[tor-talk] torslap!

lucia at rankexploits.com lucia at rankexploits.com
Fri May 3 19:06:27 UTC 2013 

>Message: 1
>Date: Thu, 2 May 2013 20:45:36 +0200
>From: Andreas Krey <a.krey at gmx.de>
>To: tor-talk at lists.torproject.org
>Subject: Re: [tor-talk] torslap!

>>On Thu, 02 May 2013 13:19:59 +0000, Lucia Liljegren wrote:
>>...
>>Because these "not attackers"  are guessing addresses they tend to hit
my >>404 page which is dynamic and does some checks. When I detect an IP
doing >>this sort of stuff,  I use Cloudflare's API and ban the IP 7
days .

>You mean, when I set up a bit of link farming, you will block Googlebot? :-)

Oh you silly billy. :-)  Everyone knows it's trivially easy to block one
link farmer without blocking google. If I detected you doing rapid or
voracious scraping I would block you.   If your range was identifiable, I
might block you permanently.  This would not affect Googlebot.


>>...
>>What's the proposal under Torslap?  I check the IP that's
fingerprinting, >>and if it's TOR, I make it pass a "proof or work", and
then let it >>continue to scan? That can't be what you are suggesting.  
So what are you
>>suggesting.

>The proof of work would be bound to a login, not an IP. The idea being
>that one is only allowed to put content (aka 'comment') when such a
>proof exist, and the proof would be declared invalid if the account
>is being found spamming.

I'm not groking this.  If your IP was voraciously scraping, attempting RFI
attacks, fingerprinting or doing any of these similarly hostile to my
server,   I would block IP = 123.123.123.123 for that reason.  Even if
someone else shared  123.123.123.123, that  IP is not going to get
sufficiently near my server for me to check the login.  That IP will be
blocked. This has nothing to do with "spam". It has to do with all the
resource sucking behavior the previous person describe and explained were
not attacks.

I don't see how this torslap applied to logins addresses this sort of
misbehavior. It seems to me Tor will still be blocked for these sorts of
things.   As far as I can see, Torslap has been proposed based on the
notion that the only or at least main problem is spam. Spam can be and
likely is a problem. But the main problem I've witnessed with Tor has been
scraping/fingerprinting/ vulnerability scanning and all the things that
have been called "not attacks" in the previous comment.


>Apparently there are way too few exit nodes (especially fast ones
>that get selected often).
If  you mean the low number of exit nodes means that when I ban one IP I
may ban a large fraction of potential Tor traffic, that's possible. But
very little of that Tor traffic is people coming to my blog. I read a
paper -- now several years old -- that suggested more than half the
traffic was involved in  Tor tunnels used to exchange bit Torrent traffic.
That's mostly likely involved in copyright violations. Whether or not it
is, my blocking that doesn't affect those who wish to use Tor for bit
Torrent. Of the remaining portion, most was stuff like "search" or "social
networks". Very little was visiting blogs. Given that most Tor traffic
that hits my blog seems to be these "not attacks", I think my blocking Tor
will inconvenience only a very small number of Tor users whose traffic I
would find desirable.  In general, unless an awfully large fraction of Tor
is doing bad things, my 7 day ban will be invisible to most Torians.


>If there a reason you block for several days? I don't see how that
>would help much. As opposed to not directly blocking but instead
>reversing source and destination address in packets coming from
>such IPs. :-)

Yes. I block for days because blocking for hours is insufficient to solve
the problem.  The script-kiddie programs the script to come back and it
likely will as soon as an IP is blocked. Even if the script-kiddie isn't
specifically interested in my blog, they still seems to write these things
to behave like "The Terminator" from the movie.

I don't know why you think blocking won't "help much". I've implemented
the solution and I find it works rather well at solving my problem.

I don't understand what precisely you are proposing by this "not directly
blocking but instead
reversing source and destination address in packets coming from
such IPs. :-)",  nor what the smilie is intended to convey in that
statement.  Nor do I know why you think this operation would help solve
the problem of scraping/hacking more or better than blocking the IPs at
Cloudflare.  Words might help clarify this in a way that a smile cannot.

As it happens: when I block an IP at Cloudflare, the packets don't arrive
at my server.  I can't reverse packets and send them back.  Blocking the
IP that has been sucking my server resources in these pesky "not attacks"
is quick, simple and it prevents bots from crashing my server as a result
of their "not attack" behaviors.

If you think there is a method that would work better, perhaps you could
describe in words what you think ought to be done in nuts and bolts terms
and then explain why you think it would help prevent entities that are
doing rapid fire scraping, submitting RFI attempts, trying to hunt for
vulnerabilities and so on from wreaking havoc on a server.  Because the
smiley may seem friendly, but it really doesn't clarify the otherwise
rather vague suggestion.

Lucia

More information about the tor-talk mailing list