[tor-bugs] #19064 [- Select a component]: Access denied, by most exits, to a very specific IP range

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 16 10:29:21 UTC 2016 

#19064: Access denied, by most exits, to a very specific IP range
----------------------------------+--------------------------
 Reporter:  Tu2020                |          Owner:
     Type:  defect                |         Status:  reopened
 Priority:  Medium                |      Milestone:
Component:  - Select a component  |        Version:
 Severity:  Normal                |     Resolution:
 Keywords:  range IP block        |  Actual Points:
Parent ID:                        |         Points:
 Reviewer:                        |        Sponsor:
----------------------------------+--------------------------

Comment (by teor):

 Replying to [comment:3 Tu2020]:
 > Replying to [comment:2 teor]:
 > > It's likely that this IP range has decided to block Tor Exit nodes. If
 so, there's nothing we can do. (Except ask politely to be unblocked.)
 > >
 > > Feel free to look up the owner of the IP range and add them to:
 > >
 https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor
 >
 > I have triple checked with the Administrator of the IP range, as well as
 the Hosting company.  Neither of those entities have blocked TOR exits.
 In fact, it would be technically impossible to do so, because of the
 quantity of addresses.  These are the rationale given to me both both the
 Administrator of the sites in that IP range, as well as the hosting
 company (Hivelocity).
 >
 > Of course, I have reviewed
 https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor
 , and it is focused entirely about a server side block, which, as I've
 specified, is not the case here.
 >
 > The blocking in question is distinctly from within TOR.

 Each Tor Exit operator makes their own decisions about what ports and IP
 ranges they will allow.

 The top 10 exits on Compass do not block this range in their exit
 policies:
 https://compass.torproject.org/#?exit_filter=fast_exits_only_any_network&links&sort=cw&sort_reverse&country=
 So there is no Tor block at the Exit level.
 (And Tor has no way to configure blocks at the Tor Network level.)


 When I tried to connect to 162.216.5.226 in Tor Browser, I received the
 typical log entries that happen when an IP range drops packets from Tor
 Exits:
 {{{
 May 16 06:21:55.000 [notice] We tried for 15 seconds to connect to
 '[scrubbed]' using exit
 $20B0038D7A2FD73C696922551B8344CB0893D1F8~edwardsnowden1 at 109.163.234.8.
 Retrying on a new circuit.
 May 16 06:22:11.000 [notice] We tried for 15 seconds to connect to
 '[scrubbed]' using exit
 $7D5CCD1D8D798779979DF7E0A3A2BFA55D2C24B3~torlesnet2 at 199.87.154.251.
 Retrying on a new circuit.
 May 16 06:22:27.000 [notice] We tried for 15 seconds to connect to
 '[scrubbed]' using exit
 $4B170476D09459328438F3E68ED19516C9F75A80~birnenpfeffimitzimt at
 212.21.66.6. Retrying on a new circuit.
 May 16 06:22:42.000 [notice] We tried for 15 seconds to connect to
 '[scrubbed]' using exit $379FB450010D17078B3766C2273303C358C3A442~aurora
 at 176.126.252.12. Retrying on a new circuit.
 May 16 06:22:57.000 [notice] We tried for 15 seconds to connect to
 '[scrubbed]' using exit $615ABEA2DE76EB3760BC51E7306BAA59F15CD8F2~Cloud at
 5.135.158.101. Retrying on a new circuit.
 May 16 06:23:14.000 [notice] We tried for 15 seconds to connect to
 '[scrubbed]' using exit $9D6AE1BD4FDF39721CE908966E79E16F9BFCCF2F~Necto at
 93.115.95.201. Retrying on a new circuit.
 May 16 06:23:29.000 [notice] We tried for 15 seconds to connect to
 '[scrubbed]' using exit
 $69DF3CDA1CDA460C17ECAD9D6F0C117A42384FA0~AccessNow008 at 176.10.99.204.
 Retrying on a new circuit.
 May 16 06:23:29.000 [notice] Tried for 132 seconds to get a connection to
 [scrubbed]:80. Giving up.
 }}}

 It's possible Hivelocity has a block at the network (/28 or higher) level
 that targets unwanted traffic, and Tor Exits are included in that block.
 The administrators you contacted could be unaware of this block, or may
 not understand the consequences of the traffic filtering that has been
 configured.

 This could well be part of Hivelocity's "DDoS protection" or "Firewall"
 services:
 https://www.hivelocity.net/enhancements/ddos-protection/
 https://www.hivelocity.net/enhancements/firewall/

 And yes, it is possible to block almost all Tor Exits from accessing an
 entire network. All it takes is one device at the entry to the network,
 configured with a list of Tor Exits.

 Please feel free to provide logs or packet traces that show where
 connections to 162.216.5.226 are being blocked - as you can see from the
 above logs and Compass exit list, there is no blocking between Tor clients
 and Tor exits, or in Tor exit policies.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19064#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list