Re: TOR Blocked at Universities
On 2/12/10, Michael Holstein wrote:
> >> Could you bind your exit traffic to IPs outside your University's
> >> primary block?
>
> Not sure what you mean by "bind to outside IP", but our network is a
> contiguous /16. We would have to register for extra /24s from ARIN, and
> that costs money.

Not necessarily. Ask about getting an address block from your ISP - it might be included in your contract.

Regards,
Lee

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
Re: TOR Blocked at Universities
On Feb 12, 2010, at 5:27 PM, Michael Holstein wrote:
>> Why not simply block that entire network in the Exit policy?
>
> You're missing the point .. we already blocked our *own* /16 in the exit.
> The problem was the thousands of academic journals, all of which have
> distinct addresses, that consider any traffic from our /16 as being "on
> campus" and thus not needing of authentication. As the exit node resided
> with that /16, any traffic sourced from it would appear to be "on campus"
> from the perspective of the other entity.

Indeed, I missed the point entirely. My apologies. I somehow thought people from the outside were accessing resources within your university.

Sebastian
Re: TOR Blocked at Universities
> Why not simply block that entire network in the Exit policy?

You're missing the point .. we already blocked our *own* /16 in the exit. The problem was the thousands of academic journals, all of which have distinct addresses, that consider any traffic from our /16 as being "on campus" and thus not needing of authentication. As the exit node resided with that /16, any traffic sourced from it would appear to be "on campus" from the perspective of the other entity.

I could have:

a) created an exit policy thousands of lines long prohibiting a.b.c.d/32:* for each of them
b) used iptables to do the same thing, but that would not make the prohibition known to clients and break things.
c) used entries in /etc/hosts to accomplish the same things as "b)" with the same results.

We found that since the list of exit nodes is known, people would actively seek those that ended in .edu and try to rape the journals with them .. downloading entire issues of various scientific journals (this happens on-campus too from misguided students, but that's easier to track down).

If the network spec could easily handle any number of exit nodes, each with a policy of unlimited length .. this wouldn't be a problem (other than the ongoing maintenance headache). Likewise, if we had a few /24s to stick stuff like this into that were outside the primary /16 we could make it work .. but IP space is getting harder to come by, and it's hard to justify additional allocations when you already have a class B (plus, it costs money).

Before anyone tells me it's "broken" to authenticate just by IP address .. I already know that .. but that's how most of the academic publishers do it at the moment.

For the record, the DMCA complaints, subpoenas, and various angry phone calls were never a problem. It was the theft of academic journals (and that doing so jeopardized our subscriptions) that did it in.

Cheers,

Michael Holstein
Cleveland State University
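An added illustration of the exit-policy trade-off Michael describes above (option "a)") and of Roger's coarser "reject *:80" suggestion elsewhere in the thread. This is example code written for this page, not anything from the thread or from the Tor project; it uses a constructed campus /16 (10.77.0.0/16) and constructed publisher addresses, and it models Tor's first-match ExitPolicy evaluation in simplified form, merging adjacent /32 rejects with ipaddress.collapse_addresses so the policy needs fewer lines than one per host:

```python
"""Exit-policy sketch for an exit that sits inside an address block which
publishers treat as 'on campus'. Example code for this page, not from Tor;
Tor's policy semantics are modelled here in simplified form (first match wins)."""
import ipaddress

# Constructed sample values, not the thread's real addresses.
CAMPUS_NET = ipaddress.ip_network("10.77.0.0/16")
PUBLISHER_HOSTS = [                      # hosts that whitelist CAMPUS_NET by IP
    "198.51.100.16", "198.51.100.17",    # four adjacent /32s collapse to a /30
    "198.51.100.18", "198.51.100.19",
    "203.0.113.7",
]


def build_exit_policy(campus_net, publisher_hosts, block_web=False):
    """Ordered rules: own /16 first, then merged publisher prefixes, then the
    optional coarse 'reject *:80', then the catch-all accept."""
    rules = [f"reject {campus_net}:*"]
    hosts = [ipaddress.ip_network(h) for h in publisher_hosts]
    for net in ipaddress.collapse_addresses(hosts):   # fewer lines than 1 per /32
        rules.append(f"reject {net}:*")
    if block_web:
        rules.append("reject *:80")
    rules.append("accept *:*")
    return rules


def torrc_lines(rules):
    """One ExitPolicy line per rule, in the order they will be evaluated."""
    return [f"ExitPolicy {rule}" for rule in rules]


def exit_allows(rules, dst_ip, dst_port):
    """Simplified evaluator: 'accept|reject ADDR[/LEN]:PORT', first match wins."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        verdict, target = rule.split(" ", 1)
        addr, port = target.rsplit(":", 1)
        ip_match = addr == "*" or ip in ipaddress.ip_network(addr, strict=False)
        port_match = port == "*" or int(port) == dst_port
        if ip_match and port_match:
            return verdict == "accept"
    return False  # only reached if the policy lacks a final catch-all


if __name__ == "__main__":
    for line in torrc_lines(build_exit_policy(CAMPUS_NET, PUBLISHER_HOSTS)):
        print(line)
```

With a real publisher list the collapsed prefix count is the number to compare against the "thousands of lines" Michael was warned about; if it is still large, the *:80 or separate-address options are the remaining choices.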
Re: TOR Blocked at Universities
On Feb 12, 2010, at 3:42 PM, Michael Holstein wrote:
>> Could you bind your exit traffic to IPs outside your University's
>> primary block?
>
> Not sure what you mean by "bind to outside IP", but our network is a
> contiguous /16. We would have to register for extra /24s from ARIN, and
> that costs money.
>
> Cheers,
>
> Michael Holstein
> Cleveland State University

Why not simply block that entire network in the Exit policy?
Re: TOR Blocked at Universities
> Could you bind your exit traffic to IPs outside your University's
> primary block?

Not sure what you mean by "bind to outside IP", but our network is a contiguous /16. We would have to register for extra /24s from ARIN, and that costs money.

Cheers,

Michael Holstein
Cleveland State University
Re: TOR Blocked at Universities
On 02/11/2010 05:58 PM, Peter Farver wrote:
> I meant clients for TOR were blocked. Yes, for all students and
> faculty. I believe the attacks were from the TOR exit nodes, but I
> will try to get more information from network administrators. I have
> not tried bridges yet, but maybe I will obtain a bridge to connect to
> test in the future.

Welcome to China or Burma. The public list of Tor relays is blocked, so they have to use non-public relays (bridges) to connect to Tor. This appears to be your situation as well.

If Auburn's network admins want to talk about their issues, I'm happy to talk to them.

I bet with a high probability that by blocking Tor exit nodes, the attacks didn't go away. Now they just originate from other IPs (zombie computers/botnets, open proxies, etc). Blocking tor clients outbound seems overkill to me.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
Re: TOR Blocked at Universities
On 11/02/2010 22:17, Michael Holstein wrote:
> .. but the above problem is ultimately what forced us to do the same
> thing (although we just prohibit the operation of an exit).

My university's department of computer sciences stopped an exit node because of both a) some DMCA notices for alleged copyright infringement; and b) the fact that it was not an official research project.

Jan
Re: TOR Blocked at Universities
>
> > Why couldn't your exit policy just block the IPs of the journal sites?
>
> Because there's > 1000 of them (and each would be a /32). It was
> discussed in another thread at the time, and the developers led me to
> the conclusion that such hugely long exit policies were a bad idea.

Could you bind your exit traffic to IPs outside your University's primary block?
Re: TOR Blocked at Universities
On Thu, Feb 11, 2010 at 04:20:49PM -0500, Flamsmark wrote:
> On 11 February 2010 16:17, Michael Holstein wrote:
>
> > Let's not debate the stupidity of authenticating a network by IP address
> > .. but the above problem is ultimately what forced us to do the same
> > thing (although we just prohibit the operation of an exit). I should
> > note that the original effort to run an exit was conducted by myself,
> > and I do network security here .. but it was the complaints from the
> > library folks that got us into hot water .. there simply wasn't an easy
> > way to block access to all of them without an overly-complex exit
> > policy, and all of our IP space is within a single /16.
>
> Why couldn't your exit policy just block the IPs of the journal sites?

Or more generally, just block *:80? It's not the best answer I could hope for, but it's sure better than not being an exit relay at all.

A more general approach would be to get a DMZ address, meaning somewhere in your university address space that hasn't been whitelisted by the libraries. That concept might not exist at your university though -- yet :).

--Roger
Re: TOR Blocked at Universities
I meant clients for TOR were blocked. Yes, for all students and faculty. I believe the attacks were from the TOR exit nodes, but I will try to get more information from network administrators. I have not tried bridges yet, but maybe I will obtain a bridge to connect to test in the future.

>>> coderman 02/11/10 2:06 PM >>>
On Thu, Feb 11, 2010 at 11:15 AM, Peter Farver wrote:
> TOR is now blocked campus-wide at Auburn University (for all 24,000 students)
> because of apparent attacks emanating from the TOR network.

can you elaborate on that? are these apparent attacks coming _from_ the Tor exits or are Tor clients being used to circumvent network policy, etc?

> Whenever trying to run TOR, TOR cannot get past the 10% mark.

do bridges work or is this identifying Tor client signature to filter?

best regards,
Re: TOR Blocked at Universities
> Why couldn't your exit policy just block the IPs of the journal sites?

Because there's > 1000 of them (and each would be a /32). It was discussed in another thread at the time, and the developers led me to the conclusion that such hugely long exit policies were a bad idea.

Cheers,

Michael Holstein
Cleveland State University
Re: TOR Blocked at Universities
On 11 February 2010 16:17, Michael Holstein wrote:
>
> Let's not debate the stupidity of authenticating a network by IP address
> .. but the above problem is ultimately what forced us to do the same
> thing (although we just prohibit the operation of an exit). I should
> note that the original effort to run an exit was conducted by myself,
> and I do network security here .. but it was the complaints from the
> library folks that got us into hot water .. there simply wasn't an easy
> way to block access to all of them without an overly-complex exit
> policy, and all of our IP space is within a single /16.

Why couldn't your exit policy just block the IPs of the journal sites?
Re: TOR Blocked at Universities
> TOR is now blocked campus-wide at Auburn University (for all 24,000 students)
> because of apparent attacks emanating from the TOR network.

If your problem is anything like the one we had, I'm guessing the "attacks" have more to do with the fact that many journal subscriptions authenticate by IP address, thus, if someone has their client configured to be an exit, people will readily find it and use it to download en masse from your very expensive journal memberships.

Let's not debate the stupidity of authenticating a network by IP address .. but the above problem is ultimately what forced us to do the same thing (although we just prohibit the operation of an exit). I should note that the original effort to run an exit was conducted by myself, and I do network security here .. but it was the complaints from the library folks that got us into hot water .. there simply wasn't an easy way to block access to all of them without an overly-complex exit policy, and all of our IP space is within a single /16.

Cheers,

Michael Holstein
Cleveland State University
Re: TOR Blocked at Universities
Hi Peter,

When you say blocked are you saying that faculty, staff, and students are not allowed to run exit nodes in the TOR network? Or rather that the above are not allowed to use TOR clients to connect into the TOR network?

Cheers,
Harry

On Thu, 2010-02-11 at 13:15 -0600, Peter Farver wrote:
> TOR is now blocked campus-wide at Auburn University (for all 24,000 students)
> because of apparent attacks emanating from the TOR network. Whenever trying
> to run TOR, TOR cannot get past the 10% mark. Would it have been wiser for
> Auburn University to block incoming connections from TOR nodes, but allow TOR
> outgoing connections? Does this break TOR if incoming connections are
> blocked yet outgoing are not?
Re: TOR Blocked at Universities
On Thu, Feb 11, 2010 at 11:15 AM, Peter Farver wrote:
> TOR is now blocked campus-wide at Auburn University (for all 24,000 students)
> because of apparent attacks emanating from the TOR network.

can you elaborate on that? are these apparent attacks coming _from_ the Tor exits or are Tor clients being used to circumvent network policy, etc?

> Whenever trying to run TOR, TOR cannot get past the 10% mark.

do bridges work or is this identifying Tor client signature to filter?

best regards,