On Sat, 24 Nov 2012 07:44:48 -0800 Aaron aagbsn@extc.org wrote:
On Sat, Nov 24, 2012 at 4:24 AM, Moritz Bartl moritz@torservers.net wrote:
I don't think it's a good idea. People are always thankful when I can point them to the bulk exit list and torDNSel. I point out that Tor has a lot of users and not all of them are bad, and urge for a temporary block. Most admins seem to follow that advice.
But in the light of "an IP address is not identity" -- is it reasonable to block every user of an IP because one person (or bot) is up to no good? Why do people insist on "stopping" problem behavior at the network layer?
What else do you propose? You have a service which is costing money to run, some idiot is abusing it to the detriment of your genuine users, and the only correlation you can see between connections is that they originate from Tor exit nodes (remember, the point of Tor is that you *can't* establish identity). Sure, you may be able to develop an application level defence against the attack, but that takes time and resources which may not be immediately available. Meanwhile, of course you block the originating network! It's just the same as if you're being flooded by abusive requests all from the same /24: you might not want to permanently block the whole subnet, but you certainly want to mitigate the immediate threat. Sysadmin 101: If you don't do something *now*, you'll regret it tomorrow.
Julian
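The two mitigations the thread contrasts, a time-limited block of a Tor exit list versus blocking a whole /24, as an added example that is not code from the thread or from the Tor project. The exit list is constructed sample data in the one-address-per-line shape of the bulk exit list; the block duration, start time and addresses are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample exit list (documentation-range addresses, not real exits).
SAMPLE_EXIT_LIST = """\
# constructed sample list
192.0.2.10
192.0.2.11
198.51.100.7
"""

# Assumed start of the incident window, used by the demo helpers below.
START = datetime(2012, 11, 24, 8, 0)


def at(hours):
    """Clock value `hours` after START (helper for the demo and tests)."""
    return START + timedelta(hours=hours)


def parse_exit_list(text):
    """Return the set of exit addresses from a one-IP-per-line list,
    skipping blank lines and '#' comments."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            addrs.add(ipaddress.ip_address(line))
    return addrs


class TemporaryBlock:
    """Block a set of addresses and/or whole networks until an expiry time,
    so the mitigation lapses on its own instead of becoming permanent."""

    def __init__(self, exits, networks, duration, now):
        self.exits = set(exits)
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.expires = now + duration

    def is_blocked(self, client_ip, now):
        if now >= self.expires:          # the temporary block has lapsed
            return False
        ip = ipaddress.ip_address(client_ip)
        return ip in self.exits or any(ip in net for net in self.networks)


if __name__ == "__main__":
    block = TemporaryBlock(parse_exit_list(SAMPLE_EXIT_LIST),
                           ["203.0.113.0/24"], timedelta(hours=24), at(0))
    for ip, t in [("192.0.2.10", at(1)), ("203.0.113.77", at(1)),
                  ("192.0.2.99", at(1)), ("192.0.2.10", at(25))]:
        print(ip, t, "blocked" if block.is_blocked(ip, t) else "allowed")
```

The exit-list block covers only listed exits, while the /24 entry covers every host in the subnet; both expire together, which is the "temporary block" both messages argue for.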