On 1 Sep 2015, at 07:45, Philipp Winter <phw@nymity.ch> wrote:

The harm caused by cloud-hosted relays is more difficult to quantify.
Getting rid of them also wouldn't mean getting rid of any attacks.  At
best, attackers would have to jump through more hoops.

If we were to decide to permanently reject cloud-hosted relays, we would
have to obtain the netblocks that are periodically published by all
three (and perhaps more) cloud providers:
<https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html>
<https://msdn.microsoft.com/en-us/library/azure/Dn175718.aspx>
<https://cloud.google.com/appengine/kb/general?hl=en#static-ip>

Note that this should be done periodically because the netblocks are
subject to change.

On 1 Sep 2015, at 08:58, nusenu <nusenu@openmailbox.org> wrote:

Should you decide to continue generally blacklisting entire ISPs/ASes/IP
ranges:

Please add that info (including the banned ISPs/ASes/IP ranges) to the
documentation (i.e. relay setup guides [4]) so volunteers don't waste
their time and money to set up blacklisted relays [5].

[4] https://www.torproject.org/getinvolved/relays.html.en
[5] https://lists.torproject.org/pipermail/tor-relays/2015-August/007655.html

If the blocked IP ranges are going to become numerous, and change frequently, why not create a tool that volunteer relay operators can use to check an IP address?

Tim (teor)
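
The kind of checking tool suggested in the last message, sketched as an added example (not part of the original thread and not Tor Project code). It assumes the JSON layout of AWS's published ip-ranges.json only; the function names are hypothetical and the sample prefixes are constructed from documentation ranges, not real AWS netblocks.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# Prefixes are documentation ranges (RFC 5737 / RFC 3849), not real AWS netblocks.
SAMPLE_AWS_JSON = """
{
  "syncToken": "0",
  "createDate": "2015-09-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1000::/40", "region": "us-east-1", "service": "EC2"}
  ]
}
"""


def load_aws_netblocks(text):
    """Parse an ip-ranges.json document into (network, region, service) tuples."""
    doc = json.loads(text)
    blocks = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            net = ipaddress.ip_network(entry[field], strict=False)
            blocks.append((net, entry.get("region", "?"), entry.get("service", "?")))
    return blocks


def check_address(addr, blocks):
    """Return netblocks containing addr, most specific first; ValueError if addr is invalid."""
    ip = ipaddress.ip_address(addr.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) must be compared as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    hits = [b for b in blocks if b[0].version == ip.version and ip in b[0]]
    return sorted(hits, key=lambda b: b[0].prefixlen, reverse=True)


if __name__ == "__main__":
    blocks = load_aws_netblocks(SAMPLE_AWS_JSON)
    for candidate in ("192.0.2.77", "198.51.100.200", "2001:db8:1000::1", "::ffff:192.0.2.1"):
        hits = check_address(candidate, blocks)
        verdict = ", ".join(f"{n} ({r}/{s})" for n, r, s in hits) or "not in any listed netblock"
        print(f"{candidate}: {verdict}")
```

Because the published netblocks change, the JSON would need to be re-fetched periodically rather than embedded as it is here.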