
Re: tor block list
Brian Bruns wrote:

> > If you are blocking TOR nodes primarily for IRC users, then you
> > should be aware the TOR nodes are individually configurable as to
> > which destinations they allow.  Some TOR nodes don't allow *any*
> > outgoing traffic -- they only act as middlemen between other TOR
> > nodes.

> Yes, I am aware of the ability to restrict what traffic the nodes
> allow.
>
> We actually have more than just IRC users using this right now - we've
> got a prototype setup with a Usenet server, as well as several web hosts
> restricting certain web pages/sites with the list (for things like
> whois lookups, SSL transactions), which is why it lists all nodes and
> not just some (each list we load into our servers uses up resources,
> so we try to limit our lists as specifically as we can).

Even then, you gain nothing by blocking tor nodes which do not allow any outgoing connections. There should be no technical reason to block hosts with no exit points. That should be easy to fix, and it doesn't require separate lists.

> It's up to the users themselves to figure out how to properly use the
> list. However, I will personally yell at any individual who uses this
> list for SMTP blocking, since it is bound to cause false positives.

I'd say it is guaranteed to cause false positives the way it is now. 100% false positives for SMTP as of a couple hours ago when I last checked -- there were a total of 0 tor nodes that allowed exit to SMTP ports.

> On the flip side, anyone who runs this kind of service on a server
> that does other things like SMTP, needs to honestly reevaluate this
> choice, as it is guaranteed to cause problems with the other services
> once abuse starts spewing from the node.

This kind of service... Sounds like an evil group. Maybe we could call them 'red commie bastard' servers for greater effect. Tor and SMTP are entirely separate, even if they come from the same IP address.

On the flip side of that flip side, I don't envy your job, because services which provide blocking lists are tasked with a job of not producing false positives, just like my spam filter. Sure, it would be easier if you never had to fine-tune blocking -- you could do like a certain company and block all of Europe.. But just like my spam filter, false positives tend to upset customers, and I know that if my spam filter starts dropping mail from my friends, I do something about it, including finding something better.
> I have nothing against TOR
> itself - it's a nifty idea, but it's already started causing me stress
> from dealing with the abuse on irc.

I had a talk with someone from one of the IRC servers recently because they were getting unwanted traffic from my tor server as an endpoint. The person reporting the problem had suggested that I block IRC ports or else my server would get blocked by his network. But the way I see it is that there are hundreds of IRC networks, and blocking access to all IRC ports would be dumbing down the connection options to whatever the least tolerant network wanted. I'd rather see my node blocked by IRC networks that don't want anonymous traffic, because I expect that there will be some that do allow it!

So, I have nothing against some networks blocking IRC connections from tor nodes with IRC exitpoints, like mine. But if my server's other connections are wrongfully blocked, then I'll try to educate the users on finding better solutions. That's why I think it is in both of our interests to have your lists used for the right purpose.

regards,
Valient
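As an added example, not part of this thread or of Tor's own code: a small Python filter that applies Tor-style exit policies (rules evaluated top to bottom, first match wins) to a set of relays and builds a per-port list, so that a block list for SMTP or IRC contains only relays that can actually exit to that port, and middle-only relays never appear. The relay nicknames, the 192.0.2.x addresses and the policies are constructed sample data, and only the `*:port` rule form is handled (an assumption; real policies may also carry address/mask prefixes).

```python
# Constructed sample relays (nickname, IP, exit policy); not real Tor relays.
SAMPLE_RELAYS = [
    ("middle-only", "192.0.2.10", ["reject *:*"]),
    ("web-exit", "192.0.2.20", ["accept *:80", "accept *:443", "reject *:*"]),
    ("irc-exit", "192.0.2.30",
     ["reject *:25", "accept *:6660-6669", "accept *:6697", "reject *:*"]),
    ("open-exit", "192.0.2.40", ["reject *:25", "accept *:*"]),
]


def _port_matches(spec, port):
    """True if a policy port spec ('*', '25' or '6660-6669') covers port."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def allows_exit(policy, port):
    """Apply a Tor-style exit policy to a destination port.

    Rules are checked top to bottom and the first match decides, as in
    Tor. Only the '*:port' address form is handled (assumption: real
    policies may also carry address/mask prefixes). A policy with no
    matching rule is treated as reject here.
    """
    for rule in policy:
        action, _, target = rule.strip().partition(" ")
        addr, _, portspec = target.rpartition(":")
        if addr != "*":
            raise ValueError("address-specific rule not supported: " + rule)
        if _port_matches(portspec, port):
            return action == "accept"
    return False


def exits_for_port(relays, port):
    """Sorted IPs of relays whose policy lets traffic out to `port`.

    Relays that reject the port, and middle-only relays, are left out,
    which is what keeps a per-service block list free of false positives.
    """
    return sorted(ip for _, ip, pol in relays if allows_exit(pol, port))


if __name__ == "__main__":
    for name, port in (("SMTP", 25), ("IRC", 6667), ("HTTP", 80)):
        print(name, exits_for_port(SAMPLE_RELAYS, port))
```

With the sample data the SMTP list comes out empty, matching the situation described above where no relay allowed exit to SMTP ports.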