On Sat, Nov 24, 2012 at 4:24 AM, Moritz Bartl <moritz@torservers.net> wrote:

On 24.11.2012 12:46, tagnaq wrote:

...

...

Shouldn't some exit relays (funded or not) be deployed to use an exit IP that is different from it's advertised exit IP in order to prevent a simplistic form of blocking based on scraping the descriptor set?

I don't think it's a good idea. People are always thankful when I can point them to the bulk exit list and torDNSel. I point out that Tor has a lot of users and not all of them are bad, and urge for a temporary block. Most admins seem to follow that advice.

But in the light of "an IP address is not identity" -- is it reasonable to block every user of an IP because one person (or bot) is up to no good? Why do people insist on "stopping" problem behavior at the network layer? --Aaron

https://check.torproject.org/cgi-bin/TorBulkExitList.py https://www.torproject.org/projects/tordnsel.html.en

-- Moritz Bartl https://www.torservers.net/ _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

What else do you propose? You have a service which is costing money to run, some idiot is abusing it to the detriment of your genuine users, and the only correlation you can see between connections is that they originate from Tor exit nodes (remember, the point of Tor is that you *can't* establish identity). Sure, you may be able to develop an application level defence against the attack, but that takes time and resources which may not be immediately available. Meanwhile, of course you block the originating network! It's just the same as if you're being flooded by abusive requests all from the same /24: you might not want to permanently block the whole subnet, but you certainly want to mitigate the immediate threat. Sysadmin 101: If you don't do something *now*, you'll regret it tomorrow.

they -should- indeed develop an application level defense to the problem. any defense that relies on layer 3 being accurate "identification" is just plain -wrong- (and probably designed by the same dusty nerds that still think smtp is a good idea to keep around ;) if you want to but can't tell your users appart by some other means but the ip address they connect from, your protocol/service sucks and isn't suitable for use on the real internet and needs to go back to the drawing board. its not just "tor" you know, back in the days you just took a dialup number in venezuela and all was fine :P (and you can still do that today ;) as for "attacks" i'd distinguish between actual network attacks (where i don't give a crap if its spoofed or not, just DROP it :P and lets say, people (or bots) using a service "on top" of the actual internet (lets say an online banking system). NOW if your online banking system has such CRAPPY authentication that you need to fall back to ip based blocking them, your online banking system does not belong on the internet in the first place. and the same goes for forum spam, "virusses" (basically crappy written software products (ie: windows) which refuse to fix the exploits ;) etc. tor does one thing: it kinda like urges them to fix their crap :P (now if only there were more exit nodes ;) i'd say, bring on some more protocols like tor and lets have a shakeout of the crap that should not be on the internet/market in the first place. (smtp, windows and other highly vulnerable operating systems and software, crappy forum software, crappy online banks and creditcard systems which think a static username (or even email) and password is hell of a good idea, etc ;) zomg, they use tor to commit fraud/spam/send virusses: no they don't. your own service is at fault there for not being designed with hostile networks like the internet in mind. (and usually the ones spending all their time complaining about it could just fix it with 10 lines of code ;) so yeah, let them all go to hell for all i care :P -- CB3ROB LTD. ======================== DEDICATED SERVER FARMS IP TRANSIT SERVICES DATACENTER FACILITIES ======================== SKYPE: CB3ROB ========================

Julian

-- 3072D/F3A66B3A Julian Yon (2012 General Use) <pgp.2012@jry.me>

On Tue, 27 Nov 2012 01:58:40 +0000 (UTC) Sven Olaf Kamphuis <sven@cb3rob.net> wrote:

[Utopian fantasy]

Meanwhile, back in the Real World, ancient protocols like SMTP dominate the Internet (oh look, you used it to post to this list) and people do what they have to in order to keep their services running. Perhaps you've never worked on a project large enough that network ops and development are handled by separate teams, but in such an environment a sysadmin who allowed the servers to fall over because they believed it was dev's responsibility would quickly find herself out of a job. Tor won't benefit from that person's career suicide. Whereas giving admins the power to implement an easy kill switch (by blocking the exits when they need to) makes Tor a much less attractive prospect for those who would abuse the network. If you can run your attack over Tor, knowing you can be blocked easily, or over some botnet, which would you choose? This means more bandwidth for the rest of us, and fewer abuse complaints for exit operators. I'd say that's a win. Of course, some organisations (I'm looking at Wikipedia) have a problem with Tor that is due to policy, not technology. Is their policy right? Of course not - the impressive level of vandalism that happens anyway proves that (although CluebotNG has an equally impressive catch rate, it has to be said). But unless you're the one paying for and running the infrastructure of that free-as-in-beer service, what right do you have to say “let them all go to hell”? Do you say the same about people who run relays whose exit policies don't allow your traffic? Do you curse at your neighbour whose unencrypted wireless network doesn't allow connections to your favourite porn site? Seriously, get some perspective. Nobody's going to listen if you're rude to/about them. They're more likely to just dig in their heels and erect another barrier. People do what they feel they must to protect what they (are being paid to) care about. Being open about where the exits are is one way of saying “look, we're all friends”. Conversely, making a serious effort to circumvent their blocks by using unpublished exit addresses will simply create another game of Cat & Mouse, just like the one being played with bridge relays. Sites like Wikipedia, who have made at least some token efforts to come to a solution which works for Tor, will stop trying at all because it will no longer be possible to distinguish Tor exit traffic from other non-authenticated connections. As you can see I've made the effort to write in real sentences, use capital letters and avoid “zomg”. I won't do so a second time, because if I haven't convinced you by now I'm not going to. By all means continue daydreaming, just remember that's what it is. If you want your utopia to eventually exist, you have to start with reality. You can't just will it into existence. Julian -- 3072D/F3A66B3A Julian Yon (2012 General Use) <pgp.2012@jry.me>

I have the opposite problem in a way. I use geocaching.org frequently. But because they have had a problem in the past with Tor users they block Tor nodes. As I run a Relay, not Exit, this means that I have to ask for an exception every time my IP changes Happily that doesn't happen very often but it is surly a pain when it does. Is there a way for someone to distinguish real and exit IPs? If so I'll try to educate them. Bill W On Tue, Nov 27, 2012 at 1:15 PM, Daniel Case <danielcase10@gmail.com> wrote:

I have a real world example of this. My forum was being abused by several users all originating from the Tor network, so the first thing I did (and any sane admin would do) was block Tor access (with a note) for a few hours while I figured out what to do. I ended up unbloacking the network and showing Tor users a low-fi version of the forum, and not letting them sign in without captcha (a simple qualitative question) - reducing load and spam.

But something must be done temporally, I agree that Tor users shouldn't be blocked permanently but quiet is needed in order to implement a solution and to get that quiet you need to block at network level, then you can begin a more permanent mitigation plan.

_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

It would just seem really frustrating for users who want to participate in account based sites (and really, what sites aren't) to find themselves kneejerk blocked at the network level. Tor is slow, there's really no claim to be made that Tor is capable of literally DoSing a site. Only one for cranks and spam and abuse. For which higher layer filters/moderation can work, as does simply closing the offending account. So when a way of running an exit appears, such as perhaps this one, that might mitigate against the kneejerk for those 'good' users that care to find them... myself, I'd tend to give the world the benefit of the doubt and run one [1]. It's not like anyone who already disbelieves in Tor/anon/etc enough to block it is going to donate to Tor for providing a nice [DNS/consensus] blocklist or stand up amongst their peers and say 'Tor is some really nice guys'. As a site admin, Tor is but a speck of trouble compared to the rest of the IP space. Put yourself in the shoes of a public service... Facebook, Gmail, forum, whatever... though Tor might bring some rarer serious issues, that's nothing compared to the ticket counts of the general moronic public. [1] Caveat testing to be done regarding proof for those needing it via Exonerator, etc.