[tor-talk] torslap!

Andreas Krey a.krey at gmx.de
Fri May 3 22:04:10 UTC 2013


On Fri, 03 May 2013 12:06:27 +0000, lucia at rankexploits.com wrote:
...
> >You mean, when I set up a bit of link farming, you will block Googlebot? :-)
> 
> Oh you silly billy. :-)  Everyone knows it's trivially easy to block one
> link farmer without blocking google. If I detected you doing rapid or
> voracious scraping I would block you.

I wouldn't touch your IP range a single time. I'd just set up a lot of
DNS to point there, and have lots of pages point to those domains. Then
the googlebot would try to fetch all the 404 pages, and get blocked.

...
> I'm not grokking this.

Obviously.

...
> I don't see how this torslap applied to logins addresses this sort of
> misbehavior.

It doesn't. It's designed for a different problem set.

...
> If you mean the low number of exit nodes means that when I ban one IP I
> may ban a large fraction of potential Tor traffic, that's possible. But
> very little of that Tor traffic is people coming to my blog. I read a
> paper -- now several years old -- that suggested more than half the
> traffic was involved in Tor tunnels used to exchange BitTorrent traffic.

Problem is, no one really can tell.

> >Is there a reason you block for several days? I don't see how that
> >would help much. As opposed to not directly blocking but instead
> >reversing source and destination address in packets coming from
> >such IPs. :-)
> 
> Yes. I block for days because blocking for hours is insufficient to solve
> the problem.  The script-kiddie programs the script to come back and it
> likely will as soon as an IP is blocked. Even if the script-kiddie isn't
> specifically interested in my blog, they still seem to write these things
> to behave like "The Terminator" from the movie.
> 
> I don't know why you think blocking won't "help much".

I spoke of the 'for days'. I don't see why blocking the script kiddie
again for an hour when he reappears wouldn't equally help.

...
> I don't understand what precisely you are proposing by this "not directly
> blocking but instead
> reversing source and destination address in packets coming from
> such IPs. :-)",  nor what the smilie is intended to convey in that
> statement.

Just think what would happen if you did. (I got that idea watching the
sustained and stupid ssh login attacks.)

...
> As it happens: when I block an IP at Cloudflare, the packets don't arrive
> at my server.  I can't reverse packets and send them back.  Blocking the
> IP that has been sucking my server resources in these pesky "not attacks"
> is quick, simple and it prevents bots from crashing my server as a result
> of their "not attack" behaviors.

Seriously, what kind of 404 page do you have that can't handle requests
at line speed?

...
> vulnerabilities and so on from wreaking havoc on a server.  Because the
> smiley may seem friendly, but it really doesn't clarify the otherwise
> rather vague suggestion.

No; if you can't figure out what's funny about the suggestion, I won't
go explain the joke (further).

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800

