[tor-relays] Identifying a relay

Have a question about how a server I connect to can tell I am running a guard/middle relay. All I can think of is that they check the published list of tor nodes against the IP. Or (maybe, but unlikely) portscan the IP and probe any open ports to determine the service. Are there any other methods that can be used.

Background: The corp my wife works for blocked our IP. The excuse they gave was that it was due to a change made by a vendor they use to identify malicious IP addresses. I have been running the relay for almost 5 years without any previous flagging. They also state that running a middle relay is not in violation of any policy, but the vendor mis-identified our relay as an exit, hence blocking it.

After changing the IP, the new IP was also blocked in less than 24 hours. My feeling is that the vendor is now just using the full list of tor nodes and indiscriminately blocking everything, despite what the corp security folks say.

I'm looking for some sort of validation I can use to counter their claims.

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Hi Eddie

but the vendor mis-identified our relay as an exit, hence
blocking it

The vendor or a service provider for its inbound protection might think:
Hey, this relay claims to be a non-exit but why do we receive a
connection from a non-exit? Bottom line they don't distinguish between
an IP and the relay service. If they put both together the conclusion
makes sense in their wrong (?) perspective. It's a little paranoid I
would say.

After changing the IP, the new IP was also blocked in less
than 24 hours. My feeling is that the vendor is now just
using the full list of tor nodes and indiscriminately
blocking everything

Yup, agree

Do you have IPv6 available for your office traffic, while you use IPv4
for the relay? If you route email and browser along IPv6 you could
resolve the issue.

All the best!

--
Cheers Felix

Eddie,

When experiencing similar issues, the recommended solution I received, from this list, and that seems to work best is a VPN for affected traffic.

With dnsmasq, iptables or reverse proxy, and a dedicated split-tunnel VPN, I shunt affected traffic over the split-tunnel VPN without end-users on my local network even knowing.

Seems to work fairly well.

Best of luck.

Gary


This Message Originated by the Sun.
iBigBlue 63W Solar Array (~12 Hour Charge)

  • 2 x Charmast 26800mAh Power Banks
    = iPhone XS Max 512GB (~2 Weeks Charged)

On Wednesday, June 15, 2022, 11:56:37 PM PDT, Eddie stunnel@attglobal.net wrote:

Have a question about how a server I connect to can tell I am running a
guard/middle relay. All I can think of is that they check the published
list of tor nodes against the IP. Or (maybe, but unlikely) portscan the
IP and probe any open ports to determine the service. Are there any
other methods that can be used.

Background: The corp my wife works for blocked our IP. The excuse they
gave was that it was due to a change made by a vendor they use to
identify malicious IP addresses. I have been running the relay for
almost 5 years without any previous flagging. They also state that
running a middle relay is not in violation of any policy, but the vendor
mis-identified our relay as an exit, hence blocking it.

After changing the IP, the new IP was also blocked in less than 24
hours. My feeling is that the vendor is now just using the full list of
tor nodes and indiscriminately blocking everything, despite what the
corp security folks say.

I'm looking for some sort of validation I can use to counter their claims.


Have a question about how a server I connect to can tell I am running a
guard/middle relay. All I can think of is that they check the published
list of tor nodes against the IP.

Unfortunately, many people do this, often because they have no idea about the
different Tor relays.

Background: The corp my wife works for blocked our IP. The excuse they
gave was that it was due to a change made by a vendor they use to
identify malicious IP addresses. I have been running the relay for
almost 5 years without any previous flagging. They also state that
running a middle relay is not in violation of any policy, but the vendor
mis-identified our relay as an exit, hence blocking it.

After changing the IP, the new IP was also blocked in less than 24
hours. My feeling is that the vendor is now just using the full list of
tor nodes and indiscriminately blocking everything, despite what the
corp security folks say.

Workarounds:
- In Germany, almost every ISP has (www & ftp) proxies for its customers. I
use it generally, also for IRC, then the proxy IP is displayed.
- In Germany we have '¹Freifunk' in almost every city. Firmware is OpenWrt
with wireguard (VPN) and can be flashed on many WLAN APs/routers. I have one
at home too.

¹Anonymous citizens wifi mesh networks. No registration, no logs.

On Wednesday, June 15, 2022 8:17:54 PM CEST Eddie wrote:

I'm looking for some sort of validation I can use to counter their claims.

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

There are block list providers which have Tor exit relay lists and sell those lists to their customers.
Maybe they extend their algorithm to all Tor relays.

Anyway, "Do not run a relay at home." might be a solution.

On 6/15/22 20:17, Eddie wrote:

I have been running the relay for almost 5 years without any previous flagging.

--
Toralf
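Eddie's opening question (how a server can tell an IP is running a relay) and Toralf's point about exit lists being extended to every relay both come down to how the published consensus is consumed. The following Python is an added illustration, not code from anyone in this thread or from the Tor Project: it parses a constructed consensus-style snippet (made-up nicknames, identity strings and documentation-range addresses) and shows that keying a block list on the Exit flag leaves a guard/middle relay unblocked, while a naive "any relay in the consensus" rule blocks it.

```python
"""Classify an IP the way a block-list vendor consuming the Tor consensus might.

In a Tor network-status consensus each relay is described by an 'r' line
(nickname, identity, [digest,] published date and time, IP, ORPort, DirPort)
followed by an 's' line listing its flags. Only relays carrying the 'Exit'
flag can be the source of a connection leaving the Tor network, so a
"Tor exit" block list should key on that flag rather than on mere presence
in the consensus.
"""
from typing import Dict, Set

# Constructed sample in consensus format. Nicknames, identity strings and
# addresses (RFC 5737 documentation ranges) are made up, not real relays.
SAMPLE_CONSENSUS = """\
r ExampleExit AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2022-06-15 12:00:00 198.51.100.10 9001 9030
s Exit Fast Guard Running Stable Valid
w Bandwidth=12000
p accept 80,443
r ExampleMiddle CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2022-06-15 12:05:00 203.0.113.7 9001 0
s Fast Guard Running Stable Valid
w Bandwidth=8000
p reject 1-65535
"""


def parse_consensus(text: str) -> Dict[str, Set[str]]:
    """Return a map of relay IPv4 address -> set of consensus flags.

    Handles both the full consensus 'r' line (9 fields, with digest) and the
    microdescriptor-consensus variant (8 fields, no digest).
    """
    relays: Dict[str, Set[str]] = {}
    current_ip = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            if len(parts) == 9:        # r nick id digest date time ip orport dirport
                current_ip = parts[6]
            elif len(parts) == 8:      # r nick id date time ip orport dirport
                current_ip = parts[5]
            else:
                current_ip = None      # malformed line: ignore its flags
                continue
            relays.setdefault(current_ip, set())
        elif parts[0] == "s" and current_ip is not None:
            relays[current_ip].update(parts[1:])
    return relays


def classify(ip: str, relays: Dict[str, Set[str]]) -> str:
    """Label an IP as 'exit', 'non-exit relay' or 'not a relay'."""
    flags = relays.get(ip)
    if flags is None:
        return "not a relay"
    return "exit" if "Exit" in flags else "non-exit relay"


def should_block(ip: str, relays: Dict[str, Set[str]], exits_only: bool = True) -> bool:
    """Decision a block list would make for an inbound connection from `ip`.

    exits_only=True is the defensible rule: only exits can originate Tor
    traffic toward the server. exits_only=False reproduces the over-broad
    "block every relay in the consensus" behaviour described in the thread.
    """
    label = classify(ip, relays)
    if label == "not a relay":
        return False
    return label == "exit" if exits_only else True


if __name__ == "__main__":
    table = parse_consensus(SAMPLE_CONSENSUS)
    for addr in ("198.51.100.10", "203.0.113.7", "192.0.2.1"):
        print(addr, classify(addr, table),
              "| exit-only rule blocks:", should_block(addr, table),
              "| all-relays rule blocks:", should_block(addr, table, exits_only=False))
```

Run against a real consensus (fetched from a directory authority or mirror) the same parser gives the evidence Eddie is after: if the relay's address appears with no Exit flag, an "exit" list that still contains it was built from the whole relay list, not from exits.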

Unfortunately that option is very specifically disallowed as it’s considered as trying to hide the source IP.

Cheers.

On 6/16/2022 1:33 AM, Gary C. New via tor-relays wrote:

Eddie,

When experiencing similar issues, the recommended solution I received, from this list, and that seems to work best is a VPN for affected traffic.

With dnsmasq, iptables or reverse proxy, and a dedicated split-tunnel VPN, I shunt affected traffic over the split-tunnel VPN without end-users on my local network even knowing.

Seems to work fairly well.

Best of luck.

Gary
