08-05-2010, 08:59 PM   #30
sclitheroe
#1 Goaltender
 
Join Date: Sep 2005

I wonder if this would be a solution - since Tor is essentially a proxy, what would happen if ALL web traffic had to utilize a proxy at the ISP to access the web?

Since a browser can only use one proxy, would this effectively kill Tor? I haven’t looked into the client design enough - perhaps Tor clients know to relay requests to upstream proxies.

Edit: nope, not a solution: https://trac.torproject.org/projects...PorSOCKSproxy.

Edit #2:

I think the approach you need to begin with, and that would demonstrate due diligence to your customer, is to block access to the Tor Directory Servers. These are the authoritative servers that the Tor client uses to find available Tor routers. If the client can’t fetch this list, it can’t connect.

Presumably, a hardcore user could manually obtain the list from a mirror site; however, blocking access to the directory servers is a good first step. You could also build a script that would access these same directory servers and retrieve the list, and update your blocks for the actual Tor routers too. Schedule that to run hourly, and you’re going to be moving just as quickly to stamp out Tor activity as users will be able to find new Tor routers.

An important thing to keep in mind is that you don’t have to achieve a 100% technically airtight solution - if you can effectively block all of Tor every hour or so, via a combination of directory server and known Tor router IPs, you’ll make using Tor painful enough that people will find another approach.

And then the game starts again, but that’s another story...
__________________
-Scott

Last edited by sclitheroe; 08-05-2010 at 09:19 PM.
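The hourly refresh script suggested in the post above, sketched as an added example that is not part of the original post: it parses an already-downloaded router list and diffs it against the current block set. The `r`-line field layout, the `tor-relays` set name and the sample data are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample in the layout of a Tor network-status consensus.
# Addresses are from documentation ranges; nicknames and digests are made up.
SAMPLE_CONSENSUS = """\
network-status-version 3
valid-after 2010-08-05 20:00:00
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2010-08-05 19:12:03 192.0.2.10 9001 9030
s Fast Running Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2010-08-05 18:40:51 198.51.100.7 443 80
s Exit Running Valid
r broken EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2010-08-05 18:00:00 999.1.1.1 9001 0
r relayC GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2010-08-05 17:05:44 192.0.2.10 9002 0
"""


def relay_addresses(consensus_text):
    """Return the set of valid IPv4 relay addresses found on 'r' lines."""
    found = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        # Assumed layout: r nickname identity digest date time IP ORPort DirPort
        if len(fields) != 9 or fields[0] != "r":
            continue
        try:
            found.add(str(ipaddress.IPv4Address(fields[6])))
        except ipaddress.AddressValueError:
            continue  # skip malformed entries instead of blocking garbage
    return found


def plan_update(current_blocks, relays, set_name="tor-relays"):
    """Diff the existing block set against the fresh relay list.

    Returns ipset commands: additions first, then removals of stale entries,
    so addresses that stopped being relays are unblocked again.
    """
    key = ipaddress.IPv4Address  # numeric ordering, not string ordering
    add = [f"ipset add {set_name} {ip}" for ip in sorted(relays - current_blocks, key=key)]
    drop = [f"ipset del {set_name} {ip}" for ip in sorted(current_blocks - relays, key=key)]
    return add + drop


if __name__ == "__main__":
    blocked_last_hour = {"192.0.2.10", "203.0.113.99"}  # constructed prior state
    for cmd in plan_update(blocked_last_hour, relay_addresses(SAMPLE_CONSENSUS)):
        print(cmd)
```

Removing stale entries matters as much as adding new ones: relay addresses are often reassigned, and a block list that only grows ends up blocking unrelated hosts.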