[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

tor block list

To: admins@xxxxxxxxx
Subject: tor block list
From: Valient Gough <vgough@xxxxxxxxx>
Date: Tue, 01 Feb 2005 19:53:01 +0100
Cc: or-talk@xxxxxxxxxxxxx
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Tue, 01 Feb 2005 13:53:38 -0500
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0 (X11/20041207)


Dear TOR block-list administrator,

If you are blocking TOR nodes primarily for IRC users, then you should
be aware the TOR nodes are individually configurable as to which
destinations they allow.  Some TOR nodes don't allow *any* outgoing
traffic -- they only act as middlemen between other TOR nodes.

Attached is an example perl script which can parse through tor exitpoint
rules and show which nodes allow access to a particular port (say one of
the IRC ports), and which nodes do not.

Currently, less then 60% of tor nodes allow outgoing connections to port
6667.  By comparison, 67% allow outgoing connections to port 80, and
none allows outgoing connections to port 25.

So I don't think a single list will cover all uses.  Rather then
disallowing connections from a system because it happens to be a TOR
node, take into consideration what the exit policy is of the node.

regards,
Valient

#!/usr/bin/perl -w

use strict;

# first (and only) argument should be a port number to look for
my $testPort = $ARGV[0]
    || die "Usage: tor-exitpoint <port number>\n";

# fetch tor server list from server
# this server was listed on the report page:
# http://www.noreply.org/tor-running-routers/
open(TOR, "wget -q http://tor.noreply.org:9030/ -O - |")
    || die "Can't open wget: $!";

# parse rules for each server..
my $state = 1;
my $routerName;
my $routerIP;
while(<TOR>)
{
    chomp;
    if($state == 1 && m#^router (.*) (\d+\.\d+.\d+.\d+)#)
    {
	#print "found router id line \"$_\"\n";
	# found router list
	$routerName = $1;
	$routerIP = $2;
	$state = 2;
    } elsif( $state == 2 && m#^(reject|accept) \*:(.*)# )
    {
	# $2 is port or port range (eg "110"   or  "1-1000")
	my $type = $1;
	my $startport = $2;
	my $endport = $2;

	if($startport =~ m#(\d+)-(\d+)#)
	{
	    $startport = $1;
	    $endport = $2;
	}

	if($startport eq "*" ||
	    ( $startport <= $testPort && $endport >= $testPort ))
	{
	    # rule matches
	    #print "rule \"$_\" matches port $testPort\n";
	    if($type eq "reject")
	    {
		print "$routerName ($routerIP) rejects $testPort ($_)\n";
		$state = 1;
	    } else
	    {
		print "$routerName ($routerIP) accepts $testPort ($_)\n";
		$state = 1;
	    }
	}
    }
}

close(TOR);

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: tor block list
  - From: Geoffrey Goodell

Prev by Author: Re: Tor hogging cpu
Next by Author: Re: tor block list
Previous by thread: Another blacklist
Next by thread: Re: tor block list
Index(es):
- Author
- Thread