[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Scroogle is allowing Tor again [Was: Re: Strange problem with Tor/Scroogle]


> I think Scroogle's blocking of Tor exit nodes may have been a mistake in
> setting up block lists somewhere; I can access it again through Tor.
> Anyone else want to confirm?

forwarded with David Brandts permission:

Date: Wed, 1 Oct 2008 10:33:41 -0700 (PDT)
From: Daniel Brandt <scroogle@xxxxxxxxxxxxx>
Subject: RE:Scroogle & Tor

Scroogle's six servers have been under an around-the-clock flooding
that is coming through Tor. Until today, this has been going on for
eight days without any let-up.

They came into Scroogle in the form of one of three GET requests
for a search. They use DNS lookups of www.scroogle.org because
they hit only our servers that were currently in our DNS. Curiously,
they also picked up our favicon.ico consistently, which in restrospect
seems to suggest a misconfigured machine. Anyway, it slowed to a crawl
about ten hours ago.

The three search terms requested are easy to catch:

1)  damian+conway+perl
2)  osman+semerci+-fired
3)  issam+fares+-kanaan

We lifted our Tor blocks about an hour ago. Only a few per hour are
coming through by now, which we are handling directly based on the
search terms instead of trying to block all Tor exit nodes.

Originally we thought that someone was using Scroogle to scan for
possible Tor exit nodes. We chose to use null-route blocking to
defeat this, because a "Forbidden" would merely confirm that the
circuit found its intended destination.

Then we thought that whoever is doing this is anti-Tor as much as
anti-Scroogle, and that it was an attempted denial of service.

Now we think it was an out-of-control machine and that it was
turned off earlier today.

-- Daniel Brandt

Date: Wed, 1 Oct 2008 12:48:07 -0700 (PDT)
From: Daniel Brandt <scroogle@xxxxxxxxxxxxx>
Subject: Re: Scroogle & Tor

Sure, please post it on the mailing list, and convey our apologies
to Tor users who were inconvenienced.

If it happens again, we will try to just block on the abuser's
search terms. We no longer suspect that anyone is stupid enough
to use Scroogle to scan for exit nodes, because they should
realize that if we let these get through to Google, then our
six servers might get blocked by Google. We know for a fact that
Google has the ability to block all of our servers from all of
their various data centers in about 30 minutes flat; all it takes
is for someone in a position of authority at Google to decide that
it's time to stop being tolerant toward Scroogle. (We have never
had any arrangements with Google whatsoever, and they already
know the IPs of our six servers as they appear at the 270+ Google
IP addresses we use.)

But if some Tor abuser wanted to vary the search terms by using
a dictionary lookup, this would be impossible to intercept.
In such a situation, we'd have to block all the exit nodes again.
At least we're now set up to do this effortlessly, because we've
had eight days of training. During that time we wrote and debugged
programs for automatic Tor exit-node blocking across all six

If the consensus among Tor experts is that this was a misconfigured
Tor server (we don't use Tor so we haven't a clue), we hope someone
can figure out how it happened, and also figure out how to prevent
this sort of accidental misconfiguration. Otherwise, Tor will
eventually get a bad name once script kiddies discover how much
fun this is, and it will no longer happen accidentally.

Something very similar happened to Scroogle in July, but it was at
a much lower level of activity, and seemed to happen during U.S.
business hours only, instead of around the clock. That's why we
think it may worth investigating by Tor experts, especially from
an  "ease of misconfiguration" standpoint, and possibly even from
an "early detection" standpoint.

-- Daniel


Mail per I2P: http://www.i2p2.de/