undefined | Better HN

0 pointsthaumaturgy5y ago0 comments

The packet signature thing is maybe sort of interesting, but it's not hard to block Tor exit nodes; Tor themselves makes this easy:

    #!/bin/bash
    addresses=$(curl -s https://check.torproject.org/torbulkexitlist?ip=<your-server's-ip> | sed '/^#/d')

    if [ -n "$addresses" ]; then
        /sbin/ipset flush tor
        echo "$addresses" | while read address; do
            /sbin/ipset -q -A tor "$address"
        done
    fi

Add that to a cron job and your form abuse traffic falls off a cliff.

0 comments

EE84M3i5y ago

If you feel it necessary to block Tor nodes in some way, I think it's better to only block non-safe methods.

Personally, I don't do it, but I understand why it's appealing. I see it as a personal decision (its your website after all) and not morally wrong as some see it.

I once talked to someone working security for a Canadian government agency. They considered it against their charter and/or illegal to block tor nodes, because it could be blocking legitimate access for Canadian citizens potentially in distress, much to the chagrin of their downstream customers (other agencies). I thought that was pretty interesting.

gpm5y ago

I think there are also some Canadian court cases protecting the right to speak anonymously over the internet. It's an area where I think our government is going a pretty decent job (as governments interacting with new fangled technologies go)

EE84M3i5y ago

Yeah, I don't remember the exact reason they didn't consider it a possibility, but I seem to remember the guy saying it would save him a headache but it wasn't in the cards and that they had to explicitly configure some solution they were using (perhaps cloudflare?) to not DoS the traffic.

thaumaturgyOP5y ago

Yeah. I'm sympathetic towards the Tor project in general, but it's also a huge source of nuisances and almost 0% legitimate traffic (in my case). As a beleaguered one-man sysadmin who also wears a full-time dev hat, I just don't have the resources available to build out a more clever rule-based filter for Tor traffic. This approach took me all of about 10 minutes to figure out and deploy across my little network of servers, and it made an entire stream of daily emails disappear immediately.

If I were fortunate enough to be part of a larger team, I'd advocate for exactly what you're suggesting.

EE84M3i5y ago

I was thinking that Apache / Nginx blocking based on IP match and HTTP method is likely approximately equivalent complexity.

Also CDNs generally offer this if you use one.

1 more reply

cryo5y ago

The article also mentions banning ip ranges and it's disadvantages. The described detection of Tor traffic seems to be more bullet proof and performant.

Hopefully the Tor devs consider the proposed enhancements to make the traffic less vulnerable to identification. As he already digged into the source code, maybe it's easier when he submits a PR for a higher chance to fix the issue.

ColanR5y ago

I believe the article mentions that, but also notes your method works for low-traffic situations. The 0day is a high-performance alternative.

thaumaturgyOP5y ago

ipset is very fast (http://web.archive.org/web/20160514091316/http://daemonkeepe...).

The author's approach requires examining a certificate to see if it matches a pattern that may or may not change in the future.

j / k navigate · click thread line to collapse

0 comments

EE84M3i5y ago

If you feel it necessary to block Tor nodes in some way, I think it's better to only block non-safe methods.

Personally, I don't do it, but I understand why it's appealing. I see it as a personal decision (its your website after all) and not morally wrong as some see it.

gpm5y ago

EE84M3i5y ago

thaumaturgyOP5y ago

If I were fortunate enough to be part of a larger team, I'd advocate for exactly what you're suggesting.

EE84M3i5y ago

I was thinking that Apache / Nginx blocking based on IP match and HTTP method is likely approximately equivalent complexity.

Also CDNs generally offer this if you use one.

1 more reply

cryo5y ago

The article also mentions banning ip ranges and it's disadvantages. The described detection of Tor traffic seems to be more bullet proof and performant.

ColanR5y ago

I believe the article mentions that, but also notes your method works for low-traffic situations. The 0day is a high-performance alternative.

thaumaturgyOP5y ago

ipset is very fast (http://web.archive.org/web/20160514091316/http://daemonkeepe...).

The author's approach requires examining a certificate to see if it matches a pattern that may or may not change in the future.

j / k navigate · click thread line to collapse