>Message: 1
>Date: Thu, 2 May 2013 20:45:36 +0200
>From: Andreas Krey <[email protected]>
>To: [email protected]
>Subject: Re: [tor-talk] torslap!

>>On Thu, 02 May 2013 13:19:59 +0000, Lucia Liljegren wrote:
>>...
>>Because these "not attackers" are guessing addresses they tend to hit my
>>404 page which is dynamic and does some checks. When I detect an IP doing
>>this sort of stuff, I use Cloudflare's API and ban the IP 7 days.

>You mean, when I set up a bit of link farming, you will block Googlebot? :-)

Oh you silly billy. :-) Everyone knows it's trivially easy to block one link farmer without blocking Google. If I detected you doing rapid or voracious scraping I would block you. If your range was identifiable, I might block you permanently. This would not affect Googlebot.

>>...
>>What's the proposal under Torslap? I check the IP that's fingerprinting,
>>and if it's TOR, I make it pass a "proof of work", and then let it
>>continue to scan? That can't be what you are suggesting. So what are you
>>suggesting?

>The proof of work would be bound to a login, not an IP. The idea being
>that one is only allowed to put content (aka 'comment') when such a
>proof exists, and the proof would be declared invalid if the account
>is being found spamming.

I'm not grokking this. If your IP was voraciously scraping, attempting RFI attacks, fingerprinting or doing any of these similarly hostile to my server, I would block IP = 123.123.123.123 for that reason. Even if someone else shared 123.123.123.123, that IP is not going to get sufficiently near my server for me to check the login. That IP will be blocked.

This has nothing to do with "spam". It has to do with all the resource sucking behavior the previous person described and explained were not attacks. I don't see how this torslap applied to logins addresses this sort of misbehavior. It seems to me Tor will still be blocked for these sorts of things.

As far as I can see, Torslap has been proposed based on the notion that the only or at least main problem is spam. Spam can be and likely is a problem.
But the main problem I've witnessed with Tor has been scraping/fingerprinting/vulnerability scanning and all the things that have been called "not attacks" in the previous comment.

>Apparently there are way too few exit nodes (especially fast ones
>that get selected often).

If you mean the low number of exit nodes means that when I ban one IP I may ban a large fraction of potential Tor traffic, that's possible. But very little of that Tor traffic is people coming to my blog. I read a paper -- now several years old -- that suggested more than half the traffic was involved in Tor tunnels used to exchange BitTorrent traffic. That's most likely involved in copyright violations. Whether or not it is, my blocking that doesn't affect those who wish to use Tor for BitTorrent. Of the remaining portion, most was stuff like "search" or "social networks". Very little was visiting blogs.

Given that most Tor traffic that hits my blog seems to be these "not attacks", I think my blocking Tor will inconvenience only a very small number of Tor users whose traffic I would find desirable. In general, unless an awfully large fraction of Tor is doing bad things, my 7 day ban will be invisible to most Torians.

>Is there a reason you block for several days? I don't see how that
>would help much. As opposed to not directly blocking but instead
>reversing source and destination address in packets coming from
>such IPs. :-)

Yes. I block for days because blocking for hours is insufficient to solve the problem. The script-kiddie programs the script to come back and it likely will as soon as an IP is blocked. Even if the script-kiddie isn't specifically interested in my blog, they still seem to write these things to behave like "The Terminator" from the movie.

I don't know why you think blocking won't "help much". I've implemented the solution and I find it works rather well at solving my problem.
I don't understand what precisely you are proposing by this "not directly blocking but instead reversing source and destination address in packets coming from such IPs. :-)", nor what the smiley is intended to convey in that statement. Nor do I know why you think this operation would help solve the problem of scraping/hacking more or better than blocking the IPs at Cloudflare. Words might help clarify this in a way that a smile cannot.

As it happens: when I block an IP at Cloudflare, the packets don't arrive at my server. I can't reverse packets and send them back. Blocking the IP that has been sucking my server resources in these pesky "not attacks" is quick, simple and it prevents bots from crashing my server as a result of their "not attack" behaviors.

If you think there is a method that would work better, perhaps you could describe in words what you think ought to be done in nuts and bolts terms and then explain why you think it would help prevent entities that are doing rapid fire scraping, submitting RFI attempts, trying to hunt for vulnerabilities and so on from wreaking havoc on a server. Because the smiley may seem friendly, but it really doesn't clarify the otherwise rather vague suggestion.

Lucia
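
An added example, not part of the message above and not the poster's own code: a sliding-window 404 detector with timed bans, replayed over constructed events to show a scanner that returns after two hours being stopped by a 7-day ban but not by a 1-hour one. The window, the threshold and all names are assumptions (the thread gives only the 7-day ban length), and pushing the ban to an edge provider is left out.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; the thread states only the 7-day ban length.
WINDOW = timedelta(seconds=60)
MAX_404 = 5
BAN_LENGTH = timedelta(days=7)


class NotFoundBanList:
    """Ban an IP once it produces too many 404s inside a sliding window."""

    def __init__(self, window=WINDOW, max_404=MAX_404, ban_length=BAN_LENGTH):
        self.window, self.max_404, self.ban_length = window, max_404, ban_length
        self.hits = defaultdict(deque)   # ip -> timestamps of recent 404s
        self.banned_until = {}           # ip -> ban expiry

    def observe(self, ts, ip, status):
        """Return 'blocked', 'banned' (ban starts now) or 'allowed'."""
        until = self.banned_until.get(ip)
        if until is not None and ts < until:
            return "blocked"             # request never reaches the origin
        if status != 404:
            return "allowed"
        recent = self.hits[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:
            recent.popleft()             # forget 404s older than the window
        if len(recent) >= self.max_404:
            self.banned_until[ip] = ts + self.ban_length
            recent.clear()
            return "banned"
        return "allowed"


def sample_events():
    """Constructed events (time, ip, status); IPs are documentation ranges."""
    t0 = datetime(2013, 5, 2, 12, 0, 0)
    ev = [(t0 + timedelta(seconds=i), "203.0.113.7", 404) for i in range(5)]
    ev.append((t0 + timedelta(seconds=10), "198.51.100.20", 404))  # one mistyped URL
    ev.append((t0 + timedelta(seconds=11), "198.51.100.20", 200))
    ev.append((t0 + timedelta(hours=2), "203.0.113.7", 404))   # script returns
    ev.append((t0 + timedelta(days=8), "203.0.113.7", 200))    # ban has lapsed
    return ev


def replay(events, **settings):
    banlist = NotFoundBanList(**settings)
    return [banlist.observe(*event) for event in events]


if __name__ == "__main__":
    print(replay(sample_events()))
    print(replay(sample_events(), ban_length=timedelta(hours=1)))
```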
