
Re: [tor-relays] Comcast blocks ALL traffic with tor relays



Yes, I agree 100% with Danny's summary here, so I have to concede, I did not find enough evidence that Comcast blocks connections *to* tor relays. I apologize. Specifically, I did some tests with ronqtorrelays at risley.net, who is a Comcast Business customer, and he had no problem initiating a TCP connection to my relay, even to a tor-unrelated port.

About the other direction - from tor relays or exits to Comcast:
https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security mentions "Blocks remote access to smart devices from known dangerous sources.". What do you mean by dangerous sources, and does it include tor relays or exits?



It may be down to the fact that “unknown” users connect to the relay/exit and that the average consumer user of the Advanced Security service does not want that. I suspect if someone wants this, it’s best to toggle Advanced Security off.



Seems you do not understand the difference between an exit relay and a non-exit relay. (Nor do the persons who implemented this blocking of traffic from tor relays - this would explain a lot.)

I would first reformulate: unknown and anonymous users may route their traffic through tor, including some attacks (DDoS or worse), and this traffic will look like it originates from a tor *exit* relay. But this is only true about *exit* relays (and then only about some ports, but let's keep it simple). Non-exit relays only send tor-related traffic to other tor relays, never to other destinations. So when a non-exit relay R connects to a computer X, which does not run anything tor-related, you can be sure this connection is not tor-related and is really initiated by R. If we had a tor exit relay E, then a connection E->X could be initiated by E or by a bad guy B who is abusing tor's anonymity. And X cannot tell the difference, so it is reasonable to assume the worst and block this. The traffic from B would really follow the path B->R1->R2->E->X, where R1 and R2 are non-exit relays. You may argue that this bad traffic goes through R1 and R2, but so what? Blocking E->X is sufficient, but you are also blocking R1->X and R2->X.

Here is a basic explanation of relay types by the Tor project itself: https://community.torproject.org/relay/types-of-relays/ . 

Q to community: Is there some better official document explaining the difference between an exit and a non-exit relay? It could be more trustworthy than my explanation (and better written). Most of what I found is about tor exits, like https://community.torproject.org/relay/community-resources/tor-abuse-templates/ .

I can see how a random website does not bother to understand this - see reports in this thread about a bank blocking tor relays. But an ISP's core competency should be networks, so I would expect an ISP to understand the real dangers and apply more nuance than "let's block everything tor-related".


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
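
The exit versus non-exit distinction argued in the message above, as an added example that is not part of the original post: a filter that reads consensus-style `r`/`s`/`p` router entries and puts only relays whose exit policy summary permits exiting on a block list. The relay names, identity strings and documentation-range addresses are constructed, and the input is assumed to be in the full network-status consensus layout.

```python
# Added example: constructed consensus excerpt (nicknames, identity/digest
# strings and addresses are made up; addresses are documentation ranges).
SAMPLE_CONSENSUS = """\
r RelayR1 AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
p reject 1-65535
r RelayR2 CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 198.51.100.20 443 0
s Fast Running Stable Valid
p reject 1-65535
r ExitE EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 00:00:00 203.0.113.30 9001 0
s Exit Fast Running Stable Valid
p accept 80,443
"""


def parse_relays(text):
    """Collect address, flags and exit policy summary for each router entry."""
    relays, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            # r <nick> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
            cur = {"nickname": parts[1], "address": parts[6],
                   "flags": set(), "policy": ["reject", "1-65535"]}
            relays.append(cur)
        elif cur is not None and parts[0] == "s":
            cur["flags"] = set(parts[1:])
        elif cur is not None and parts[0] == "p":
            cur["policy"] = parts[1:]
    return relays


def can_exit(relay):
    """A relay that rejects every port never connects to non-tor hosts for users."""
    return relay["policy"] != ["reject", "1-65535"]


def exit_only_blocklist(relays):
    """Addresses whose traffic may have been relayed for an anonymous user (E->X)."""
    return sorted(r["address"] for r in relays if can_exit(r))


def overblocked(relays):
    """Addresses a 'block everything tor-related' rule adds needlessly (R1->X, R2->X)."""
    return sorted(r["address"] for r in relays if not can_exit(r))
```

An exit relay can send exit traffic from an address other than the one on its `r` line, so OR addresses alone do not give a complete exit list.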