
Re: How to ban many IPs?



I didn't read Tor path selection very well, but I suppose that exit nodes which allow some special address are not preferred by Tor clients. So the argument that whitelisting will raise network throughput is probably false.

More in the "path-specification" at https://svn.torproject.org/svn/tor/trunk/doc/spec/path-spec.txt , especially part 2 of this document.

I'm happy that other people found the same solution as me (Squid), but as I wrote, I think it is not a clear solution. After some time, Tor scanners will find that there is probably something wrong and that for some URLs an HTTP error code or something is always returned. It is the easiest way to obtain the BadExit flag.

As I wrote in the mail before, a blocking mechanism "on demand" (so not "in advance" like ExitPolicy) will be the best solution. There can be a config directive (for example) "Blacklist 1" in the torrc file, which will

a) Enable some implementation of blacklisting in the Tor node (reading from a flat file, subrequest to a local service, ...)
b) Export a Blacklisting flag to directory servers (like the flags Exit, Fast, ...), so Tor clients know that a request to this server can be rejected.
c) The Tor client, after a rejection status from this exit node, will select another path (probably an exit node without the Blacklist flag).

I know it needs changes in the Tor server, directory servers and Tor client (path selection), but it can be very helpful in some cases. We are speaking in levels of MB/s of throughput.

Any suggestion?

Marek

2008/10/29 Jonathan Addington <madjon@xxxxxxxxx>

I had an interesting conversation on this list a few months back
facing the same problem (wanting to use a blacklist for certain
sites). Trying to do it in the torrc file is simply a bad idea. Using
blacklists in general doesn't work out well. If I were you, I might
consider using a white list instead. It is going to severely limit the
sites people can reach but that still might be ok. Even a relatively
short white list could relieve a lot of congestion on the tor network
if the sites are high bandwidth.

The easiest way to implement it is probably to use Squid in
*non-caching* mode. Its ACLs are powerful enough that other people
have built web blocking software around it. Not the best of solutions,
but you could return an error page for any sites that don't match the
white list explaining that your node can't accept such requests.

(To the dozen responses I am going to get back on why this is such a
bad idea: I know. I don't know of a better one if a white/black list
has to be used and HTTP traffic is allowed.)

That's my two cents.
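The Squid setup Jonathan describes (non-caching proxy, whitelist ACL, custom error page for everything else), as an added squid.conf fragment that is not from this thread or from either author; the file paths, the port and the error page name are assumptions, and the firewall rule that sends the exit's port-80 traffic into the proxy is not shown:

```conf
# squid.conf fragment, constructed example (not from the original thread).
# Assumes the exit relay redirects its outgoing port-80 traffic to this
# proxy (firewall rule not shown) and that the whitelist file and the
# custom error page exist at the paths named below.

http_port 127.0.0.1:3128

# Non-caching mode: forward every request, store nothing on disk or in memory.
cache deny all

# One destination domain per line, e.g. ".example.org"; a leading dot
# matches the domain itself and all of its subdomains.
acl whitelist dstdomain "/etc/squid/whitelist.txt"

# Requests to whitelisted sites are forwarded; everything else is refused.
http_access allow whitelist
http_access deny all

# For refused requests, return a custom page explaining that this node does
# not accept such requests (file ERR_TOR_WHITELIST in Squid's errors directory).
deny_info ERR_TOR_WHITELIST all
```

Even in this form the exit still answers some requests with a substituted page instead of the real one, which is exactly the behaviour Marek notes can earn a BadExit flag once scanners notice it.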