Re: Tor and NNTP

2006-11-05 Thread Matt Ghali

On Fri, 3 Nov 2006, Aioe wrote:

> In order to avoid SYN DDOS and floods, my server accepts only a determinate
> number of daily connections and bytes per IP. Trespassers are banned for a
> day. While a single (end) proxy serves a single client, the total activity
> generated on my host by that tor router usually remains under this limit.
> When more than one client uses the same proxy, often that tor router exceeds
> those values because the barrier is calibrated assuming a single client per
> IP. Every IP can also post only 25 messages per day, which is a reasonable
> limit for a single client but it isn't enough when multiple users share the
> same IP.


There is a fundamental flaw in this assumption that will cause you
problems with a much larger user set than just tor users. Your
assumption of a 1:1 mapping of users to IP addresses also breaks for
populations behind NAT. Sometimes entire organizations or networks
appear to the public internet as a single set of proxy/NAT
addresses, and your accounting method breaks for this set as well.

While explicitly permitting Tor routers is a step in the right
direction, you're going to run into the same problems with NATed
users, and that will be a tougher nut to crack.


good luck,
matto

[EMAIL PROTECTED]darwin
  Moral indignation is a technique to endow the idiot with dignity.
- Marshall McLuhan


Re: Tor and NNTP

2006-11-03 Thread Fabian Keil
Aioe [EMAIL PROTECTED] wrote:

> I need a (server side) way to separate the tor users from the other
> ones: is this possible?
> I'm supposing to set up a hidden service which redirects all tor users
> to a non default *local* NNTP port in order to treat them differently
> from the other clients. In this way, when the tor users access the
> server from the main DNS system (as nntp.aioe.org) they're still
> subjected to the standard rules that are applied to all clients, but when
> they use the .onion domain a different (less restrictive) policy can be
> applied to them. Is this the right way?

As this still relies on the users to get active and change their
settings, it's probably a good idea to combine it with a Tor node that
allows (only) exits to your NNTP port.

This way Tor clients of lazy users should automatically pick
your node as exit and you can detect these requests on their
IP addresses as well. If I remember correctly this only works
from the second connection on, but I assume most of your users
use the first connection to fetch new articles anyway, therefore
this shouldn't be a problem.

Fabian
-- 
http://www.fabiankeil.de/


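The two replies above make one point between them: a per-IP daily budget assumes one client per address, and it breaks whenever an address is shared (a Tor exit, a NAT gateway), while routing Tor users to a separate hidden-service port or recognising your own exit node's address lets the server apply a different policy to those connections. The following is an added example written for this thread; it is not code from the aioe.org server or from either poster. The 25 posts/day limit is the figure quoted in the thread; the addresses, the local port 1119, the "expected clients per shared address" multiplier and the set of known shared addresses are all constructed.

```python
"""Per-IP daily post quota, and how a shared-address policy changes the outcome.

Added example for the thread above, not the NNTP server's own code.
Only the 25 posts/day limit comes from the thread; everything else is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

STANDARD_NNTP_PORT = 119     # public port reached through the DNS name
HIDDEN_SERVICE_PORT = 1119   # constructed: local port the .onion address maps to
DAILY_POST_LIMIT = 25        # per-IP figure quoted in the thread

# Constructed: addresses the operator knows are shared by many clients,
# e.g. the address of an exit node that only exits to the NNTP port.
KNOWN_SHARED_ADDRESSES = {"198.51.100.7"}


@dataclass(frozen=True)
class Policy:
    key: str          # accounting bucket the post is charged to
    post_limit: int   # posts allowed per day in that bucket


def select_policy(src_ip: str, dst_port: int, expected_clients: int = 10) -> Policy:
    """Pick the accounting bucket and limit for one connection.

    Connections arriving on the hidden-service port, or from an address the
    operator knows is shared, are treated as an aggregate of many clients:
    one bucket per address, but a budget scaled by expected_clients
    (a constructed tuning knob). Everything else keeps the strict 1:1 policy.
    """
    if dst_port == HIDDEN_SERVICE_PORT or src_ip in KNOWN_SHARED_ADDRESSES:
        return Policy(key=f"shared:{src_ip}",
                      post_limit=DAILY_POST_LIMIT * expected_clients)
    return Policy(key=f"ip:{src_ip}", post_limit=DAILY_POST_LIMIT)


class PostQuota:
    """Daily post counters keyed by policy bucket (reset once a day in practice)."""

    def __init__(self) -> None:
        self.counts = defaultdict(int)

    def allow_post(self, policy: Policy) -> bool:
        if self.counts[policy.key] >= policy.post_limit:
            return False
        self.counts[policy.key] += 1
        return True


def simulate(clients_behind_ip: int, posts_each: int, src_ip: str,
             dst_port: int, shared_aware: bool) -> int:
    """Count rejected posts when several clients post from one source address.

    shared_aware=False models the original per-IP accounting; True applies
    select_policy(). Returns the number of posts the server would refuse.
    """
    quota = PostQuota()
    rejected = 0
    for _ in range(clients_behind_ip):
        for _ in range(posts_each):
            if shared_aware:
                policy = select_policy(src_ip, dst_port)
            else:
                policy = Policy(key=f"ip:{src_ip}", post_limit=DAILY_POST_LIMIT)
            if not quota.allow_post(policy):
                rejected += 1
    return rejected


if __name__ == "__main__":
    # Constructed scenario: 5 clients, 10 posts each, behind one address.
    print("naive per-IP, public port:",
          simulate(5, 10, "203.0.113.5", STANDARD_NNTP_PORT, False))
    print("shared-aware, hidden-service port:",
          simulate(5, 10, "203.0.113.5", HIDDEN_SERVICE_PORT, True))
    print("shared-aware, unknown address on public port:",
          simulate(5, 10, "203.0.113.5", STANDARD_NNTP_PORT, True))
    print("shared-aware, known exit address on public port:",
          simulate(5, 10, "198.51.100.7", STANDARD_NNTP_PORT, True))
```

The third case is the caveat Fabian raises: a user who keeps connecting over the public port from an exit the server does not recognise is still held to the single-client budget, so the hidden-service route only helps users who change their settings, and listing your own exit node's address covers the rest. The aggregate bucket is still one shared budget, so the NAT populations Matt describes are only helped if their gateway addresses are added to the shared set, and one client behind a shared address can still use up the budget for everyone behind it.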