[tor-relays] Some Dir Authorities blocked

Scott Bennett bennett at sdf.org
Wed Sep 20 08:46:59 UTC 2017


Andreas Krey <a.krey at gmx.de> wrote:

> On Sun, 17 Sep 2017 08:13:43 +0000, Scott Bennett wrote:
> ...
> > connections to other relays somewhere, those of us using packet filters could
> > include the rest of the missing addresses in aid of the connectivity you want.
>
> I really don't see what the point is in this filtering. Any attacker
> can just fire up its own relay and attack from there once its address
> is in the consensus.
>
     Attackers/probers, at least of my system, do not appear to be aware of
tor, or of most other applications, for that matter.  They assault mainly
any open ports they find.  The IP addresses from which such attacks connect
are either direct attackers or are systems whose security is inadequately
attended to and have been commandeered by attackers.  The purpose of the
filter rules is to deny the attackers access to *anything* on my system to
the degree to which they can be identified.
     The source IP addresses belonging to tor relays are a special case
because attacks might exit through them or might be running on those systems,
but tor connectivity must be maintained.  So the rules are a compromise.
They allow inbound connections only to the ORPort and the DirPort from all
addresses known to belong to tor relays in order to maintain that
connectivity.  Any such attacks on the ORPort or DirPort from those addresses
are a) likely to be rare, if only because the time delays in going through
tor to attack tor (or anything else) slow the attacker's automation
to a degree usually not accepted by the attacker's software and b) also rare
because the tor relay operator community tends to be significantly more
security-conscious than the vastly broader community of Internet users at
large and are therefore far less likely to allow stuff on their systems
running relays to engage in such attacks in the first place.  Addresses in
the list of offending addresses that are not also in the list of tor relay
addresses are blocked from attacking tor or any other services on my system.
     The problem here stems from allowing secret addresses to belong to tor
relays inasmuch as connections from those secret addresses cannot be
protected in the fashion described above.
     FWIW, I had composed two or three nights ago a fairly detailed response
to teor's arguments against what I had previously posted, when my Comcast
connection went down several times in rapid succession, destroying my SSH
session.  Unfortunately, virecover on SDF's servers does not actually produce
usable recovery files, so the message, which was almost ready to be sent, was
lost.  I managed to copy many blocks of text from several pages of the screen
buffer into a file on my system, but their order is scrambled.  As soon as I
can spare the time to reconstruct my arguments and proposed solutions, I will
do so, but at the moment I have urgent personal matters to attend to for a few
days.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
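The rule compromise described in the message (consensus relay addresses may reach only the ORPort and DirPort, offending addresses that are not relays are denied everything) as an added worked example; this is not code from the original post or from the Tor project. It assumes a pf(4)-style ruleset with table names `<tor_relays>` and `<offenders_only>` and local ORPort/DirPort 9001/9030; the consensus excerpt and offender list are constructed sample data in documentation address ranges.

```python
#!/usr/bin/env python3
"""Derive packet-filter rules from a Tor consensus and an offender list.

Added example, not code from the original post. Relay addresses taken
from the consensus are allowed in only to the ORPort and DirPort; listed
offenders that are NOT relays are blocked from everything. The pf table
and rule names are assumptions; the data below is constructed.
"""
import ipaddress

# Constructed excerpt shaped like a cached-consensus. An "r" line ends in
# "IP ORPort DirPort"; an "a" line carries an additional (IPv6) OR address.
# Identity and digest columns are filler.
CONSENSUS = """\
network-status-version 3
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2017-09-20 06:00:00 192.0.2.10 9001 9030
a [2001:db8::10]:9001
s Fast Running Stable Valid
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2017-09-20 05:30:00 198.51.100.7 443 0
s Running Valid
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2017-09-20 07:10:00 203.0.113.5 9001 9030
a [2001:DB8:0:0::5]:9001
s Exit Fast Running Valid
"""

# Constructed offender list: addresses seen probing open ports, one per line.
OFFENDERS = """\
# constructed: sources of ssh/http probes
203.0.113.5
203.0.113.77
2001:db8::5
198.51.100.200
"""


def normalize(addr):
    """Canonical text form, so '2001:DB8:0:0::5' and '2001:db8::5' compare equal."""
    return str(ipaddress.ip_address(addr))


def relay_addresses(consensus):
    """Every OR address in the consensus: IPv4 from 'r' lines, extra ones from 'a' lines."""
    addrs = set()
    for line in consensus.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Full consensus 'r' lines have 9 tokens, microdesc ones 8; the
        # tail is always "IP ORPort DirPort", so the IP is third from the end.
        if fields[0] == "r" and len(fields) in (8, 9):
            addrs.add(normalize(fields[-3]))
        elif fields[0] == "a" and len(fields) == 2:
            host, _, _port = fields[1].rpartition(":")
            addrs.add(normalize(host.strip("[]")))
    return addrs


def offender_addresses(text):
    """Parse a one-address-per-line list, ignoring blanks and '#' comments."""
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addrs.add(normalize(line))
    return addrs


def classify(relays, offenders):
    """Offenders that are not relays get blocked entirely; offending relays
    fall under the relay rule (ORPort/DirPort only) so connectivity survives."""
    return offenders - relays, offenders & relays


def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))  # v4 before v6; mixed-version compare raises


def pf_rules(relays, offenders, or_port=9001, dir_port=9030):
    """Render pf-style rules. 'quick' makes the first match win, so the
    offender table must hold only non-relay addresses, or a relay that also
    probed us would be cut off before its ORPort/DirPort pass rule."""
    blocked, _ = classify(relays, offenders)
    return [
        "table <offenders_only> persist { %s }" % ", ".join(sorted(blocked, key=_sort_key)),
        "table <tor_relays> persist { %s }" % ", ".join(sorted(relays, key=_sort_key)),
        "block in quick from <offenders_only> to any",
        "pass in quick proto tcp from <tor_relays> to any port { %d, %d }" % (or_port, dir_port),
        "block in quick from <tor_relays> to any",
    ]


if __name__ == "__main__":
    for rule in pf_rules(relay_addresses(CONSENSUS), offender_addresses(OFFENDERS)):
        print(rule)
```

Addresses are normalised before the set difference; without that, an IPv6 offender written in a different form from its consensus "a" line would land in the block-everything table and cut off a relay. The script can only cover addresses that actually appear in the consensus, which is exactly the limitation the message raises for relays reached through addresses the consensus does not publish.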

