Does connecting to your own Guard increase or decrease overall security?

Hey everyone,

I’m runing my own relay since some time and always wondered if I soly connect to my own relay (guard) if this would increas my security ?

Obvious partial answers are:

  1. You maybe less at risk with attacks like “relay early” traffic confirmation attack in 2014
  2. If you run a public entry node, then you may be subjected to DDOS that may be going on

Hope someone will give more pointers.

1 Like

Thanks, so 1. does increase my security and 2. is “just” an issue for my node but not for my security, right ?
To me it loks like my node is kinda suffering from the DDOS already, as it’s listed, among others, “overloaded”. Hope this matter gets resolved soon.

Of course, your own node is the safest. :nerd_face: I only use my own or friends’.
Hint: You can have 2 instances per IP. In addition to your guard, you can also set up a hidden bridge. Only for you and friends.

How do you tell Tor which guard to choose? I always thought it was selected at random. And if you create a guard yourself would it only be accessable by yourself or would it be used within the network by other people? I also imagine if someone is listening to entry nodes and exit nodes at the same time they could do a sybil attack to match data regardless of guard authenticity

man torrc

# A list of identity fingerprints, country codes and address patterns of nodes to use for the first hop in your normal circuits. (Guards & plain Bridges)
EntryNodes $D2ADD68BA9F735031893CB8A58548375E831B45B,[2001:db8::],203.0.113.0/24
HSLayer2Nodes
HSLayer3Nodes
ExitNodes
ExcludeNodes
ExcludeExitNodes
StrictNodes 1

Relays (guard, exit) are always accessable by all, hidden bridges don’t.

# uncomment if you don't want torproject.org to know your bridge
#PublishServerDescriptor 0
BridgeRelay 1

OK NSA & such has oversight of so much of the internet. (I think 70-80%) We know from Snowden that they love our DE-CIX.
Imagine if someone owns the entry nodes and exit nodes at the same time. That’s what some adversaries try to do. Hundreds of relays in different networks without MyFamily. There are some tools running on the Tor network for that and some security experts and the bad-relay list people are trying to prevent that. With your own bridge (whether hidden or public) you are safe from it. A public one is better because your traffic mixes with the others. (Hint: A public bridge and a public relay must not run on one IP.)

2 Likes

Thanks to everyone contributing. I stick with my node then.

And @Angular, keep in Mind that you can’t create a Guard, your Relay get’s “chosen”.

@boldsuck can you point me to where I can read about running 2 nodes on the same IP ? I would then run the 2nd as (hidden) bridge.

2 Likes

That depends on your OS. The easiest way to do this is with Debian or Ubuntu tor-instance-create

I’ve never tried if EntryNodes works with non-guard flagged relays. I have to test it. Is the right time because of the DDoS in the Tor network, I just lost a lot of flags.

1 Like

Is that of surface web or does that include the Tor network? I’ve got a static IPv4 IP from my VPN which I think could be used to host a guard without the traffic being directly handled by me but its probably more complicated than I can bare

So how do you get it to choose yours?

Keep in mind that if you think “security = anonymity”, then now you definitively have an IP, an email, and perhaps some other information exposed as being associated with Tor.

If you use your friend’s, how do you know when your friend’s will turn malicious?

If you use public entry nodes, it seems to me that eventually, you will connect to a malicious node, belonging to this group, or that group, or others. The eventuality may be faster than “designed” especially if this DDOS keeps going. 555 if your luck holds, maybe your IP will remain anonymous long enough. If it isn’t anonymous, then hopefully, you are not doing anything to get yourself in trouble while your IP address is exposed!

1 Like

And don’t imagine just the malicious exit nodes, if your adversary has visibility of your activities on your website / service, owning the malicious entry node might be enough to correlate you.

For example, suppose torproject’s forum is prohibited in your country, so you use tor to interact with it. Suppose you don’t use tor to do anything else. Owning your entry node might be enough to start correlating you, such as: look, whenever this guy posts, this IP is connected to this guard node I own.

2 Likes

What would you recommend for maximum security AND anonymity?
Sorry for spamming up the thread too haha

I can tell you it won’t. Tried it, failed !

That is an automatic Process, by the autority nodes if I’m not mistaken.
Make sure your Relay is stable and fast.

Yes, but thats tied to the Node not mthe Activieties on my Machine. Note that my Node is a VPS not my home machine. So yes someone can grab the infos of the public node but whatever I do with the TOR browser should not be tied to this IP. How could it ?

OK
Do you have tried EntryNodes with StrictNodes 1?

But whatever, I have hidden bridges and a few hundred nodes in EntryNodes & HSLayer[2,3]Nodes with vanguards. In general, I have the settings for hidden services (bisq, crypto wallets, my Monero nodes).
I only use the Tor browser to test my relays sometimes.

NSA and BKA say “Tor stinks” in their documents. But seriously, they are interested in Al-Qaeda, IS and Putin not in you and me. If someone is really on their list, they should throw away their phone and unplug the cord. They got Osama and they got Aiman al-Sawahir.

Your VPN provider has your MAC, IP and other data. If you do something illegal about it, he must release the data. The VPN provider can also be a government honey pot.
So in Europe and the USA it is allowed to operate Tor relays, there is no need to hide. Paying for a server anonymously over a longer period of time and administering it via SSH is not easy. And sometimes shit happens, the bulletproof hoster CyberBunker was near me. The cops have busted the entire ISP and are evaluating several thousand servers over the next few years.

1 Like

VPN provider (removed) has emerged victorious from legal action initiated by movie companies hoping to get closer to the operators of The Pirate Bay. After a back-and-forth process, the court agreed with (removed) claims that as no-logging provider, it had no useful data to hand over.

1 Like

From same company

  • no logging of traffic
  • no logging of timestamps
  • no logging of DNS requests
  • no logging of IP addresses
  • no logging of MAC addresses
  • no logging of individual user bandwidth volumes
1 Like