
Re: reconsidering default exit policy

Jonathan D. Proulx wrote:
> The most reasonable suggestion I heard for determining a default exit
> policy is the eating our own dogfood metric. Is there a way to compile
> some statistics on the percent of running tor routers that allow a
> given port to exit?  Canonicalizing existing practice is probably a
> good place to start.

I whipped up a small script last month when I got some complaints about
IRC abuse.  I wanted to find out how many tor exitpoints there were for
:6667.   I think I posted it at one point, but since it is a small
script I'll attach it again.  It only looks for accept/reject lines
which match all networks (the form '[accept|reject] \*:(\d+)-?(\d+)?')

> as a bit of an aside how can exit policy defend against abuse of
> google groups?  seems this is all port 80 and would require digging
> into the application layer (i would be strongly opposed to interfering
> with anonymity in google searches).  It seems this has probably been
> discussed so I should probably just go Read The Fine Archives :)

The only two sources of complaints that I've had so far have been from
IRC abuse and from usenet abuse via google.  The IRC networks seem to
have figured out ways to deal with Tor users, although I was intending
to allow IRC exit points anyway because there are many IRC networks, and
some may still accept anonymous connections.

For the google problem, I've been blocking by address rather than by
port.  So I've blocked a large range of google addresses which contained
the groups.google.com ips.  But I just checked now and it looks like
groups.google.com maps into a new set of addresses than last month, so it
looks like I may just keep adding more of google's IP range(s) to my
reject lines.

sigh...  I guess being on blacklists isn't so bad though..  One thing
I've noticed though is that I get a lot more worms/zombies trying to use
my web server as a proxy.  They must assume that because I am on a
particular blacklist that my web server allows proxying.  Amusing in a
way, but it was causing my firewall logs to grow rapidly (which showed
up as a secondary effect on my server's temperature log from extra disk
IO)..  so it is official, tor contributes to global warming :-)

I remember hearing someone talk about asking their google friends what
they were going to do about anonymous abuse, but that's the last I heard.


#!/usr/bin/perl -w

use strict;

# first (and only) argument should be a port number to look for
my $testPort = $ARGV[0] || die "Usage: tor-exitpoint <port number>\n";

# fetch tor server list from server, cache locally to be nice...
my $cache = ".tor-policies";
my $cacheExpiration = 60*60;
if((! -f $cache) || (stat($cache))[9] + $cacheExpiration < time()) {
    print "Fetching aggregate tor policy file.\n";
    system "wget -q http://tor.noreply.org:9030/ -O - > $cache";
}

# parse rules for each server..
my $routerName;
my $routerIP;
my $findPort = 0;
open(TOR,$cache) || die "can't open cache file: $!";
while(<TOR>) {
    # a "router <nickname> <address> ..." line starts a new server entry
    # (this match was missing from the posted copy and is reconstructed
    # from the assignments to $routerName/$routerIP below)
    if(m#^router\s+(\S+)\s+(\S+)#) {
	# found router list
	$routerName = $1;
	$routerIP = $2;
	$findPort = 1;
    } elsif($findPort && m#^(reject|accept)\s+\*:(\d+|\*)-?(\d+)?# ) {
	my $type = $1;
	my $startport = $2;
	my $endport = $3 || $2;

	# only the first rule that covers the port counts; rules are
	# evaluated in order and the first match wins
	if($startport eq "*" || ( $startport <= $testPort
		&& $endport >= $testPort )) {
	    chomp;
	    print "$routerName ($routerIP) " . $type . "s $testPort ($_)\n";
	    $findPort = 0;
	}
    }
}
close(TOR);

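The attached script only considers rules of the form `accept|reject *:port`, so a router that rejects a particular address range (the address-based blocking of groups.google.com described above) is counted the same as one that does not. The following is an added example, not code from this message or from the Tor project: it parses the same `router` / `accept` / `reject` layout, but evaluates each router's full policy in order with first-match semantics, including address-specific rules written as a bare IP, a CIDR prefix or a dotted netmask, against a concrete destination address and port. The directory snippet, router nicknames and addresses are constructed for the example (documentation ranges, not real relays). When no rule matches the example returns `None` rather than assuming a default, on the assumption that a real policy ends with a catch-all `*:*` rule.

```python
"""Evaluate Tor-style exit policies against a destination address and port.

Added example: parses a constructed directory snippet in the format the
attached Perl script reads (a "router" line followed by that router's
accept/reject rules) and applies first-match semantics, including
address-specific rules that the Perl script skips over.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample (hypothetical routers, documentation address ranges).
SAMPLE_DIRECTORY = """\
router alpha 192.0.2.10 9001 0 9030
accept *:6667
reject *:*
router bravo 192.0.2.20 9001 0 9030
reject 10.0.0.0/255.0.0.0:*
accept *:80
accept *:443
accept *:6660-6669
reject *:*
router charlie 192.0.2.30 9001 0 0
reject 203.0.113.0/24:*
accept *:80
reject *:*
"""

ROUTER_RE = re.compile(r"^router\s+(\S+)\s+(\S+)")
RULE_RE = re.compile(r"^(accept|reject)\s+(\S+?):(\*|\d+(?:-\d+)?)\s*$")


@dataclass
class Rule:
    action: str                                   # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]      # None stands for "*"
    low: int                                      # inclusive port range
    high: int

    def matches(self, addr: ipaddress.IPv4Address, port: int) -> bool:
        if self.network is not None and addr not in self.network:
            return False
        return self.low <= port <= self.high


@dataclass
class Router:
    name: str
    ip: str
    policy: list[Rule] = field(default_factory=list)


def parse_rule(line: str) -> Rule:
    """Parse one accept/reject line; host may be *, an IP, IP/prefix or IP/netmask."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not an exit policy rule: {line!r}")
    action, host, ports = m.groups()
    # ip_network accepts both "/24" and "/255.255.255.0"; a bare IP becomes a /32
    network = None if host == "*" else ipaddress.ip_network(host, strict=False)
    if ports == "*":
        low, high = 0, 65535
    elif "-" in ports:
        low, high = (int(p) for p in ports.split("-", 1))
    else:
        low = high = int(ports)
    return Rule(action, network, low, high)


def parse_directory(text: str) -> list[Router]:
    """Group each router's rules under the preceding "router" line."""
    routers: list[Router] = []
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            routers.append(Router(m.group(1), m.group(2)))
        elif routers and line.startswith(("accept ", "reject ")):
            routers[-1].policy.append(parse_rule(line))
    return routers


def decide(policy: list[Rule], dest: str, port: int) -> Optional[str]:
    """First matching rule wins; None if nothing matched (no catch-all)."""
    addr = ipaddress.ip_address(dest)
    for rule in policy:
        if rule.matches(addr, port):
            return rule.action
    return None


def exits_for(routers: list[Router], dest: str, port: int) -> list[str]:
    """Nicknames of routers whose policy accepts dest:port."""
    return [r.name for r in routers if decide(r.policy, dest, port) == "accept"]


if __name__ == "__main__":
    routers = parse_directory(SAMPLE_DIRECTORY)
    for dest, port in (("198.51.100.7", 6667), ("203.0.113.5", 80)):
        names = exits_for(routers, dest, port)
        print(f"{len(names)}/{len(routers)} routers exit to {dest}:{port}: {names}")
```

Run against the constructed snippet, `charlie` appears as an exit for port 80 in general but not for a destination inside the /24 it rejects by address, which is exactly the distinction the port-only check cannot make.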