Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 795aa1a196
Branches Tags
tor
/
doc
/
contrib
/
torbl-design.txt

torbl-design.txt 6.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. Design For A Tor RBL {DRAFT}
    2. 

  2. 

  3. Status:
    4. 

  4. 

  5.   This is a suggested design for a DNSBL for Tor exit nodes.  It hasn't been
    6. 

  6.   implemented.
    7. 

  7. 

  8. Why?
    9. 

  9. 

  10.   It's useful for third parties to be able to tell when a given connection
    11. 

  11.   is coming from a Tor exit node.  Potential applications range from
    12. 

  12.   "anonymous user" cloaks on IRC networks like oftc, to networks like
    13. 

  13.   Freenode that apply special authentication rules to users from these
    14. 

  14.   IPs, to systems like Wikipedia that may want to make a priority of
    15. 

  15.   _unblocking_ shared IPs more liberally than non-shared IPs, since shared
    16. 

  16.   IPs presumably have non-abusive users as well as abusive ones.
    17. 

  17. 

  18.   Since Tor provides exit policies, not every Tor server will connect to
    19. 

  19.   every address:port combination on the Internet.  Unless you're trying to
    20. 

  20.   penalize hosts for supporting anonymity, it makes more sense to answer
    21. 

  21.   the fine-grained question "which Tor servers will connect to _me_?" than
    22. 

  22.   the coarse-grained question "which Tor servers exist?"  The fine-grained
    23. 

  23.   approach also helps Tor server ops who share an IP with their Tor
    24. 

  24.   server: if they want to access a site that blocks Tor users, they
    25. 

  25.   can exclude that site from their exit policy, and the site can learn
    26. 

  26.   that they won't send it anonymous connections.
    27. 

  27. 

  28.   Tor already ships with a tool (the "contrib/exitlist" script) to
    29. 

  29.   identify which Tor nodes might open anonymous connections to any given
    30. 

  30.   exit address.  But this is a bit tricky to set up, so only sites like
    31. 

  31.   Freenode and OFTC that are dedicated to privacy use it.
    32. 

  32.   Conversely, providers of some DNSBL implementations are providing
    33. 

  33.   coarse-grained lists of Tor hosts -- sometimes even listing servers that
    34. 

  34.   permit no exit connections at all.  This is rather a problem, since
    35. 

  35.   support for DNSBL is pretty ubiquitous.
    36. 

  36. 

  37. 

  38. How?
    39. 

  39. 

  40.   Keep a running Tor instance, and parse the cached-routers and
    41. 

  41.   cached-routers.new files as new routers arrive.  To tell whether a given
    42. 

  42.   server allows connections to a certain address:port combo, look at the
    43. 

  43.   definitions in dir-spec.txt or follow the logic of the current exitlist
    44. 

  44.   script. If bug 405 is still open when you work on this
    45. 

  45.   (http://bugs.noreply.org/flyspray/index.php?do=details&id=405), you'll
    46. 

  46.   probably want to extend it to look at only the newest descriptor for
    47. 

  47.   each server, so you don't use obsolete exit policy data.
    48. 

  48. 

  49.   FetchUselessDescriptors would probably be a good torrc option to enable.
    50. 

  50. 

  51.   If you're also running a directory cache, you get extra-fresh
    52. 

  52.   information.
    53. 

  53. 

  54. 

  55. The DNS interface
    56. 

  56. 

  57.   DNSBL, if I understand right, looks like this:  There's some host at
    58. 

  58.   foo.example.com.  You want to know if 1.2.3.4 is in the list, so you
    59. 

  59.   query for an A record for 4.3.2.1.foo.example.com.  If the record
    60. 

  60.   exists, 1.2.3.4 is in the list.  If you get an NXDOMAIN error, 1.2.3.4
    61. 

  61.   is not in the list.
    62. 

  62. 

  63.   Assume that the DNSBL sits at some host, torhosts.example.com.  Below
    64. 

  64.   are some queries that could be supported, though some of them are
    65. 

  65.   possibly a bad idea.
    66. 

  66. 

  67. 

  68.   Query type 1: "General IP:Port"
    69. 

  69. 

  70.     Format:
    71. 

  71.         {IP1}.{port}.{IP2}.ip-port.torhosts.example.com
    72. 

  72. 

  73.     Rule:
    74. 

  74.         Iff {IP1} is a Tor server that permits connections to {port} on
    75. 

  75.         {IP2}, then there should be an A record.
    76. 

  76. 

  77.     Example:
    78. 

  78.         "1.0.0.10.80.4.3.2.1.ip-port.torhosts.example.com" should exist
    79. 

  79.         if and only if there is a Tor server at 10.0.0.1 that allows
    80. 

  80.         connections to port 80 on 1.2.3.4.
    81. 

  81. 

  82.     Example use:
    83. 

  83.         I'm running an IRC server at w.x.y.z:9999, and I want to tell
    84. 

  84.         whether an incoming connection is from a Tor server.  I set
    85. 

  85.         up my IRC server to give a special mask to any user coming from
    86. 

  86.         an IP listed in 9999.z.y.x.w.ip-port.torhosts.example.com.
    87. 

  87. 

  88.         Later, when I get a connection from a.b.c.d, my ircd looks up
    89. 

  89.         "d.c.b.a.9999.z.y.x.w.ip-port.torhosts.example.com" to see
    90. 

  90.         if it's a Tor server that allows connections to my ircd.
    91. 

  91. 

  92. 

  93.   Query type 2: "IP-port group"
    94. 

  94. 

  95.     Format:
    96. 

  96.         {IP}.{listname}.list.torhosts.example.com
    97. 

  97. 

  98.     Rule:
    99. 

  99.         Iff this Tor server is configured with an IP:Port list named
    100. 

  100.         {listname}, and {IP} is a Tor server that permits connections to
    101. 

  101.         any member of {listname}, then there exists an A record.
    102. 

  102. 

  103.     Example:
    104. 

  104.         Suppose torhosts.example.com has a list of IP:Port called "foo".
    105. 

  105.         There is an A record for 4.3.2.1.foo.list.torhosts.example.com
    106. 

  106.         if and only if 1.2.3.4 is a Tor server that permits connections
    107. 

  107.         to one of the addresses in list "foo".
    108. 

  108. 

  109.     Example use:
    110. 

  110.         Suppose torhosts.example.com has a list of hosts in "examplenet",
    111. 

  111.         a popular IRC network.  Rather than having them each set up to
    112. 

  112.         query the appropriate "ip-port" list, they could instead all be
    113. 

  113.         set to query a central examplenet.list.torhosts.example.com.
    114. 

  114. 

  115.     Problems:
    116. 

  116.         We'd be better off if each individual server queried about hosts
    117. 

  117.         that allowed connections to itself.  That way, if I wanted to
    118. 

  118.         allow anonymous connections to foonet, but I wanted to be able to
    119. 

  119.         connect to foonet from my own IP without being marked, I could add
    120. 

  120.         just a few foonet addresses to my exit policy.
    121. 

  121. 

  122. 

  123.   Query type 3: "My IP, with port"
    124. 

  124. 

  125.     Format:
    126. 

  126.         {IP}.{port}.me.torhosts.example.com
    127. 

  127. 

  128.     Rule:
    129. 

  129.         An A record exists iff there is a tor server at {IP} that permits
    130. 

  130.         connections to {port} on the host that requested the lookup.
    131. 

  131. 

  132.     Example:
    133. 

  133.         "4.3.2.1.80.me.torhosts.example.com" should have an A record if
    134. 

  134.         and only if there is a Tor server at 1.2.3.4 that allows
    135. 

  135.         connections to port 80 of the querying host.
    136. 

  136. 

  137.     Example use:
    138. 

  138.         Somebody wants to set up a quick-and-dirty Tor detector for a
    139. 

  139.         single webserver: just point them at 80.me.torhosts.example.com.
    140. 

  140. 

  141.     Problem:
    142. 

  142.         This would be easiest to use, but DNS gets in the way. If you
    143. 

  143.         create DNS records that give different results depending on who is
    144. 

  144.         asking, you mess up caching.  There could be a fix here, but might
    145. 

  145.         not.
    146. 

  146. 

  147. 

  148.   RECOMMENDATION: Just build ip-port for now, and see what demand is
    149. 

  149.   like.  There's no point in building mechanisms nobody wants.
    150. 

  150. 

  151. Web interface:
    152. 

  152. 

  153.   Should provide the same data as the dns interface.
    154. 

  154. 

  155. Other issues:
    156. 

  156. 

  157.   30-60 minutes is not an unreasonable TTL.
    158. 

  158. 

  159.   There could be some demand for address masks and port lists. Address
    160. 

  160.   masks wider than /8 make me nervous here, as do port ranges.
    161. 

  161. 

  162.   We need an answer for what to do about hosts which exit from different
    163. 

  163.   IPs than their advertised IP. One approach would be for the DNSBL
    164. 

  164.   to launch periodic requests to itself through all exit servers whose
    165. 

  165.   policies allow it -- and then see where the requests actually come from.
    166. 

  166.