Discussion:
[tor-relays] Suspension of service (ISP Scaleway / tor exit)
Olaf Grimm
2018-09-04 20:27:13 UTC
Permalink
Dear readers,

some days ago I change my relay to an exit relay with a very strict
policy. Today came the suspension message into my regular mail account.
After login into the Scaleway account I saw that the time between the
abuse log message and the deactivation of my exit relay were 6 hours
only. At these time I was at work! I was not able to react of the
message, neither I knew it.

The "abuse message" was a raw firewall log, without spaces hard to read.
I'm not a professional, so I could read only "SYNFLOOD src IP xxxx dest
IP xxxx". That's all.
After I learnt what this is, I responded to the provider that good
providers realize own DDOS protection in the network and protect
customers too. Why log the provider bad outgoing traffic and ignore bad
incoming traffic? They don't know the source of the bad traffic, but
have the customer to beat someone!
The answer field for the reply were some lines only. Without comment
from the ISP the ticket was closed and the VPS locked yet.
I try to delete the old instance and build a new one. If the same occur
I leave Scaleway (and give info about that again).

Now I recommend to set the ISP Scaleway (in France) of the list of bad
providers.

Scaleway message:

Hello,

We have tried to contact you about an abuse report concerning one of your server. Unfortunately at this time you did not reply to this report. As stated in our terms of service, we have suspended your account.

Sincerly,
Scaleway

End message


To avoid a big shitstorm: I know what I do and it is not my first and only exit. Scaleway was the first trouble and in such a way, that I must leave a comment.

To the tor website editors:
It is possible to include a basic abuse protection chapter in the tor documentation (config guide)? I've found some iptable rules, but I use the user-friedly "ufw", the overlay to iptables.
It would be fine if some good guys could help with an easy configuration guide in the config chapter for tor relays.

Have a good time. I feel me better.

Olaf
Volker Mink
2018-09-04 20:29:48 UTC
Permalink
Had the same experience with Scaleway a year ago.
Post by Olaf Grimm
Dear readers,
some days ago I change my relay to an exit relay with a very strict
policy. Today came the suspension message into my regular mail account.
After login into the Scaleway account I saw that the time between the
abuse log message and the deactivation of my exit relay were 6 hours
only. At these time I was at work! I was not able to react of the
message, neither I knew it.
The "abuse message" was a raw firewall log, without spaces hard to read.
I'm not a professional, so I could read only "SYNFLOOD src IP xxxx dest
IP xxxx". That's all.
After I learnt what this is, I responded to the provider that good
providers realize own DDOS protection in the network and protect
customers too. Why log the provider bad outgoing traffic and ignore bad
incoming traffic? They don't know the source of the bad traffic, but
have the customer to beat someone!
The answer field for the reply were some lines only. Without comment
from the ISP the ticket was closed and the VPS locked yet.
I try to delete the old instance and build a new one. If the same occur
I leave Scaleway (and give info about that again).
Now I recommend to set the ISP Scaleway (in France) of the list of bad
providers.
Hello,
We have tried to contact you about an abuse report concerning one of your server. Unfortunately at this time you did not reply to this report. As stated in our terms of service, we have suspended your account.
Sincerly,
Scaleway
End message
To avoid a big shitstorm: I know what I do and it is not my first and only exit. Scaleway was the first trouble and in such a way, that I must leave a comment.
It is possible to include a basic abuse protection chapter in the tor documentation (config guide)? I've found some iptable rules, but I use the user-friedly "ufw", the overlay to iptables.
It would be fine if some good guys could help with an easy configuration guide in the config chapter for tor relays.
Have a good time. I feel me better.
Olaf
_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Nathaniel Suchy
2018-09-04 20:51:57 UTC
Permalink
I run a "browser-only" exit relay at Scaleway, by "browser-only" I mean
only ports 53 (DNS), 80 (HTTP), 443 (HTTPS) and so far it's gone well.
Their support recommends if you run "an open proxy" to check your abuse
inbox daily (See: https://cloud.scaleway.com/#/abuses) as they will suspend
after 48 hours without a response. Still someone could try to send a syn
flood on those ports. Is there any guidance on dropping outgoing syn floods
with netfilter/iptables?

Cordially,
Nathaniel
Post by Volker Mink
Had the same experience with Scaleway a year ago.
Post by Olaf Grimm
Dear readers,
some days ago I change my relay to an exit relay with a very strict
policy. Today came the suspension message into my regular mail account.
After login into the Scaleway account I saw that the time between the
abuse log message and the deactivation of my exit relay were 6 hours
only. At these time I was at work! I was not able to react of the
message, neither I knew it.
The "abuse message" was a raw firewall log, without spaces hard to read.
I'm not a professional, so I could read only "SYNFLOOD src IP xxxx dest
IP xxxx". That's all.
After I learnt what this is, I responded to the provider that good
providers realize own DDOS protection in the network and protect
customers too. Why log the provider bad outgoing traffic and ignore bad
incoming traffic? They don't know the source of the bad traffic, but
have the customer to beat someone!
The answer field for the reply were some lines only. Without comment
from the ISP the ticket was closed and the VPS locked yet.
I try to delete the old instance and build a new one. If the same occur
I leave Scaleway (and give info about that again).
Now I recommend to set the ISP Scaleway (in France) of the list of bad
providers.
Hello,
We have tried to contact you about an abuse report concerning one of
your server. Unfortunately at this time you did not reply to this report.
As stated in our terms of service, we have suspended your account.
Post by Olaf Grimm
Sincerly,
Scaleway
End message
To avoid a big shitstorm: I know what I do and it is not my first and
only exit. Scaleway was the first trouble and in such a way, that I must
leave a comment.
Post by Olaf Grimm
It is possible to include a basic abuse protection chapter in the tor
documentation (config guide)? I've found some iptable rules, but I use the
user-friedly "ufw", the overlay to iptables.
Post by Olaf Grimm
It would be fine if some good guys could help with an easy configuration
guide in the config chapter for tor relays.
Post by Olaf Grimm
Have a good time. I feel me better.
Olaf
_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Paul
2018-09-04 21:00:23 UTC
Permalink
I made the same experience as you several times in the last few weeks with Scaleway.

Usually you have 48 hours to respond - that's at least what they tell you somewhere on their pages.

My impression is that you can place anything you want in your answer - important is your answer within time.

If it happens to often within a short period they seem to get nervous and want to get rid of you (to protect their reputation as they say)

Next time they shut my relay forever they promised :-)

I would doubt that they know anything about tor, or do not care?

Paul

p.s. bad that they offer uncomparable speed/price relation
Post by Olaf Grimm
Dear readers,
some days ago I change my relay to an exit relay with a very strict
policy. Today came the suspension message into my regular mail account.
After login into the Scaleway account I saw that the time between the
abuse log message and the deactivation of my exit relay were 6 hours
only. At these time I was at work! I was not able to react of the
message, neither I knew it.
The "abuse message" was a raw firewall log, without spaces hard to read.
I'm not a professional, so I could read only "SYNFLOOD src IP xxxx dest
IP xxxx". That's all.
After I learnt what this is, I responded to the provider that good
providers realize own DDOS protection in the network and protect
customers too. Why log the provider bad outgoing traffic and ignore bad
incoming traffic? They don't know the source of the bad traffic, but
have the customer to beat someone!
The answer field for the reply were some lines only. Without comment
from the ISP the ticket was closed and the VPS locked yet.
I try to delete the old instance and build a new one. If the same occur
I leave Scaleway (and give info about that again).
Now I recommend to set the ISP Scaleway (in France) of the list of bad
providers.
Hello,
We have tried to contact you about an abuse report concerning one of your server. Unfortunately at this time you did not reply to this report. As stated in our terms of service, we have suspended your account.
Sincerly,
Scaleway
End message
To avoid a big shitstorm: I know what I do and it is not my first and only exit. Scaleway was the first trouble and in such a way, that I must leave a comment.
It is possible to include a basic abuse protection chapter in the tor documentation (config guide)? I've found some iptable rules, but I use the user-friedly "ufw", the overlay to iptables.
It would be fine if some good guys could help with an easy configuration guide in the config chapter for tor relays.
Have a good time. I feel me better.
Olaf
_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Nathaniel Suchy
2018-09-04 21:15:45 UTC
Permalink
For DoS traffic, it'd be nice to have some agreed upon rate limit rules of
obvious syn flood and similar traffic which both stop the attacks, or slow
them down so they don't affect anything and cause complaints, while still
allowing legitimate traffic to flow as normal. Scaleway knows about Tor,
but they are also operating out of France and have stricter legal
requirements to follow - it's understandable they want a rapid response to
any complaints.

My advice for dealing with future complaints...
1) Respond explaining the traffic is coming from the Tor network and you
can't stop entirely but you can stop the traffic from coming from your exit.
2) Block outgoing traffic to the affected IP with your exit policy, if it's
an attack directed towards a website I'd go through DNS Records and block
all related IP Addresses. Perhaps the affected /24 or /16, better safe than
losing out on 100Mbps so of bandwidth or from the Tor network :)
3) BE FAST: Scaleway isn't playing games anymore when it comes to managing
abuse. They're allowing Tor Exits, but only if you are very fast about
managing abuse. If you get to the point where they say next complaint and
they suspend your service - stop running an exit node and operate in relay
only mode. Exit bandwidth is important, BUT, unique guards controlled by a
variety of people are still necessary. It's something to consider if you've
damaged your relationship with Scaleway beyond repair.
4) Maybe only allow DNS, HTTP, and HTTPS ports. That's less port choice for
sending out a syn flood and makes you less likely to get a complaint.

Cordially,
Nathaniel
Post by Paul
I made the same experience as you several times in the last few weeks with Scaleway.
Usually you have 48 hours to respond - that's at least what they tell you
somewhere on their pages.
My impression is that you can place anything you want in your answer -
important is your answer within time.
If it happens to often within a short period they seem to get nervous and
want to get rid of you (to protect their reputation as they say)
Next time they shut my relay forever they promised :-)
I would doubt that they know anything about tor, or do not care?
Paul
p.s. bad that they offer uncomparable speed/price relation
Post by Olaf Grimm
Dear readers,
some days ago I change my relay to an exit relay with a very strict
policy. Today came the suspension message into my regular mail account.
After login into the Scaleway account I saw that the time between the
abuse log message and the deactivation of my exit relay were 6 hours
only. At these time I was at work! I was not able to react of the
message, neither I knew it.
The "abuse message" was a raw firewall log, without spaces hard to read.
I'm not a professional, so I could read only "SYNFLOOD src IP xxxx dest
IP xxxx". That's all.
After I learnt what this is, I responded to the provider that good
providers realize own DDOS protection in the network and protect
customers too. Why log the provider bad outgoing traffic and ignore bad
incoming traffic? They don't know the source of the bad traffic, but
have the customer to beat someone!
The answer field for the reply were some lines only. Without comment
from the ISP the ticket was closed and the VPS locked yet.
I try to delete the old instance and build a new one. If the same occur
I leave Scaleway (and give info about that again).
Now I recommend to set the ISP Scaleway (in France) of the list of bad
providers.
Hello,
We have tried to contact you about an abuse report concerning one of
your server. Unfortunately at this time you did not reply to this report.
As stated in our terms of service, we have suspended your account.
Post by Olaf Grimm
Sincerly,
Scaleway
End message
To avoid a big shitstorm: I know what I do and it is not my first and
only exit. Scaleway was the first trouble and in such a way, that I must
leave a comment.
Post by Olaf Grimm
It is possible to include a basic abuse protection chapter in the tor
documentation (config guide)? I've found some iptable rules, but I use the
user-friedly "ufw", the overlay to iptables.
Post by Olaf Grimm
It would be fine if some good guys could help with an easy configuration
guide in the config chapter for tor relays.
Post by Olaf Grimm
Have a good time. I feel me better.
Olaf
_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Anders Andersson
2018-09-08 07:51:24 UTC
Permalink
Post by Paul
I made the same experience as you several times in the last few weeks with Scaleway.
Usually you have 48 hours to respond - that's at least what they tell you somewhere on their pages.
My impression is that you can place anything you want in your answer - important is your answer within time.
[...]
p.s. bad that they offer uncomparable speed/price relation
These are likely related. They can offer a very competitive price
simply because they don't care much about catering to "special"
customers. So if a script doesn't see a reply within 48 hours your
service is shut off automatically.
Nathaniel Suchy
2018-09-08 18:34:18 UTC
Permalink
If your service is automatically terminated, will they reinstate once
you respond?
Post by Anders Andersson
Post by Paul
I made the same experience as you several times in the last few weeks with Scaleway.
Usually you have 48 hours to respond - that's at least what they tell you somewhere on their pages.
My impression is that you can place anything you want in your answer - important is your answer within time.
[...]
p.s. bad that they offer uncomparable speed/price relation
These are likely related. They can offer a very competitive price
simply because they don't care much about catering to "special"
customers. So if a script doesn't see a reply within 48 hours your
service is shut off automatically.
_______________________________________________
tor-relays mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Loading...