How to ban many IPs?

slush slush at centrum.cz
Wed Oct 29 22:14:37 UTC 2008


I didn't read Tor path selection very well, but I suppose that exit nodes
which allow some special address are not preferred by Tor clients. So the
argument that whitelisting will raise network throughput is probably false.

More in "path-specification" at
https://svn.torproject.org/svn/tor/trunk/doc/spec/path-spec.txt, especially
part 2 of this document.

I'm happy that other people found the same solution as me (Squid), but as I
wrote, I think it is not a clear solution. After some time, Tor scanners will find
that there is probably something wrong and that for some URLs an HTTP error
code (or something similar) is always returned. It is the easiest way to obtain the BadExit flag.

As I wrote in the mail before, a blocking mechanism "on demand" (so not "in
advance" like ExitPolicy) will be the best solution. There can be a config
directive (for example) "Blacklist 1" in the torrc file, which will

a) Enable some implementation of blacklisting in the Tor node (reading from a
flat file, a subrequest to a local service, ...)
b) Export a Blacklisting flag to the directory servers (like the flags Exit, Fast,
...), so Tor clients know that requests to this server can be rejected.
c) The Tor client, after a rejection status from this exit node, will select another
path (probably an exit node without the Blacklist flag).

I know it needs changes in the Tor server, directory servers and Tor client (path
selection), but it can be very helpful in some cases. We are speaking of
levels of MB/s of throughput.

Any suggestions?

Marek

2008/10/29 Jonathan Addington <madjon at gmail.com>

>
> I had an interesting conversation on this list a few months back
> facing the same problem (wanting to use a blacklist for certain
> sites). Trying to do it in the torrc file is simply a bad idea. Using
> blacklists in general doesn't work out well. If I were you, I might
> consider using a white list instead. It is going to severely limit the
> sites people can reach but that still might be ok. Even a relatively
> short white list could relieve a lot of congestion on the tor network
> if the sites are high bandwidth.
>
> The easiest way to implement it is probably to use Squid in
> *non-caching* mode. Its ACLs are powerful enough that other people
> have built web blocking software around it. Not the best of solutions,
> but you could return an error page for any sites that don't match the
> white list explaining that your node can't accept such requests.
>
> (To the dozen responses I am going to get back on why this is such a
> bad idea: I know. I don't know of a better one if a white/black list
> has to be used and HTTP traffic is allowed.)
>
> That's my two cents.
>
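The Squid setup suggested in the quoted reply, written out as an added squid.conf example (it is not configuration from either poster): a non-caching proxy that allows only whitelisted destination domains and serves an explanatory error page for everything else. It assumes the exit's outbound port-80 traffic is steered into Squid by a transparent redirect on the host firewall, which the thread does not describe; the file paths and the error page name are placeholders.

```squid
# Added example squid.conf (not from the thread): non-caching whitelist proxy
# in front of an exit node. Assumes port-80 traffic is redirected into Squid
# by the host firewall; paths and page names below are placeholders.

# Accept intercepted (transparent) HTTP. Squid 2.6/2.7 spelled this keyword
# "transparent"; Squid 3.1 and later use "intercept".
http_port 3128 intercept

# Run as a pure filter: never store user content on the exit.
cache deny all

# Destination whitelist, one domain per line; a leading dot
# (".example.org") also matches subdomains.
acl whitelist dstdomain "/etc/squid/exit-whitelist.txt"

# Only plain HTTP is expected on the intercept port.
acl safe_ports port 80
http_access deny !safe_ports

# Allow whitelisted destinations, reject everything else.
http_access allow whitelist
http_access deny all

# Rejected requests get a custom page instead of the stock error: the
# template ERR_EXIT_WHITELIST (placeholder name) is placed in Squid's
# error_directory and explains that this exit does not accept the request.
deny_info ERR_EXIT_WHITELIST all

# Keep the access log so rejected destinations can be reviewed and the
# whitelist adjusted.
access_log /var/log/squid/access.log squid
```

Because every non-whitelisted request now returns the same error page, the rejection pattern is visible to anyone probing the exit, which is the detectability concern raised above.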