commit 1bd7c21c00285eed6a3b3653af3352dd66c2d07b Author: Kim Le kle2@student.unimelb.edu.au Date: Sat Oct 17 10:52:46 2020 +1100
replace CAPTCHA with Captcha --- content/gsoc/cloudflare-captcha-monitoring/contents.lr | 18 +++++++++--------- .../tor-abuse-templates/contents.lr | 12 ++++++------ 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/content/gsoc/cloudflare-captcha-monitoring/contents.lr b/content/gsoc/cloudflare-captcha-monitoring/contents.lr index f511683..eae7c86 100644 --- a/content/gsoc/cloudflare-captcha-monitoring/contents.lr +++ b/content/gsoc/cloudflare-captcha-monitoring/contents.lr @@ -24,40 +24,40 @@ arma --- difficulty: medium --- -title: Cloudflare CAPTCHA Monitoring +title: Cloudflare Captcha Monitoring --- subtitle:
-This project should implement a mechanism to track the rate that Cloudflare fronted webpages return CAPTCHAs to Tor users over time. +This project should implement a mechanism to track the rate that Cloudflare fronted webpages return Captchas to Tor users over time.
--- body:
# Problem
-A large number of Tor users report getting hit by infinite CAPTCHA loops when visiting webpages fronted by Cloudflare. This makes them feel punished for using Tor to protect their privacy and prevents them from legitimately accessing websites. +A large number of Tor users report getting hit by infinite Captcha loops when visiting webpages fronted by Cloudflare. This makes them feel punished for using Tor to protect their privacy and prevents them from legitimately accessing websites.
# Proposal
-For this project we would like to track in practice how often Cloudflare fronted webpages return CAPTCHAs to Tor clients. +For this project we would like to track in practice how often Cloudflare fronted webpages return Captchas to Tor clients.
Our proposed approach consists of:
1. Setting up a very simple static webpage to be fronted by Cloudflare -2. Write a web client to periodically fetch this static webpage via Tor and record how often a CAPTCHA is returned -3. Record and graph CAPTCHA vs real page rates +2. Write a web client to periodically fetch this static webpage via Tor and record how often a Captcha is returned +3. Record and graph Captcha vs real page rates 4. Using the pre-existing architecture, run a second client that does not fetch this webpage via Tor. This will allow us to contrast and compare how Cloudflare responds to Tor Browser vs other browsers. 5. Track and publish these details publicly
There are two interesting metrics to track over time:
-- the fraction of exit relays that are getting hit with CAPTCHAs, and -- the chance that a Tor client, choosing an exit relay in the normal weighted faction, will get hit by a CAPTCHA. +- the fraction of exit relays that are getting hit with Captchas, and +- the chance that a Tor client, choosing an exit relay in the normal weighted faction, will get hit by a Captcha.
Then there are other interesting patterns to look for:
- Are certain IP addresses punished consistently and others never punished? -- Is whether you get a CAPTCHA much more probabilistic and transient? +- Is whether you get a Captcha much more probabilistic and transient? - Does that pattern change over time?
# Getting Started diff --git a/content/relay-operations/community-resources/tor-abuse-templates/contents.lr b/content/relay-operations/community-resources/tor-abuse-templates/contents.lr index 007e0d2..6b4549e 100644 --- a/content/relay-operations/community-resources/tor-abuse-templates/contents.lr +++ b/content/relay-operations/community-resources/tor-abuse-templates/contents.lr @@ -59,8 +59,8 @@ However, be aware that this may be just one jerk amongst many legitimate Tor use You might have luck getting rid of this jerk by temporarily limiting account creation to require Gmail accounts before posting, or by requiring account creation be done over non-Tor before posting.
In general, we believe that problems like this are best solved by improving your service to defend against the attack from the Internet at large. -Brute force login attempts can be reduced/slowed by captchas, which is the approach taken by Gmail for this same problem. -In fact, Google provides a free captcha service, complete with code for easy inclusion in a number of systems to help other sites deal +Brute force login attempts can be reduced/slowed by Captchas, which is the approach taken by Gmail for this same problem. +In fact, Google provides a free Captcha service, complete with code for easy inclusion in a number of systems to help other sites deal with this issue: https://code.google.com/apis/recaptcha/intro.html
``` @@ -100,8 +100,8 @@ https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=YOUR_IP&port=...
In general however, we believe that problems like this are best solved by improving the service to defend against the attack from the Internet at large.
-Scraping and robot activity can be reduced/slowed by captchas, which is the approach taken by Gmail for this same problem. -In fact, Google provides a free captcha service, complete with code for easy inclusion in a number of systems to help other sites deal with this issue: https://code.google.com/apis/recaptcha/intro.html +Scraping and robot activity can be reduced/slowed by Captchas, which is the approach taken by Gmail for this same problem. +In fact, Google provides a free Captcha service, complete with code for easy inclusion in a number of systems to help other sites deal with this issue: https://code.google.com/apis/recaptcha/intro.html
Slow DoS attacks [aimed to consume the Apache MaxClients limit](http://www.guerilla-ciso.com/archives/2049) can be alleviated by reducing the httpd.conf TimeOut and KeepAliveTimeout config values to 15-30 and raising the ServerLimit and MaxClients values to omething like 3000.
@@ -121,8 +121,8 @@ The attacker would probably just chain an open proxy after Tor, or just use open The Tor project does provide an automated DNSRBL for you to query to flag requests from Tor nodes as requiring special treatment: https://www.torproject.org/projects/tordnsel.html.en
In general, we believe that problems like this are best solved by improving the service to defend against the attack from the Internet at large rather than specifically tailoring behavior for Tor. -Brute force login attempts can be reduced/slowed by captchas, which is the approach taken by Gmail for this same problem. -In fact, Google provides a free captcha service, complete with code for easy inclusion in a number of systems to help other sites deal with this issue: https://code.google.com/apis/recaptcha/intro.html +Brute force login attempts can be reduced/slowed by Captchas, which is the approach taken by Gmail for this same problem. +In fact, Google provides a free Captcha service, complete with code for easy inclusion in a number of systems to help other sites deal with this issue: https://code.google.com/apis/recaptcha/intro.html ```
## SSH Bruteforce Attempts