[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: How to ban many IPs?

On Wed, Oct 29, 2008 at 5:14 PM, slush <slush@xxxxxxxxxx> wrote:
> I didnt read Tor path selection very well, but I suppose, that exit nodes
> which allow some special address are not preffered by tor clients. So
> argument that whitelisting will raise network thoughput is problably false.
> More in "path-specification" on
> https://svn.torproject.org/svn/tor/trunk/doc/spec/path-spec.txt , especially
> part 2 of this document.

See 2.2.1. "Choosing an exit"

While Roger would be able to clarify, it looks like you could avoid
being flagged as a bad exit if you used a short whitelist in your
torrc file. Specifically I think of sites such as Wikipedia or
whatever search engine is the most popular in the tor network.

> Im happy that other people found the same solution like me (Squid), but as I
> wrote, I think it is not clear solution. After time, tor scanners will find
> that there is problably something wrong and for some URLs is always returned
> http error code or something. It is the easiest way to obtain BadExit flag.
> As I wrote in mail before, blocking mechanism "on demand" (so not "in
> advance" like ExitPolicy) will be the best solution. There can be config
> directive (for example) "Blacklist 1" in torrc file, which will
> a) Enable some implementation of blacklisting in tor node (reading from
> flatfile, subrequest to local service, ...)
> b) Export Blacklisting flag to directory servers (like flags Exit, Fast,
> ...), so tor clients know, that request to this server can be rejected.
> c) Tor client after rejection status from this exit node will select another
> path (problably exit node without Blacklist flag).
> I know it need changes in Tor server, directory servers and tor client (path
> selection), but it can be very helpful in some cases. We are speaking in
> levels of MB/s of throughput.
> Any suggestion?
> Marek
> 2008/10/29 Jonathan Addington <madjon@xxxxxxxxx>
>> I had an interesting conversation on this list a few months back
>> facing the same problem (wanting to use a blacklist for certain
>> sites). Trying to do it in the torrc file is simply a bad idea. Using
>> blacklists in general doesn't work out well. If I were you, I might
>> consider using a white list instead. It is going to severely limit the
>> sites people can reach but that still might be ok. Even a relatively
>> short white list could relieve a lot of congestion on the tor network
>> if the sites are high bandwidth.
>> The easiest way to implement it is probably to use Squid in
>> *non-caching* mode. It's ACL's are powerful enough that other people
>> have built web blocking software around it. Not the best of solutions,
>> but you could return an error page for any sites that don't match the
>> white list explaining that your node can't accept such requests.
>> (To the dozen responses I am going to get back on why this is such a
>> bad idea: I know. I don't know of a better one if a white/black list
>> has to be used and HTTP traffic is allowed.)
>> That's my two cents.