Version 3 (modified by gk, 3 years ago) (diff)


CDN and Tor Exit Node blocking

  • summary of usenix security 2017 paper (88% of Tor exits are blacklisted on one or more of the blacklists out there, more conservative exit policies do not help; ian and rob can't share the latter experience though)
  • rate limit on Tor exits to avoid exit node blocking? (on an exit node level or a circuit level)
  • getting relationships set up with major CDNs (Cloudflare, Akamai, Amazon etc.) would be useful
  • not just CDNs are a problem but commercial IP blacklist services as well; and they often include not only exit nodes but all nodes
  • do we know what causes blocking? project honeypot used as data source for what to block
  • not reasonable that CDNs just accept Tor traffic outright; PoW for exit node rotation? cloudflare CAPTCHA bypass extension?
  • do we need more data about exit blocking to make good arguments? <-- YES!
  • doing IP reputation-based blocking in general is much more problematic than just Tor exit node blocking: but Facebook has IP reputation-based blocking having a script that takes Tor exit nodes from that list
  • it seems it is more a non-technical problem we need to solve (even though technical means could aid in that)
  • one big difference between Akamai and Cloudflare is their business model (Akamai has big contracts but Cloudflare is many small customers) which needs to be taken into account when designing solutions
  • tor-in-a-box for CDNs that would implement rate-limiting to prevent scraping etc.: endpoint being an .onion service could differentiate between circuits <- circuit-based IP reputation
  • help with getting the tor-in-the-box solution operated (good contacts needed!) including convincing arguments why they should deploy that
  • clearnet tor connections -> 302 to the .onion one is running and then all the reputation circuit-based or whatever is getting applied (circuitID in TCP option for instance)
  • activism angle (scorecard about good and bad CDNs)