
Re: [tor-relays] Reaching out to webiron



> On 10 Feb 2017, at 13:13, Andrew Deason <adeason@xxxxxxxx> wrote:
> 
>>> From my current conversation with them, they are aware of at least some
>>> suggested ways of blocking tor entirely, but claim some issues with
>>> doing so. (Something having to do with exit node IPs changing too
>>> frequently, making the existing methods useless.)
>>> 
>>> I am not sure if there are real technical limitations, or there is just
>>> a misunderstanding. Since I don't work with the technical details of tor
>>> in and out every day, I'm a little hesitant to be arguing with them
>>> about the various technical details, since I might get something wrong.
>>> 
>>> And of course, if there _are_ actual problems with the mechanisms of tor
>>> blacklisting, I can't do anything about it myself, and we have to play
>>> "telephone" with me reporting some issue second-hand or whatever.
>> 
>> They are probably using the wrong list, there are reliable lists
>> maintained by Tor, as far as I know.
> 
> As far as I can tell, the specific complaint here was that TorDNSEL
> caches results for 30 minutes; I can see the results indeed give a TTL
> of 30 minutes. You can just ignore the TTL though, but maybe they were
> also (allegedly) seeing the information itself be 30 minutes stale. I
> don't know.
> 
> Anyway, so the claim (I think) is that the TorDNSEL data would be out of
> date, and they would block based on that, so they would be missing some.
> Attackers would then try running their exploit repeatedly until they
> found an exit that works; and since (they claim) tor exit IPs change so
> frequently, this would always be a problem. (Even if all of this were
> true, how this is any better at all from having individual exits block
> the target ranges via ExitPolicy from their automated reports is beyond
> me.)
> 
> It also seems like a service like theirs wouldn't be using TorDNSEL, but
> instead maybe doing something parsed from consensus itself, but that's
> just me.

Consensuses only come out every hour, and almost all tor clients wait
at least another hour before downloading them, so they have a head
start.

But no wonder they are having trouble if they are just using the
consensus: it only contains ORPort/DirPort IP addresses.

And Exits are free to use another IP as their OutboundBindAddress, so
some of the Tor exit lists check by actually making a connection
through the Exit.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------




_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
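Added example, not part of the original message or of any Tor project code: a sketch of the point made in the reply above, that a blocklist derived only from consensus OR addresses misses an exit whose traffic leaves from a different OutboundBindAddress, while a measured exit list records it. The fingerprints, relay names and addresses are constructed, and the parsers assume the consensus "r"/"s" line layout and the ExitNode/ExitAddress exit-list layout.

```python
import base64

# Constructed sample data: made-up fingerprints, documentation IP ranges.
FP_A, FP_B = "AA" * 20, "BB" * 20
def b64_id(fp_hex):  # consensus "r" lines carry the identity as unpadded base64
    return base64.b64encode(bytes.fromhex(fp_hex)).decode().rstrip("=")

CONSENSUS = "\n".join([
    f"r relayA {b64_id(FP_A)} digestA 2017-02-10 01:00:00 192.0.2.10 9001 0",
    "s Exit Fast Running Valid",
    f"r relayB {b64_id(FP_B)} digestB 2017-02-10 01:00:00 192.0.2.20 443 80",
    "s Exit Running Valid",
    f"r relayC {b64_id('CC' * 20)} digestC 2017-02-10 01:00:00 192.0.2.30 9001 0",
    "s Fast Guard Running Valid",   # not an exit: must not be listed
])

EXIT_ADDRESSES = f"""\
ExitNode {FP_A}
Published 2017-02-10 00:30:00
ExitAddress 192.0.2.10 2017-02-10 01:20:00
ExitNode {FP_B}
Published 2017-02-10 00:30:00
ExitAddress 198.51.100.7 2017-02-10 01:25:00
"""

def consensus_exit_ips(text):
    """OR addresses of relays carrying the Exit flag, as {fingerprint: ip}."""
    out, current = {}, None
    for f in map(str.split, text.splitlines()):
        if f and f[0] == "r":   # IP is third from last: ... IP ORPort DirPort
            current = (base64.b64decode(f[2] + "=" * (-len(f[2]) % 4)).hex().upper(), f[-3])
        elif f and f[0] == "s" and current and "Exit" in f[1:]:
            out[current[0]] = current[1]
    return out

def measured_exit_ips(text):
    """Addresses observed by connecting through each exit, as {fingerprint: {ip}}."""
    out, fp = {}, None
    for f in map(str.split, text.splitlines()):
        if f and f[0] == "ExitNode":
            fp = f[1]
        elif f and f[0] == "ExitAddress" and fp:
            out.setdefault(fp, set()).add(f[1])
    return out

def missed_by_consensus(consensus, exit_list):
    """Measured exit IPs that an OR-address-only blocklist would not contain."""
    measured = set().union(*measured_exit_ips(exit_list).values())
    return sorted(measured - set(consensus_exit_ips(consensus).values()))
```

With the constructed data, `missed_by_consensus(CONSENSUS, EXIT_ADDRESSES)` returns relayB's outbound address, which appears nowhere in the consensus.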