🤠 bgp.rodeo

I ran a Tor Exit Node

and I’m not sure if I would do it again.

(note: this post is antedated to form a proper timeline of the developments of my network, it was actually written in March of 2024)

Why run a Tor node in the first place?

Right after I started with my network, I started running Tor nodes. I have been doing it on-and-off in the past, but this was a chance to get full control over the infrastructure the node was running on and have the traffic it generates be useful to me.

While running Tor on your machine, you have two choices: do I become a Tor relay, or an Exit node?

They both function differently, and I suggest reading up on how Tor works to get a full understanding. But here is the executive summary:

Tor directs Internet traffic via a free, worldwide volunteer overlay network that consists of more than seven thousand relays

If someone uses Tor to browse the internet, they may or may not use your relay to route that traffic. However, there is a moment where that traffic has to leave the Tor network and connect to a real webserver. Maybe even the webserver hosting this blog. This connection can only be made from an Exit node. An Exit node is specifically made available to ‘exit’ the Tor network and connect to the ‘real’ internet with the publicly routable addresses of that exit node.

Running an exit node

After running Tor relays for a while, I wanted to see what it was like to run an exit node. I’ve doubted it for a long time. On one hand I would be doing the community a favor, since running an exit node can come with some risks. But I finally decided to do it.

So, what was that like?

Shortly after applying the exit policy, I could see that my exit nodes were being used to browse the internet. And it didn’t take long for the first abuse e-mails to arrive.

They mostly were all from one person, and his name is ‘Ben Sodos’, of ‘Vobile, Inc.’.

Anyone working at an ISP or providing VPN / VPS services already knows what this is.

These are e-mails from some automated system that scans BitTorrent for movies, TV shows and other copyrighted content being downloaded, and then sends e-mails to the abuse contacts of the IP-address owners.

The e-mails look something like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Notice ID: xxx
Notice Date: xxx
 
IP-Connect LLC
 
Dear Sir or Madam:
 
I certify under penalty of perjury that I am authorized to act on behalf of the Paramount Global companies CBS Broadcasting Inc., CBS Studios Inc., Paramount Pictures Corporation, Showtime Networks Inc., Viacom International, Inc., Black Entertainment Television LLC, and other Paramount Global subsidiaries and affiliates (collectively, the “Rights Owners”), the owners of certain exclusive intellectual property rights in the copyrighted work(s) identified in this notice. I have a good faith belief that the information in this notice is accurate.
 
We have become aware that the below IP addresses have been using your service for distributing video files, which contain infringing video content that is exclusively owned by the Rights Owners. 
 
We have a good faith belief that the Rights Owners’ video content that is described in the below report has not been authorized for sharing or distribution by the copyright owner, its agent, or the law. Such copying and use of this material constitutes clear infringement of the Rights Owners' rights under the Copyright Act and its counterpart laws around the world.
 
We are requesting your immediate assistance in removing and disabling access to the infringing material from your network.  We also ask that you ensure the user and/or IP address owner refrains from future use and sharing of the Rights Owners’ materials and property. 
 
In complying with this notice, you should not destroy any evidence that may be relevant in a lawsuit relating to the infringement alleged; including all associated electronic documents and data relating to the presence of the infringing items on your site, which shall be preserved while disabling public access, irrespective of any document retention or corporate policy to the contrary.
 
Nothing in this letter shall be construed as a waiver or relinquishment of any right, remedy, or claims possessed by the Rights Owners, or any affiliated party, all of which are expressly reserved.

Should you have any questions, please contact me at the information below.
 
Ben Sodos
Vobile, Inc.
Address: 2880 Lakeside Drive, Suite 360
Santa Clara, CA 95054, United States
Email: p2p@copyright-notice.com
xxx.xxx.xxxx


<?xml version="1.0" encoding="UTF-8"?>
<Infringement xmlns="http://www.acns.net/ACNS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.acns.net/ACNS http://www.acns.net/v1.2/ACNS2v1_2.xsd">
  <Case>
    <ID>625d6132c781c546f0a2</ID>
    <Status>Open</Status>
    <Severity>Normal</Severity>
  </Case>
  <Complainant>
    <Entity>Paramount Pictures Corporation</Entity>
    <Contact>Vobile - Compliance</Contact>
    <Address>2880 Lakeside Drive, Suite 360
Santa Clara, CA 95054</Address>
    <Phone>+1 (408) 492 1100</Phone>
    <Email>p2p@copyright-notice.com</Email>
  </Complainant>
  <Service_Provider>
    <Entity>IP-Connect LLC</Entity>
    <Email>abuse@as202585.net</Email>
  </Service_Provider>
  <Source>
    <TimeStamp>xxx</TimeStamp>
    <IP_Address>xxx</IP_Address>
    <Port>xxx</Port>
    <Type>BitTorrent</Type>
    <SubType BaseType="P2P" Protocol="BITTORRENT"/>
    <Number_Files>1</Number_Files>
  </Source>
  <Content>
    <Item>
      <TimeStamp>xxx</TimeStamp>
      <Title>Into the Wild</Title>
      <FileName>Into.the.Wild.2007.1080p.BluRay.10bit.x265-HazMatt.mkv</FileName>
      <FileSize>3534169610</FileSize>
      <Hash Type="SHA1">c9324982afdb92da095e913d0db4dbe9d938ea84</Hash>
    </Item>
  </Content>
</Infringement>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

-----END PGP SIGNATURE-----

Besides copyright violations, I also got a lot of other types of automated abuse reports. Mainly from portscans, bots trying to break into someone's WordPress website or some other (often benign) activity. Sometimes without specifying what the problem was exactly. Like this example:

To Whom it May Concern,

You have a system on your network that is actively scanning and/or attacking external sites on the Internet.  This can come from many sources and because it is often difficult to detect this activity, we are sending this E-mail in an attempt to help you solve the problem.

We have detected your system with an IP of, 185.244.24.40, scanning a client we monitor.  This was not a short attack but a prolonged scan and/or probe that was designed to find and intrude into the target network.

This may be someone on your network who is actively trying to hack others. This person may be a legitimate user on your network or it may be that this system has been compromised and is being used by someone to hack others. It is also likely that the system is running automated tools that have been installed to perform these actions without any human intervention.

Below is the information about the attack.  Keep in mind that the source IP of our client has been sanitized for anonymity.

Date: 08/25/2023
Time: 12:38:06
Time Zone: America/Chicago
Source(s): 185.244.24.40
Type of Attack/Scan: Generic
Hosts: 10.10.10.83 
Log:

185.244.24.40:45084 > 10.10.10.83:80

Possible Cause:


Thank you for your attention to this matter,

xxx
email: xxx@xxx.com

Yes, they really listed some RFC1918 address 🙄.
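
One way an abuse desk could triage notices like the two above, added here as an example and not code from the original post: it pulls the ACNS block out of a notice e-mail, refuses DTDs because the XML is untrusted input, and classifies the reported address, including private ones like the RFC1918 address in the second report. The `EXIT_NODES` set, the sample notice and the category names are assumptions, and the PGP signature is not verified here.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"a": "http://www.acns.net/ACNS"}  # namespace declared in the notice above
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXIT_NODES = {ipaddress.ip_address("192.0.2.10")}  # assumption: your own exit relay addresses

# Constructed sample notice (documentation address, made-up case ID and title).
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Dear Sir or Madam: (constructed body)

<?xml version="1.0" encoding="UTF-8"?>
<Infringement xmlns="http://www.acns.net/ACNS">
  <Case><ID>constructed-0001</ID><Status>Open</Status></Case>
  <Source><TimeStamp>2023-08-15T11:02:03Z</TimeStamp>
    <IP_Address>192.0.2.10</IP_Address><Port>51413</Port>
    <Type>BitTorrent</Type></Source>
  <Content><Item><Title>Constructed Title</Title></Item></Content>
</Infringement>
"""

def parse_acns(mail_body):
    """Return the key fields of the ACNS <Infringement> block in a notice e-mail."""
    # Notices are untrusted input: refuse DTDs so no entity definitions reach the parser.
    if "<!DOCTYPE" in mail_body or "<!ENTITY" in mail_body:
        raise ValueError("DTD/entity declaration in notice")
    m = re.search(r"<Infringement\b.*?</Infringement>", mail_body, re.S)
    if m is None:
        raise ValueError("no ACNS block found")
    root = ET.fromstring(m.group(0))
    def get(path):
        return root.findtext(path, "", NS).strip()
    return {"case_id": get("a:Case/a:ID"), "timestamp": get("a:Source/a:TimeStamp"),
            "ip": get("a:Source/a:IP_Address"), "port": get("a:Source/a:Port"),
            "protocol": get("a:Source/a:Type"),
            "titles": [t.text for t in root.findall("a:Content/a:Item/a:Title", NS)]}

def triage(notice, exit_nodes=EXIT_NODES):
    """Classify a parsed notice by its reported source address."""
    try:
        ip = ipaddress.ip_address(notice["ip"])
    except ValueError:
        return "invalid-ip"   # e.g. a redacted or mistyped address
    if ip in exit_nodes:
        return "tor-exit"     # reply with the exit-relay explanation
    if any(ip in net for net in RFC1918):
        return "rfc1918"      # private address, cannot be a public host of yours
    return "other"            # needs a manual look
```
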

Then, after about a month in, something strange happened. Some French dude decided to e-mail and call the person I am leasing my IPv4 space from to tell him that ‘Tor is not ideal’. Sharing all kinds of publicly available information about me and calling this person up at weird times. Not chill, dude.

After about a month, I decided to call it quits and removed the exit policy. They still help the network, do plenty of traffic and don’t come with abuse mails.

Would I do it again? Maybe…