On Wed, Aug 19, 2015 at 10:00:54PM -0700, Greg wrote:
I tried to spin up a relay on GCE a few days ago, and I found that it was outright rejected with a message like "Authdir is rejecting routers in this range". I don't have the IP handy now, but I could easily get another ephemeral IP. I thought I came across a thread saying that there was an attack on the tor network originating from GCE, and that's why it got blacklisted. I'm not finding that thread now. But is GCE going to be removed from the blacklist? I realize it's not a very economical place to run a relay.
I wonder if we wouldn't be better off with GCE remaining blocked. Cloud platforms seem quite popular among attackers -- presumably because they can quickly give you a large number of disposable machines. Naturally, there will also be benign relays running on cloud platforms. We might have to do some number crunching to ponder if the benefit of having these benign relays outweighs the potential harm of attackers being able to use GCE et al.
Second, and perhaps less obvious, Google is already in a privileged position as many exit relays use Google's public DNS server as resolver. If GCE machines end up being guard relays, Google might be able to correlate some DNS requests of the Tor clients that end up selecting GCE guards.
Cheers, Philipp