On 16 Nov 2017, at 00:38, Alec Muffett alec.muffett@gmail.com wrote:
I think it's important to point out that a Tor client is never guaranteed to hold a *definitive* consensus.
That's why I say "(mostly) definitive" in my text - my feeling is that a locally-held copy of the consensus to be queried is going to be on average of far higher quality, completeness, and non-stagnancy than something that one tries to scrape out of Onionoo every 15 minutes.
Please don't use a consensus or a tor client to check for exits for this purpose. It produces significant numbers of false negatives, because some exits use other IP addresses for their exit traffic.
Using Onionoo or TorDNSEL reduces your false negatives, because it pulls data from Exitmap to populate exit_addresses. (Tor clients do not pull data from Exitmap, and that data is not in the consensus.)
On 16 Nov 2017, at 03:03, Tom Ritter tom@ritter.vg wrote:
Detecting exit nodes is error prone, as you point out. Some exit nodes have their traffic exit a different address than their listening port.[1]
... [1] Hey does Exonerator handle these?
Exonerator uses data from Exitmap, which queries a service through each exit to discover the address(es) the exit uses to send client requests to websites.
The list is updated every 24 hours. So there's really no need to scrape OnionOO every 15 minutes.
but now we are discussing weird tor modules that communicate with the Tor daemon to decide whether to redirect clients, so it seems to me like an equally "special" Tor setup for sysadmins.
I can see how you would think that, and I would kind-of agree, but at least this would be local and cheap. Perhaps instead of a magic protocol, it should be a REST API that's embedded in the local Tor daemon? That would be a really, REALLY common pattern for an enterprise to query.
You can download the set of exit addresses every 24 hours, and write a small tool that implements a REST API to query it:
https://check.torproject.org/exit-addresses
In fact, you could even adapt the "check" service to your needs, if it doesn't do what you want already:
https://gitweb.torproject.org/check.git
Is this the kind of JSON reply you would want?
https://check.torproject.org/api/ip
{"IsTor":true,"IP":"176.10.104.243"}
Or for the interactive version, see:
https://check.torproject.org/cgi-bin/TorBulkExitList.py
(And if you supply a destination port, it's more accurate, because it checks exit policies as well.)
T
-- Tim / teor
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n
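The "download the exit list daily and put a small REST API in front of it" approach from the message above, as an added example that is not part of this thread and not the Tor Project's own check service. It parses the exit-addresses file format (ExitNode / Published / LastStatus / ExitAddress records) and answers in the shape of the `/api/ip` JSON reply quoted above. The sample list, its fingerprints and its addresses are constructed; the `?ip=` query parameter, the 48-hour staleness window and the listening port are assumptions made for this example.

```python
"""Added example: a minimal local exit-check API over the exit-addresses list.

https://check.torproject.org/exit-addresses is a sequence of records:

    ExitNode <fingerprint>
    Published <date> <time>
    LastStatus <date> <time>
    ExitAddress <ip> <date> <time>      (one or more per node)

The ExitAddress lines are the useful part: they are the addresses Exitmap saw
the relay use for outgoing traffic, which may differ from its consensus address.
"""
import ipaddress
import json
import urllib.request
from datetime import datetime, timedelta
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

EXIT_LIST_URL = "https://check.torproject.org/exit-addresses"

# Constructed sample in the exit-addresses format; fingerprints and addresses
# (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2017-11-15 10:00:00
LastStatus 2017-11-15 11:00:00
ExitAddress 192.0.2.10 2017-11-15 11:10:17
ExitAddress 192.0.2.11 2017-11-15 11:10:17
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2017-11-15 09:30:00
LastStatus 2017-11-15 11:00:00
ExitAddress 198.51.100.7 2017-11-15 11:12:03
"""


def parse_exit_list(text):
    """Map each ExitAddress IP to its relay fingerprint and last sighting.
    A node with several ExitAddress lines yields several entries."""
    exits = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif len(parts) == 4 and parts[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
            exits[parts[1]] = {"fingerprint": fingerprint, "seen": seen}
    return exits


def prune_stale(exits, now, max_age=timedelta(hours=48)):
    """Drop addresses not seen by Exitmap within max_age (48 h is an assumption;
    the list itself is refreshed about once a day)."""
    return {ip: rec for ip, rec in exits.items() if now - rec["seen"] <= max_age}


def query(exits, ip):
    """Reply shaped like https://check.torproject.org/api/ip.
    Raises ValueError when the input is not an IP address."""
    ip = str(ipaddress.ip_address(ip))  # canonicalise, reject garbage
    return {"IsTor": ip in exits, "IP": ip}


def fetch_exit_list(url=EXIT_LIST_URL):
    """Download the live list; run this from a daily job, not per query."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


class ExitCheckHandler(BaseHTTPRequestHandler):
    exits = {}  # populated by serve()

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/api/ip":
            self.send_error(404)
            return
        # ?ip= is an assumed parameter; without it, answer for the caller.
        ip = parse_qs(url.query).get("ip", [self.client_address[0]])[0]
        try:
            body = json.dumps(query(self.exits, ip)).encode()
        except ValueError:
            self.send_error(400, "not an IP address")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(exits, host="127.0.0.1", port=8080):
    ExitCheckHandler.exits = exits
    HTTPServer((host, port), ExitCheckHandler).serve_forever()


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_exit_list() for the
    # live list and reload it once a day.
    table = prune_stale(parse_exit_list(SAMPLE_EXIT_LIST), datetime(2017, 11, 16))
    print(query(table, "192.0.2.11"))  # {'IsTor': True, 'IP': '192.0.2.11'}
    serve(table)
```

Because the lookup keys are the ExitAddress values rather than consensus OR addresses, an exit that sends its traffic from a second IP is still matched; an entry whose Exitmap sighting is older than the window is dropped so a relay that has left the network does not keep flagging an address. As noted in the thread, this list does not take exit policies into account, so a match means "a Tor exit has used this address", not "Tor traffic to this port can come from it".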