Re: [security-discuss] gnuradio project DoS attacks GNU wget users


From: Mike Gerwitz
Subject: Re: [security-discuss] gnuradio project DoS attacks GNU wget users
Date: Sat, 04 Mar 2017 13:29:07 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

On Fri, Mar 03, 2017 at 00:43:15 +0100, Nomen Nescio wrote:
> Alfred M. Szmidt said:
>
>> I suggest you go and visit the actual GNU Radio page, which is fully
>> usable in Lynx for example.  You can also browse the manual directly
>> by building GNU radio.
>> 
>>   http://gnuradio.org/doc/doxygen/page_exploring_gnuradio.html
>
> You've obviously missed some posts.  This is what lynx looks like over
> Tor:
>
>   https://entp-tender-production.s3.amazonaws.com/assets/3e9d7001fcc0dae367198e8a815204317db43320/anki_nongui.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1800510383&Signature=0l1hqGIHAdagtNzBGUWJo7PldeM%3D

This is the CloudFlare CAPTCHA page.  Viewed in a graphical browser
without JS, you'd see a grid of images with checkboxes, would be asked
to choose a specific set of them (e.g. all the street signs), submit the
form, and then paste the provided token into the textarea below.

This is obviously very difficult to do without an actual graphical
browser, or at least a text-mode browser that supports images
(e.g. using a framebuffer, or using Emacs).

> That's a denial of service.

There also seems to be confusion around terminology that's aggravating
discussion.  "Denial of Service" (abbreviated DoS) has a very specific
meaning in computing, and refers to an attack on a network resource that
makes it unavailable to users requesting it.[0]

So, as Alfred mentioned in another part of this thread, this isn't
DoS---the server itself is doing this, not an attacker.

Despite how disagreeable this is, it's important to understand why and
how this is happening.  (Let me preface this with me saying that I
disagree fundamentally with centralizing chunks of the Web behind
CloudFlare, but that's orthogonal to this discussion.)

The problem with CloudFlare and Tor is a well-understood and
well-documented one that is under active discussion between the Tor
Project and CloudFlare.[1][2]

Exit nodes are blocked by CloudFlare based on heuristics.  If an exit
node is flagged for whatever reason (often due to high traffic), then
any user of that exit node is affected.  It's annoying, and it's a big
problem, but a non-trivial one to solve.  I deal with their CAPTCHAs
every single day.

But it is not denying access to any particular people or country.  It is
(primarily) a DDoS attack mitigation---one of the primary reasons
website owners use CloudFlare is for precisely this protection.  And
under most circumstances, this is desirable.

Consider the FSF's webserver.  Back in May of last year, they were hit
by a large DDoS attack peaking at 200Gbps.[3]  In a situation like this,
you have no choice but to start blacklisting.  So let's say IP X was
blacklisted because there was traffic coming from it that was slamming
the FSF's servers.  Let's also say that X was a Tor exit node (since
exit nodes are often used for attacks, unfortunately).  Let's say that
you, as a Tor user, were using exit node X.  You try to visit the FSF's
website and you're blocked.

Have you been discriminated against?  Denied service for unjust reasons?
No, you haven't.  It's completely justified.

Unfortunately, Tor, being what it is, is host to some malicious
traffic.[4]  Combined with the fact that there are far more Tor users
than exit nodes, Tor users will disproportionately be served
CAPTCHAs.  If you are driving down a highway on New Year's at midnight
and are stuck in a line of people being given tests for drunk driving,
you can't claim discrimination for being one of the people in that line
being questioned.

CloudFlare could do much better at deciding when to serve such CAPTCHAs,
but that's not entirely relevant for this discussion.

I don't like CloudFlare.  I don't think people should use CloudFlare.  I
use Tor for all of my Web traffic.  But my negative bias doesn't change
the facts of the matter.  If you are going to proxy your connections
through others' servers that others are also using, and by design you
cannot be distinguished from those others, then you will be treated as
part of that group.

So:

  - The page you are seeing is an attack mitigation from CloudFlare
    because the Tor exit node you were using was flagged (different exit
    nodes will give you different results);
  - "Denial of Service" means something else;[0] and
  - While there are innocent users caught in the line of fire, there is
    no discrimination against any particular people.


[0]: https://en.wikipedia.org/wiki/Denial-of-service_attack
[1]: https://trac.torproject.org/projects/tor/ticket/18361
[2]: https://github.com/cloudflare/challenge-bypass-specification
[3]: http://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/
[4]: https://blog.torproject.org/blog/trouble-cloudflare

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
Old: 2217 5B02 E626 BC98 D7C0  C2E5 F22B B815 8EE3 0EAB
https://mikegerwitz.com
