Re: ietf.org unaccessible for Tor users

Alec Muffett <alecm@fb.com> Tue, 15 March 2016 13:21 UTC

From: Alec Muffett <alecm@fb.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Subject: Re: ietf.org unaccessible for Tor users
Date: Tue, 15 Mar 2016 13:20:59 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/mzh5xox0WGE4_KDeyJC0RpxTceY>
Cc: John R Levine <johnl@taugh.com>, IETF <ietf@ietf.org>

On Mar 15, 2016, at 13:05, Phillip Hallam-Baker <phill@hallambaker.com> wrote:

Hi Phillip!

Yes, I actually think it's more simple even than you describe:

Sln2: Can Cloudflare adjust their CAPTCHA scheme so that it only
queries users if an attack is actually in progress.

Question: Is this what they do already? Was the CAPTCHA showing up
because of a dumb blacklist or was it showing up because the IP was on
a blacklist AND that IP was currently performing a DDoS AND that DDoS
was aimed at ietf.org?

I suspect IETF use is atypical where Tor is concerned. Most sites
probably just want to shut Tor exit nodes out.

Cloudflare recently posted this:

https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-

Why might a Tor visitor be blocked or challenged?

Due to the behavior of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes may earn a bad reputation, elevating their CloudFlare threat score. Our basic protection level issues CAPTCHA-based challenges to visitors whose IP address has a high threat score, depending on the level chosen by the CloudFlare customer. The choices for security range from Essentially Off to I'm Under Attack. The default level is Medium.

What additional control do CloudFlare customers have over traffic from visitors using Tor?

Since late February 2016, CloudFlare treats Tor exit nodes as a "country" of their own. There's no geography associated with these IPs, but this approach lets CloudFlare customers override the default CloudFlare threat score to define the experience for their Tor visitors.

CloudFlare updates its list of Tor exit node IP addresses every 15 minutes.

Control is in the Access Rules section of the Firewall app.

If I read it/the rest of the post rightly, it appears that Cloudflare customers (IETF?) can nowadays flip a switch which whitelists Tor whilst still providing all the other protections that Cloudflare provide.

Basically it appears that all IETF need to do is decide whether people accessing the IETF website over Tor constitutes a threat, and modify control panel settings accordingly?

    -a