> On 10 Feb 2017, at 13:13, Andrew Deason <adeason@xxxxxxxx> wrote:
>
>>> From my current conversation with them, they are aware of at least some
>>> suggested ways of blocking tor entirely, but claim some issues with
>>> doing so. (Something having to do with exit node IPs changing too
>>> frequently, making the existing methods useless.)
>>>
>>> I am not sure if there are real technical limitations, or there is just
>>> a misunderstanding. Since I don't work with the technical details of tor
>>> in and out every day, I'm a little hesitant to be arguing with them
>>> about the various technical details, since I might get something wrong.
>>>
>>> And of course, if there _are_ actual problems with the mechanisms of tor
>>> blacklisting, I can't do anything about it myself, and we have to play
>>> "telephone" with me reporting some issue second-hand or whatever.
>>
>> They are probably using the wrong list, there are reliable lists
>> maintained by Tor, as far as I know.
>
> As far as I can tell, the specific complaint here was that TorDNSEL
> caches results for 30 minutes; I can see the results indeed give a TTL
> of 30 minutes. You can just ignore the TTL though, but maybe they were
> also (allegedly) seeing the information itself be 30 minutes stale. I
> don't know.
>
> Anyway, so the claim (I think) is that the TorDNSEL data would be out of
> date, and they would block based on that, so they would be missing some.
> Attackers would then try running their exploit repeatedly until they
> found an exit that works; and since (they claim) tor exit IPs change so
> frequently, this would always be a problem. (Even if all of this were
> true, how this is any better at all from having individual exits block
> the target ranges via ExitPolicy from their automated reports is beyond
> me.)
>
> It also seems like a service like theirs wouldn't be using TorDNSEL, but
> instead maybe doing something parsed from consensus itself, but that's
> just me.
Consensuses only come out every hour, and almost all tor clients wait at
least another hour before downloading them, so they have a head start.

But no wonder they are having trouble if they are just using the
consensus: it only contains ORPort/DirPort IP addresses.

And Exits are free to use another IP as their OutboundBindAddress, so
some of the Tor exit lists check by actually making a connection through
the Exit.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
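The two detection paths the thread contrasts (pulling exit addresses out of the consensus, versus asking TorDNSEL and deciding your own freshness policy instead of trusting its 30-minute TTL) can be shown side by side in a small offline script. This is an added example, not code from the thread or from the Tor Project. The consensus excerpt, the DNS answers and the timestamps are constructed sample data; the DNSEL query form (reversed IPv4 octets under dnsel.torproject.org, with 127.0.0.2 meaning "is an exit") is my assumption about the service and is served here by a fake resolver so nothing touches the network. The exit `ExitAlpha` is given an ORPort address that differs from the address its traffic actually leaves from, which is exactly the OutboundBindAddress case teor describes: the consensus-derived set misses it, while a lookup keyed on the observed source address does not.

```python
"""Offline comparison of consensus-derived and DNSEL-derived exit checks.

All data below is constructed for the example; nothing is fetched.
"""
import ipaddress
from datetime import datetime, timedelta

# --- 1. Consensus-based detection -------------------------------------------
# Constructed fragment laid out like network-status "r"/"s"/"w"/"p" lines.
# Only the ORPort address appears here; an exit's OutboundBindAddress never does.
SAMPLE_CONSENSUS = """\
r ExitAlpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2017-02-10 12:00:00 198.51.100.7 9001 9030
s Exit Fast Running Stable Valid
w Bandwidth=12000
p accept 80,443
r GuardBeta CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2017-02-10 12:00:00 198.51.100.8 443 0
s Fast Guard Running Stable Valid
w Bandwidth=30000
p reject 1-65535
"""


def consensus_exit_ips(consensus_text):
    """Return the ORPort IPs of relays whose status line carries the Exit flag."""
    exits = set()
    current_ip = None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current_ip = parts[6]          # r nick id digest date time IP ORPort DirPort
        elif parts[0] == "s" and current_ip and "Exit" in parts[1:]:
            exits.add(current_ip)
    return exits


# --- 2. TorDNSEL-style lookup with our own freshness policy -----------------
def dnsel_query_name(ip, zone="dnsel.torproject.org"):
    """Build the reversed-octet query name (assumed DNSEL form; IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


# Constructed resolver: name -> (answer, ttl_seconds); None stands for NXDOMAIN.
# 203.0.113.9 is ExitAlpha's (constructed) OutboundBindAddress, which a
# probe-based list would have seen even though the consensus does not list it.
FAKE_DNS = {
    dnsel_query_name("198.51.100.7"): ("127.0.0.2", 1800),
    dnsel_query_name("203.0.113.9"): ("127.0.0.2", 1800),
    dnsel_query_name("192.0.2.50"): None,
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


class ExitChecker:
    """Caches DNSEL answers under a caller-chosen max_age, ignoring the TTL
    the service returns, so a stale positive or negative is re-asked sooner."""

    def __init__(self, resolve, max_age=timedelta(minutes=5)):
        self.resolve = resolve
        self.max_age = max_age
        self.cache = {}      # ip -> (is_exit, fetched_at)
        self.lookups = 0     # how many real resolver calls were made

    def is_exit(self, ip, now):
        hit = self.cache.get(ip)
        if hit and now - hit[1] < self.max_age:
            return hit[0]
        self.lookups += 1
        answer = self.resolve(dnsel_query_name(ip))
        is_exit = answer is not None and answer[0] == "127.0.0.2"
        self.cache[ip] = (is_exit, now)
        return is_exit


def demo():
    """Run both checks over the constructed data and return the findings."""
    t0 = datetime(2017, 2, 10, 13, 0)
    from_consensus = consensus_exit_ips(SAMPLE_CONSENSUS)
    checker = ExitChecker(fake_resolve, max_age=timedelta(minutes=5))
    first = checker.is_exit("203.0.113.9", t0)                          # resolver call
    cached = checker.is_exit("203.0.113.9", t0 + timedelta(minutes=1))  # served from cache
    refreshed = checker.is_exit("203.0.113.9", t0 + timedelta(minutes=10))  # re-asked
    return {
        "consensus_exits": from_consensus,
        "outbound_ip_in_consensus": "203.0.113.9" in from_consensus,
        "outbound_ip_per_dnsel": first and cached and refreshed,
        "non_exit": checker.is_exit("192.0.2.50", t0),
        "lookups": checker.lookups,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `ExitChecker` is the one Andrew raises: the TTL in the answer is advice, not a contract, so a blocker that wants fresher data can simply re-query on its own schedule. The consensus half shows why that alone is not enough: a list built from `r` lines can only ever contain ORPort addresses.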