
Re: Exit node blocking site?



Just got back home, sitting here looking at these emails about this, and
I thought I should say that I've run a server for a little while on a
machine with PeerGuardian. At the time I was using Tor intermittently
for browsing and found myself getting 'could not contact server' way
more often than I ever did from just the bugs in the Tor network... and
I think you are right, it would cause some serious problems... 'cos right
there sitting at the machine I was getting network timeouts; I imagine
if anyone had been trying to exit from my node they would have been very
frustrated. But on the other hand, I'd only permitted IRC and SILC
traffic to exit, so it probably didn't cause a big problem... but for some
reason EV1's entire IP range is blocked by the 'spyware/spam' blocking
system on PeerGuardian. I believe there are a number of IRC nodes on EV1
(Everyone's Internet, as it's known).

There's probably not much that can be done to stop people doing it, I
guess, but perhaps the Tor setup docs should mention prominently
somewhere the problems that IP blacklists on a server machine, or at the
edge of the intranet it's on, can cause. I wouldn't be surprised if more
than a few Tor nodes are on IPs in a blacklisted range too, which would
cause problems with setting up circuits too.

Joseph Lorenzo Hall wrote:
> On 2/19/06, Roger Dingledine <arma@xxxxxxx> wrote:
>> On Sun, Feb 19, 2006 at 04:28:33PM -0500, Michael Holstein wrote:
>>> I actually block access to groups.google.com and groups.l.google.com by
>>> putting them as 127.0.0.2 in /etc/hosts -- but I noticed that TOR is
>>> smart enough to notice that the address will resolve to an IP prohibited
>>> by the exitpolicy, and not even try.
>> Right now you're degrading service for other Tor users that try to go to
>> groups.google.com, because you trick them into thinking that it resolves
>> to something else. Also (and you'll perhaps be more motivated by this), if
>> the user resolves the address into an IP first, you're not blocking that.
>>
>> The better answer is to change your exit policy to reflect the addresses
>> and ports that aren't reachable from your server. Then clients will
>> learn it from your descriptor and not even try to exit from you.
> 
> This can be done by essentially listing the IP addresses for
> groups.google.com in the torrc exit policy section, right?  Would
> using dig on groups.google.com be sufficient to block the IP addresses
> associated with that domain name?  I guess what I'm wondering is this:
> is there a way to learn all the IP addresses associated with a domain
> name using a tool like dig? Or is it sufficiently more complicated
> than that?
> 
> --
> Joseph Lorenzo Hall
> <http://josephhall.org/>
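As an added illustration of the exit-policy approach Roger recommends (this is example code written for this page, not Tor's own code): it turns a set of resolved addresses into torrc `ExitPolicy reject` lines and then evaluates a policy with first-match semantics, so a client that resolved the name to an IP itself is still refused. The addresses are constructed placeholders standing in for what repeated `dig` lookups would return.

```python
import ipaddress

# Constructed sample: addresses a resolver returned for the blocked name over a
# few lookups (placeholders, not real addresses for any Google host).
RESOLVED = ["192.0.2.10", "192.0.2.11", "192.0.2.10", "198.51.100.7"]

def reject_lines(addresses, ports="*"):
    """Build one torrc 'ExitPolicy reject ADDR:PORT' line per distinct address."""
    distinct = sorted(set(addresses), key=ipaddress.ip_address)
    return [f"ExitPolicy reject {a}:{ports}" for a in distinct]

def parse_policy(lines):
    """Parse 'ExitPolicy accept|reject ADDR[/MASK]:PORT' lines.

    Returns (action, network-or-None, (lo, hi)) tuples; '*' matches anything,
    and a port may be a single number or a 'lo-hi' range, as in torrc.
    """
    rules = []
    for line in lines:
        _, action, target = line.split()
        addr, port = target.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            prange = (1, 65535)
        else:
            lo, _, hi = port.partition("-")
            prange = (int(lo), int(hi or lo))
        rules.append((action, net, prange))
    return rules

def exit_allowed(policy, ip, port):
    """Evaluate a destination IP:port against the policy; first match wins,
    which is how Tor applies ExitPolicy lines. Unmatched traffic is rejected."""
    addr = ipaddress.ip_address(ip)
    for action, net, (lo, hi) in policy:
        if (net is None or addr in net) and lo <= port <= hi:
            return action == "accept"
    return False

if __name__ == "__main__":
    lines = reject_lines(RESOLVED) + ["ExitPolicy accept *:80",
                                      "ExitPolicy reject *:*"]
    print("\n".join(lines))
    policy = parse_policy(lines)
    # A client that resolved the name itself still hits the address rule.
    print(exit_allowed(policy, "192.0.2.10", 80))   # False
    print(exit_allowed(policy, "203.0.113.5", 80))  # True
```

Note that a single `dig` only shows the answers returned at that moment; a name served by round-robin or geographically varied DNS may resolve to addresses the policy has not yet seen.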

