A couple of years ago I was assigned a simulation project for a new technology that mapped and categorized outbound end-user traffic. I thought, “Hmmm, where can I get live user traffic?” The idea of simulating end-user traffic via scripts, or (shudder) manual testing, seemed like serious drudgery—like weeding a garden, polishing silver, or proofreading my own writing. I'm better than that!
An epiphany struck me: My test network in my basement could get real live end-user traffic, without simulation, by running a Tor (The Onion Router) exit node.
The Tor network is fascinating. Fascinating, people! It is the original, decentralized anonymization service that the United States government simultaneously funds and loves to hate.
Onion routing was developed in the mid-1990s at the U.S. Naval Research Laboratory, with later funding from DARPA (the Defense Advanced Research Projects Agency), as a way for overseas intelligence sources to get data home without leaving an IP-address trail back to them, and the U.S. government remains one of the Tor Project's funders. Yet Tor annoys law enforcement (e.g., the FBI), which can't track the hackers, thieves, and drug dealers who use it. Today the Tor network is mostly run by true (privacy) believers at the Tor Project.1 These volunteers are constantly improving the network, releasing Tor Browser updates and closing the de-anonymization vulnerabilities that periodically pop up.
It was suspected that the U.S. National Security Agency (NSA) ran up to 50 percent of the Tor nodes in the aftermath of the Heartbleed incident. But because the Tor network is actually pretty good at anonymization, the NSA still couldn't de-anonymize users at scale, at least according to the leaked "Tor Stinks" slides in the Snowden papers.
From an operator's point of view, the Tor network is composed of two types of nodes: non-exit relays (the guard and middle hops of a circuit) and exit nodes.
Tor relay nodes are simple and safe: they just forward cells from the previous hop to the next one in the circuit. Each relay holds the key for its own layer of encryption only, so it sees ciphertext coming in and ciphertext going out, and never learns what the user is saying or (for a middle relay) who the user is talking to.
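As an added illustration (not code from the original post, and not Tor's real cell cryptography), the following Python walks one cell through a three-hop circuit. Each hop strips exactly one layer; the guard and middle relays end up holding ciphertext, and only the exit recovers the plaintext request. The stream cipher is a deliberately simple HMAC-SHA256 keystream that stands in for Tor's per-hop AES-CTR layers; the hop names, the `walk_circuit` helper and the sample HTTP request are all constructed for this example.

```python
import hashlib
import hmac
import os

HOPS = ["guard", "middle", "exit"]  # the three relays of a standard Tor circuit


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR data with an HMAC-SHA256 keystream.

    Stands in for Tor's per-hop AES-CTR layer. It is a demonstration
    cipher, not Tor's cell crypto; applying it twice with the same key
    restores the input, which is all the onion walk-through needs.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_circuit_keys(hops):
    """One fresh symmetric key per hop, as the client negotiates during circuit setup."""
    return {hop: os.urandom(32) for hop in hops}


def wrap_onion(keys, hops, payload: bytes) -> bytes:
    """Client side: apply the innermost (exit) layer first and the outermost (guard) last."""
    cell = payload
    for hop in reversed(hops):
        cell = xor_stream(keys[hop], cell)
    return cell


def relay_peel(key: bytes, cell: bytes) -> bytes:
    """Relay side: strip exactly one layer and forward whatever is underneath."""
    return xor_stream(key, cell)


def walk_circuit(payload: bytes):
    """Send one cell guard -> middle -> exit and record the bytes each relay holds
    after removing its own layer. Only the exit's view equals the payload."""
    keys = build_circuit_keys(HOPS)
    cell = wrap_onion(keys, HOPS, payload)
    views = {}
    for hop in HOPS:
        cell = relay_peel(keys[hop], cell)
        views[hop] = cell
    return views


if __name__ == "__main__":
    # Constructed sample payload: a plain-HTTP request, which an exit sees in the clear.
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    for hop, seen in walk_circuit(request).items():
        print(f"{hop:6s} holds: {seen[:24]!r}...")
```

The practical caveat this makes visible: the exit sees exactly what the user sends to the destination. For plain HTTP that is the full request; for HTTPS it is only the TLS-wrapped bytes plus the hostname in the handshake.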
My Decision to Run a Tor Exit Node
Tor exit nodes, on the other hand, are anything but simple and safe. The destination server sees the exit node's IP address as the source of the connection, so to the Internet (and to anyone who complains about what the connection did) the exit node is the actual user on the other side of Tor. The user could be a researcher. Or a journalist. Or a spy. Or a child pornographer. Or a digital pirate. Or a hacker. The only thing you know about someone who is using Tor is that, well, they don’t want to be known. They want to be anonymous.
| Positive Tor Traffic | Negative Tor Traffic    |
|----------------------|-------------------------|
| Freedom of speech    | Media piracy (torrents) |
|                      | Child abuse media       |
|                      | Illegal drug markets    |
|                      | Illegal arms markets    |
So, I thought long and hard about whether to run a Tor exit node. I didn’t want to be wrongly fingered as a child abuser, as happened to this Seattle couple,2 or as a terrorism supporter, which happened to this professor.3 On the other hand, I do believe in free speech as a general human right. And if running a Tor exit node could give a journalist or whistle-blower in an oppressive regime the freedom to publish their findings, it seemed worth the risk. And, of course, I needed that live traffic for testing.
I bought a mid-range PC from my local pawnshop, wiped the hard drive, and installed my favorite Linux distribution, Ubuntu Server. I followed the Tor Project’s instructions on installing and configuring a Tor exit node. (I was about to link to those instructions, but here’s a much, much better guide to running a Tor exit node.4) Why not run the Tor exit node from one of my main servers? Honestly, I was nervous about the tor daemon containing an unpatched zero-day vulnerability of some kind. If there’s any software in the world that a nation-state actor would like to get a back door into, it would be Tor. And with the amount of hacking traffic exiting a Tor node, it seemed like a sensible idea to isolate the exit node as much as possible.
So, I put the node on its own subnet with a single interface connected directly to a dedicated interface at my load balancer. I then put a firewall rule on the load balancer blocking all traffic from the node destined for non-routable (RFC 1918 and other private) address space. Traffic spilling out of the exit node could only be forwarded back out to the Internet and couldn’t probe my internal network. Tor’s ExitPolicyRejectPrivate setting, which is on by default, refuses those destinations in the exit policy as well, but a firewall rule enforced outside the Tor process still holds if the daemon itself is compromised.
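To make the exit-policy half of that isolation concrete, here is an added Python example (not the post's own configuration, and not Tor's code) that parses a small torrc-style exit policy and evaluates destinations against it with Tor's first-match-wins semantics. The sample policy is constructed: it rejects the `private` ranges plus the node's own public address, then accepts only ports 80 and 443 and rejects everything else. The `private` alias expands to the ranges the tor manual lists for it; `203.0.113.5` and `198.51.100.7` are documentation addresses used as stand-ins, and `parse_exit_policy` / `exit_allowed` are names chosen for this example.

```python
import ipaddress

# Ranges covered by Tor's "private" ExitPolicy alias (from the tor manual).
# Tor also adds the relay's own addresses; this example takes them as a parameter.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8",
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
)]

# Constructed sample torrc fragment (IPv4 only): reduced exit policy for a home exit.
SAMPLE_TORRC = """
ExitPolicyRejectPrivate 1          # default; prepends reject rules for private space
ExitPolicy accept *:80             # plain HTTP
ExitPolicy accept *:443, reject *:*  # HTTPS, then refuse everything else
"""


def _parse_ports(spec: str):
    """'*', '80' or '80-443' -> inclusive (low, high) port range."""
    if spec == "*":
        return 1, 65535
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)


def _parse_entry(entry: str, own_addresses):
    """'accept *:80' -> list of (action, network, low, high) rules."""
    action, target = entry.split(None, 1)
    addr, port_spec = target.rsplit(":", 1)
    low, high = _parse_ports(port_spec)
    if addr == "*":
        nets = [ipaddress.ip_network("0.0.0.0/0")]
    elif addr == "private":
        nets = PRIVATE_RANGES + [ipaddress.ip_network(a) for a in own_addresses]
    else:
        nets = [ipaddress.ip_network(addr, strict=False)]
    return [(action, net, low, high) for net in nets]


def parse_exit_policy(torrc_text: str, own_addresses=()):
    """Build an ordered rule list from ExitPolicy / ExitPolicyRejectPrivate lines."""
    rules, reject_private = [], True
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "ExitPolicyRejectPrivate":
            reject_private = value.strip() == "1"
        elif key == "ExitPolicy":
            for entry in value.split(","):
                rules.extend(_parse_entry(entry.strip(), own_addresses))
    if reject_private:
        # Tor places the private rejects ahead of the operator's own rules.
        rules = _parse_entry("reject private:*", own_addresses) + rules
    return rules


def exit_allowed(rules, dst_ip: str, dst_port: int) -> bool:
    """First matching rule decides. If nothing matches, Tor would consult its
    built-in default policy; this example treats that as a reject for clarity."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, low, high in rules:
        if ip in net and low <= dst_port <= high:
            return action == "accept"
    return False


if __name__ == "__main__":
    policy = parse_exit_policy(SAMPLE_TORRC, own_addresses=("203.0.113.5",))
    for ip, port in (("192.168.1.10", 80), ("198.51.100.7", 443),
                     ("198.51.100.7", 25), ("203.0.113.5", 80)):
        print(f"{ip}:{port} -> {'accept' if exit_allowed(policy, ip, port) else 'reject'}")
```

Run against the sample policy, the LAN host and the node's own address are rejected on any port, port 25 to a public address is rejected by the catch-all, and only 80 and 443 to public addresses pass. The same check is worth running against your real torrc before the node goes live, because a typo in an accept line is what turns an exit into a probe of your own network.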