would cripple ?
Sebastian
my relay has a 200kB/s limit
it uses 100MB of ram and 7% of a 2ghz core currently
simNIX
ow
Sebastian
pretty irrelevant
simNIX
yup
Sebastian
Make sure to use version 0.2.1.26/0.2.2.13-alpha or later
simNIX
I'll check what current version in ports is
current version is 0.2.1.25 and dev version in ports is 0.2.2.13.a - last one you recommend
ty
Sebastian
0.2.1.25 uses lots more resources
you can try it, if you want
or you're brave and try the alpha (that's what I'm running)
simNIX
brave enough to try alpha if that's what's recommended - and I will install it in aem if I come across a bug jail so not much of a probl
*brave enough to try alpha if that's what's recommended - and I will install it in a jail so if I come across a bugl so not much of a probl
Sebastian
great
dr|z3d
Tor alphas usually don't carry the same kind of risk as other projects' alphas.. they're generally reasonably stable, and often they offer performance tweaks.
simNIX
good to know - and I can imagine that staying anonymous is a moving target so for me alpha fits
keb
doesn't a node have to allow at least two ports to be called an exit
dandon
wasn't there like a relay counter on the homepage? even few days ago?
BarkerJr
right, 80, 443, or 6667 (pick 2) must be wide open
keb
oic mikeperry explains it in subsequent emails
Kal
Hmm... My Tor instance is assuming the wrong WAN IP.
Do I have to stop and quit Vidalia completely?
keb
isn't it in a dmz
phobos
or, do you have more than one IP?
Kal
I'm trying to run a relay behind a UPnP router.
phobos
does the message log say your orport or dirport is reachable?
Kal
regular residential DSL, so only one WAN IP.
phobos: exactly the problem, they are not reachable because the Tor network isn't even trying to reach the correct IP. I can check the ports opened by UPnP and they appear OK.
phobos
how long have you left it running?
Kal
this morning.
I just restarted quit and re-launched Vidalia. Same problem, still wrong WAN IP.
I wonder if there is a cache that I have to clear or something similar.
keb
did you override the ip in the torrc
phobos
it sounds like, no
Kal
let me check.
nope, no mention of any IP in the torrc.
I think it has to do with my ISP's DNS.
The message log says DNS Hijacking Detected. What happens is that the DNS server is returning the Yellow Pages HK for domains that are not supposed to exist.
keb
did you set a server name in torrc
Kal
keb: no, no server name
keb
then I'm not sure how dns hijacking would affect the ip address tor thinks it is
Kal
Would Tor try to look up my local host name? You know how Unix-like systems sometimes automatically give themselves names like bob.local?
If Tor tried to look up bob.local and got the Yellow Pages HK IP address, that would explain a lot.
keb
hmm there is something weird with .local, some ISPs set that
Kal
because I AM seeing in the message log that the Tor network is testing reachability by connecting to the Yellow Pages HK IP address.
phobos
the way tor detects your external IP is by asking a directory authority
Kal
What directory authority? Within the Tor network?
phobos
yeah
keb
are there rogue directory authorities
phobos
it makes a 1-hop circuit to a dirauth
and the dirauth replies with "here's the source Ip of your connection"
alternatively, you can set an ip in the torrc
keb
so it should not be possible for tor to see the wrong ip unless everything is going through some proxy
or another network interface
phobos
lots of ISPs use a proxy
Kal
Hmm... ISPs in Hong Kong following secret directives from the CCP?
keb
is your computer connecting by wireless to someone else's wifi
Kal
keb: no. I'm connected to my own wifi.
Does 203.198.80.61 ring a bell?
phobos
nope
keb
NETVIGATOR, PCCW Limited, PO Box 9896 GPO Hong Kong
phobos
yeah, saw that
and?
keb
is that your isp Kal
Kal
yes
bogus-nxdomain
oops
I'm digging up more, weird info.
keb
is that the address Tor thinks it is
phobos
well, bogus-nxdomain doesn't affect tor
since tor relays work on ip addresses
Kal
Tor probably got 203.198.80.61 as a response due to a bogus-nxdomain setting in my Buffalo router. It appears that it is an anti-dns-hijacking tactic found on the web.
so 203.198.80.61 is actually NOT Yellow Pages HK.
phobos
I find that unlikely
Kal
There's even a page in Chinese with instructions for DD-WRT and Tomato router firmware.
phobos
since your tor relay is making a one-hop, ssl connection to a directory authority
keb
n219073011113.netvigator.com has address 219.73.11.113
phobos
and does so via IP, not hostname lookup
Kal
keb: that's my IP.
phobos
just put that in your torrc and restart
keb
and tor thinks it is the other one?
Kal
keb: yes.
Strange, I search for 203.198.80.61 in Google and it returns me a thread from an HK forum, which teaches people how to set DD-WRT to use bogus-nxdomain. Coincidentally, the thread is started 7 days ago. You probably don't read Chinese, but here is the page anyway. They mention DNSMasq and bogus-nxdomain=203.198.80.61: http://www.hkepc.com/forum/viewthread.php?tid=1446475
I think I know why they use 203.198.80.61.
It seems to be an address belonging to PCCW, possibly part of their backbone or something. So there are PCCW customers unhappy with PCCW hijacking failed DNS requests towards Yellow Pages HK, and so decide to configure routers to hammer a PCCW server instead for every failed DNS request.
keb
you think your router is masquerading you as that ip?
Kal
keb: I don't know. I have a standalone UPnP utility and it can detect my WAN IP correctly.
keb
someone was talking about using upnp for the "every tor is a relay" idea
Kal
keb: I like "every zombie is a relay" better.
It should be very very very difficult for ISPs to spoof Tor packets, right?
keb
well they can run their own relays if they want
Kal
I still wonder why the Tor network is trying to reach 203.198.80.61 instead of my IP.
keb
did you set your ip in the torrc
Kal
keb: no
keb
they can also run their own tor network if they want. but if you downloaded the package from the Real torproject.org site it should be connecting to the right directory authority servers
Kal
keb: what's the directive for specifying the WAN IP?
keb
Address
Kal
just found it, heh
But I'd really like to find the real problem and fix it. Using the Address directive is only a temporary workaround, it would fail as soon as my router gets a new IP.
keb
are you in control of your router
Kal
keb: ye
keb
how did that nx-domain get into it
Kal
Actually, I think it is quite possible that Tor got the wrong IP from a DNS request and somehow used it. The Tor manual says that the Address directive supports fully qualified domain names.
keb
did you have a domain name as your Address ?
Kal
keb: no, I had no Address directive in torrc at all.
so I'm thinking if this build of Tor somehow defaults to looking up the computer's host name.
keb
well like phobos said tor makes a 1-hop ssl connection to dir auth and that server sends back your ip address
which build did you use
Kal
The latest Vidalia bundle for Mac OS X from the official torproject.org website.
keb
if your dns was hijacked to start with, maybe you got it from someone else
Kal
keb: could some router between my computer and the dir auth have spoofed the packets for the 1-hop ssl connection?
making them look like they come from 203.198.80.61?
I'd doubt it very much. I downloaded it while in Hong Kong.
can you download the Mac OS X bundle signature and paste it somewhere?
keb
if you go to https://check.torproject.org without going through tor what does it say
about your ip address
Kal
Sorry. You are not using Tor.
keb
does it give a ip
Kal
Your IP address appears to be 219.73.11.113 (which is correct)
keb
what if you use http instead
Kal
same
keb
bc72898478749798f7b2e0ece23189dbbb7e80ce vidalia-bundle-0.2.1.25-0.2.7-i386.dmg
that's the sha1sum
gpg sig is at http://paste.uni.cc/20636
though that would be rather hard to fake
Kal
right
so I have a clean bundle.
nsa
or: sebastian committed revision 22305 (/website/trunk/docs/en): Document that the bundles linked from tor-doc-osx are for i386
Runa
:)
nsa
or: [Tor Bug Tracker] #1388 filed by anonymous: #1388: Error parsing PID from output of "ps" - http://trac.torproject.org/projects/tor/ticket/1388
or: Orbot version: 0.2.2.10-alpha-orbot-0.0.5.apk
or: Android version: OpenEclair 1.3
or: Error log:
or: 05-09 16:07:33.754: ERROR/TOR_SERVICE(26501): error: unable to parse[...]
Zax
It would be really nice if Tor could write a log every once in a while to say, "Hey, good job! Somebody is using your bridge node."
At the moment it feels like an exercise in blind faith.
ln5
Zax: if you have the possibility of seeing graphs of bandwidth usage close to your bridge, the tor traffic is easily spotted as traffic in and out are correlating nicely
Sebastian_
Zax: neat idea
please see bug https://trac.torproject.org/projects/tor/ticket/1368
and add your comments
Zax
ln5: Yes, I can run ntop to do that but it logs more info than I want to log about source addresses.
Sebastian_
Zax: I totally understand that concern. Thanks for being a sane bridge operator!
ln5
Zax: ic. what about nload? have you tried that?
another option is running mrtg or similar on a nearby router
Zax
Sebastian_: Thanks, that's it exactly. Obviously somebody else shares my lack of blind faith. :)
Sebastian_
Zax: I wonder who opened that bug... *cough*
Zax
ln5: No I haven't looked at nload, I'll check it out.
Well it's Cc'd to you so it must have been somebody else
Sebastian_
Zax: I'm working on a patch. Please provide your feedback in the bug report so that I can include it in the patch.
Zax
Certainly
Sebastian_
see Reported by:Sebastian;p
nsa
or: [Tor Bug Tracker] #1368 was updated: #1368: Implement a heartbeat log message - http://trac.torproject.org/projects/tor/ticket/1368#comment:3
or: Comment(by zax):
or: Nice idea Sebastian. It's asking a lot of Bridge Ops to run a service but
or: not provide them with any feedback on its usage. Many will seek their[...]
Sebastian
Zax: great thanks
Zax
I should do the thanking. Coming up with the requests is the easy part. :)
Sebastian
ah, no worries. Every now and then I write a patch so that I can write more patches to fix all the bugs I introduced
Zax
Heh, I know that feeling
Karl_Marx
I know Tork != Tor, but this seems like a logical place to ask.
"Not enough info to try network yet" -- What Tork says in its status bar.
I've had Tork running for a while now and it said something about "server not available" in the log tab.
Nevermind.
I just /etc/init.d/tor restart'd!
:|
Ben
Does the Tor Browser Bundle force all connections (i.e. disobedient flash connections) through Tor, or does it rely on simply disabling flash?
Actually, from Freedom House's video it looks like a preconfigured Firefox Portable - so that would mean flash IS still dangerous. Virtual Machine time...
BarkerJr
right, it just disables flash, so you should VM if you want flash
Ben
I'm downloading the old Incognito distro - would use Amnesiac but it's LiveCD only so far (and I need to install things). In fact, I would set up my own VM with connections forced through Tor, except I don't know enough about Linux networking/firewall. I don't trust myself not to leave leaks.
dr|z3d
http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php
d-b
dr|z3d: oh noes!
what shall we do with our already pwned windows
dr|z3d
(Action) chuckles.
d-b
(Action) ahahah go clamwin!
not listed!
non-real time scanners ftw....
dr|z3d
On-demand scanners don't claim to offer the same level of protection.
d-b
um?
you mean non-real time?
BarkerJr
I'm glad I haven't run security software on my windows installs in years
Ben
I don't suppose anybody knows of a flash-based website that DISOBEYS browser proxy settings? I.e. that puts out direct requests for data (e.g. streams) regardless of the user's intended settings? I need it for testing
Sebastian
Zax: Not sure how excited you are about bug 1368, but implementing it will require a small proposal. If you want to get your hands dirty, you might want to start writing that one. Or I'll do it later
jn
If Ben comes back point him to http://decloak.net/ I am not sure if it tries everything flash can do but it might help him.
kjbbb
hey, who is going to the PETS?
Sebastian
[x]
dr|z3d
Do we know if wikipedia's using the DNSEL to block Tor edits?
(Action) suspects it is, but seeks confirmation.
Nevermind. Confirmed.
BarkerJr
only anonymous edits?
dr|z3d