Opened 10 years ago

Closed 9 years ago

#2942 closed defect (wontfix)

Please Update Abuse FAQ To Include ISP Shutdowns Due To Virus Activity

Reported by: pmouse Owned by: phobos
Priority: Medium Milestone:
Component: Webpages/Website Version:
Severity: Keywords:
Cc: porcelain_mouse@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The section "What should I expect if I run an exit relay?" is great and helped me decide to run an exit. But, after about 6 months of operation, my ISP blocked my internet access, twice, because my IP ended up in's reports on two different occasions.

I think it would be really helpful if you added this to the list of things that can go wrong if you run an exit relay. In addition, it would be very interesting if you could include some statistics on how much Tor traffic is associated with malware or how many viruses are designed to use Tor.

From talking to folks on the tor-relays list, I learned that security researchers are actually using Tor to test their honeypots, too. So, it's not just abuses of Tor that could put your IP address on a virus report, but legitimate uses could result in the same thing.

Child Tickets

Change History (3)

comment:1 Changed 10 years ago by phobos

Resolution: wontfix
Status: newclosed

As far as I know, you are the first to run into this. This is not a frequently asked question. We don't know how much tor traffic is associated with anything. Getting this data would mean we would have to record traffic, or pay attention to content, which we cannot do.

One person's virus is another person's teenager talking to 20 people in a conf room.

Your core problem seems to be that your ISP believes shadowserver's data without question.

comment:2 Changed 10 years ago by pmouse

Cc: porcelain_mouse@… added
Resolution: wontfix
Status: closedreopened

Phobos, you're right about what happened to me, but I'm not complaining about my core problem.

The question is "What should I expect if I run an exit relay?" and it is already frequently asked. I'm just saying this possibility should be on the list. It is clearly a possible outcome and I'm just asking that it be added. None of the things on the list happened to me, but they could have and I'm not suggesting that they be removed.

I'm not the only person who has experienced this. Of the three people who replied to my inquiry on the tor-relay mailing list, one had experienced it, one had never experienced it, and another hadn't experienced it and even guessed that data from a honeypot like was involved. So, it was clear from the responses I got that abuse of the tor network by viruses was a real concern for exit operators. I believe the quote was "We need to think hard about viruses on Tor."

(BTW, it is NOT true that you need to monitor tor traffic to post the data I suggested. I meant to suggest that you could just match up exits with available virus infection data. Or take a survey of viruses that are known to use Tor, directly. The statistics would be limited to publicly available data, but much of the data about known viruses is public. I'm willing to help. I didn't mean to imply that the Tor team wasn't doing enough work, already.)

comment:3 Changed 9 years ago by phobos

Resolution: wontfix
Status: reopenedclosed

This can go on the trac wiki if you still think it's a problem. So far, roughly zero people have reported it as a problem. It's not even a frequently asked question we see on -assistants or community-support.

Note: See TracTickets for help on using tickets.