On 1 Sep 2015, at 07:45, Philipp Winter <phw@nymity.ch> wrote:
The harm caused by cloud-hosted relays is more difficult to quantify. Getting rid of them also wouldn't mean getting rid of any attacks. At best, attackers would have to jump through more hoops.
If we were to decide to permanently reject cloud-hosted relays, we would have to obtain the netblocks that are periodically published by all three (and perhaps more) cloud providers:
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
https://msdn.microsoft.com/en-us/library/azure/Dn175718.aspx
https://cloud.google.com/appengine/kb/general?hl=en#static-ip
Note that this should be done periodically because the netblocks are subject to change.
On 1 Sep 2015, at 08:58, nusenu <nusenu@openmailbox.org> wrote:
Should you decide to continue generally blacklisting entire ISPs/ASes/IP ranges:
Please add that info (including the banned ISPs/ASes/IP ranges) to the documentation (i.e. relay setup guides [4]) so volunteers don't waste their time and money to set up blacklisted relays [5].
[4] https://www.torproject.org/getinvolved/relays.html.en
[5] https://lists.torproject.org/pipermail/tor-relays/2015-August/007655.html
If the blocked IP ranges are going to become numerous, and change frequently, why not create a tool that volunteer relay operators can use to check an IP address?
Tim (teor)
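The kind of operator-side check Tim suggests, and the netblock ingestion Philipp describes, sketched as an added example that is not part of this thread and not a Tor Project tool. It assumes the JSON layout AWS publishes at the ip-ranges URL above (a `prefixes` list with `ip_prefix` entries and an `ipv6_prefixes` list with `ipv6_prefix` entries) and a plain one-prefix-per-line list for a second provider; all prefixes and provider names in the sample data are constructed placeholders, not any provider's real ranges. A real tool would re-fetch the published lists on a schedule, since, as noted above, the netblocks change.

```python
"""Check whether a relay's IP address falls inside published cloud-provider netblocks."""
import ipaddress
import json
import sys

# Constructed sample in the shape of the JSON document AWS publishes
# (prefixes are documentation/example ranges, not real provider netblocks).
SAMPLE_AWS_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2015-09-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:aa::/48", "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed sample of a plain text list, one prefix per line, as another
# provider might publish; blank lines and '#' comments are tolerated.
SAMPLE_TEXT_LIST = """
# example-provider ranges (constructed)
192.0.2.0/24
2001:db8:bb::/48
"""


def prefixes_from_aws_json(text, provider):
    """Parse an AWS-style ip-ranges document into (network, provider) pairs."""
    doc = json.loads(text)
    nets = []
    for entry in doc.get("prefixes", []):
        nets.append((ipaddress.ip_network(entry["ip_prefix"], strict=False), provider))
    for entry in doc.get("ipv6_prefixes", []):
        nets.append((ipaddress.ip_network(entry["ipv6_prefix"], strict=False), provider))
    return nets


def prefixes_from_text(text, provider):
    """Parse a one-prefix-per-line list into (network, provider) pairs."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if line:
            nets.append((ipaddress.ip_network(line, strict=False), provider))
    return nets


def build_blocklist():
    """Combine every provider's published ranges into one list."""
    return (prefixes_from_aws_json(SAMPLE_AWS_JSON, "aws")
            + prefixes_from_text(SAMPLE_TEXT_LIST, "example-provider"))


def lookup(ip_text, blocklist):
    """Return (provider, prefix) for the most specific netblock containing
    ip_text, or None if no published range covers it.  Raises ValueError
    when ip_text is not a valid IPv4/IPv6 address."""
    addr = ipaddress.ip_address(ip_text)
    best = None
    for net, provider in blocklist:
        if addr.version != net.version:
            continue            # never compare v4 addresses against v6 ranges
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (provider, net)
    return (best[0], str(best[1])) if best else None


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Usage: python check_relay_ip.py 203.0.113.7 192.0.2.9 8.8.8.8
    for arg in sys.argv[1:] or ["203.0.113.7", "2001:db8:bb::1", "8.8.8.8"]:
        try:
            hit = lookup(arg, blocklist)
        except ValueError:
            print(f"{arg}: not a valid IP address")
            continue
        print(f"{arg}: {'in ' + hit[0] + ' range ' + hit[1] if hit else 'not in any listed range'}")
```

The lookup prefers the longest matching prefix so that a provider's more specific sub-range wins over a broader one, and it refuses to compare addresses across IP versions; a relay operator can run it before spending money on a host to see whether the address would be rejected.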