[tor-talk] CloudFlare Ciprian Dorin Craciun

Lucia Liljegren lucia at rankexploits.com
Fri Apr 19 18:35:49 UTC 2013


 Ciprian Dorin Craciun 
> But in a large portion (99.99999...%) the population is a normal "Internet" citizen:
> non-technical, using an assortment of Facebook, YouTube, etc...

Because they have an international appeal, Facebook, YouTube and other large international services likely try to find fine-grained ways to distinguish between hackers, spammers, defacers and so on. But small hobby English-language forums using CMSs like Simple Machines or some such, or bloggers using self-hosted WordPress systems discussing knitting or gardening, generally find that IPs from rdsnet.ro, fiberlink.ro, and yes, Tor are disproportionately spammers, hackers and suchlike. The reason for this is that 99.99999...% of Romanian knitters and gardeners will prefer to visit Romanian-language knitting and gardening sites. They mostly aren't interested in English-language knitting sites. (Not that they couldn't be, but mostly they go elsewhere.)

The consequence is that if you look at the conditional probability given the knowledge that the site hit is an English-language site about knitting, the probability that the connection from rdsnet.ro is spammy, cracky or scrapey is very high. In contrast, if the site were a Romanian-language site, the probability that a connection from rdsnet.ro was spammy, cracky or scrapey would be low. A similar issue arises with Tor. Some forum admins find the vast majority of requests from Tor IPs are spammy, cracky or scrapey; others will find the majority of Tor users are people who have other, not necessarily illegitimate, reasons to conceal their IP addresses.

These connections can be dealt with in a variety of ways, but blocking rdsnet.ro, fiberlink.ro, and yes, Tor can simplify things for a hobbyist who just wants to get on with discussing the relative merits of "k2tog" vs "ssk" decreases when knitting a hat and not be bombarded with traffic attempting to submit links to porn sites or hack into the site and take over the server. Blocking rdsnet.ro isn't sufficient to protect the site, but it does reduce the server load and provides some relief from difficulties that currently present themselves.

Similar balancing acts are made when a site operator elects to block by IP, user agent, domain, Tor use, referrer or any feature of the request. 

