On 10 Feb 2017, at 13:13, Andrew Deason adeason@dson.org wrote:
From my current conversation with them, they are aware of at least some suggested ways of blocking tor entirely, but claim some issues with doing so. (Something having to do with exit node IPs changing too frequently, making the existing methods useless.)
I am not sure if there are real technical limitations, or there is just a misunderstanding. Since I don't work with the technical details of tor in and out every day, I'm a little hesitant to be arguing with them about the various technical details, since I might get something wrong.
And of course, if there _are_ actual problems with the mechanisms of tor blacklisting, I can't do anything about it myself, and we have to play "telephone" with me reporting some issue second-hand or whatever.
They are probably using the wrong list, there are reliable lists maintained by Tor, as far as I know.
As far as I can tell, the specific complaint here was that TorDNSEL caches results for 30 minutes; I can see the results indeed give a TTL of 30 minutes. You can just ignore the TTL though, but maybe they were also (allegedly) seeing the information itself be 30 minutes stale. I don't know.
Anyway, so the claim (I think) is that the TorDNSEL data would be out of date, and they would block based on that, so they would be missing some. Attackers would then try running their exploit repeatedly until they found an exit that works; and since (they claim) tor exit IPs change so frequently, this would always be a problem. (Even if all of this were true, how this is any better at all than having individual exits block the target ranges via ExitPolicy from their automated reports is beyond me.)
It also seems like a service like theirs wouldn't be using TorDNSEL, but instead maybe doing something parsed from consensus itself, but that's just me.
Consensuses only come out every hour, and almost all tor clients wait at least another hour before downloading them, so they have a head start.
But no wonder they are having trouble if they are just using the consensus: it only contains ORPort/DirPort IP addresses.
And Exits are free to use another IP as their OutboundBindAddress, so some of the Tor exit lists check by actually making a connection through the Exit.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
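As an added illustration of the TorDNSEL lookup the thread argues about (not code from either poster or from the Tor project): a small Python checker that builds the reversed-octet query name under the public `dnsel.torproject.org` zone, treats the documented `127.0.0.2` answer as "known exit" and NXDOMAIN as "not listed", and takes the resolver as a parameter so it can be exercised offline with constructed answers. The zone name and answer convention are assumed from TorDNSEL's public interface; the sample client addresses are constructed.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Public TorDNSEL zone and the A record it returns for a known exit address
# (assumed from the service's documented interface).
TORDNSEL_ZONE = "dnsel.torproject.org"
EXIT_ANSWER = "127.0.0.2"

# A resolver maps a DNS name to its A record, or None when the name does not
# exist (NXDOMAIN), which TorDNSEL uses to mean "not a known exit".
Resolver = Callable[[str], Optional[str]]


def tordnsel_name(ip: str, zone: str = TORDNSEL_ZONE) -> str:
    """Build the lookup name: the IPv4 octets reversed, under the TorDNSEL zone."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    if addr.version != 4:
        raise ValueError(f"{ip}: this lookup handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Resolve through the OS resolver; NXDOMAIN and other failures become None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_tor_exit(ip: str, resolve: Resolver = system_resolve) -> bool:
    """True only when TorDNSEL answers with its exit marker for this address.
    The answer reflects TorDNSEL's last scan, so a brand-new exit or a changed
    OutboundBindAddress can be missed until the list is refreshed."""
    return resolve(tordnsel_name(ip)) == EXIT_ANSWER


def classify_clients(ips: Iterable[str], resolve: Resolver = system_resolve) -> Dict[str, bool]:
    """Look up each address once, returning {ip: is_exit}; unparsable entries are skipped."""
    result: Dict[str, bool] = {}
    for ip in ips:
        try:
            result[ip] = is_tor_exit(ip, resolve)
        except ValueError:
            continue
    return result


if __name__ == "__main__":
    # Constructed sample: client addresses as they might appear in a web server log.
    for ip, flag in classify_clients(["203.0.113.10", "198.51.100.7", "not-an-ip"]).items():
        print(ip, "tor exit" if flag else "not listed")
```

Because the check is a single DNS query per address, a log-ingestion pipeline can call it at the time of the request instead of relying on a list snapshot, which sidesteps the 30-minute TTL complaint but not the staleness of TorDNSEL's own scan.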