TorBlock extension causes collateral damage on shared IP addresses
Closed, Resolved | Public

Description

Author: gnu1742

Description:
The TorBlock-Extension identifies the IP 212.204.66.66 as a TOR-Exitnode and therefore blocks anonymous write access to de-wp. The DNS-Entry for this IP is

nslookup 212.204.66.66

Non-authoritative answer:
66.66.204.212.in-addr.arpa name = proxy.nefonline.de.

In fact it is a normal customer proxy for M-NET (formerly NEFkom), a major internet provider in Bavaria/Germany. Access to it is restricted to private customers of this provider. None of the common TOR-Exit-checkers identifies this as a TOR-exit.

I became aware of this by an OTRS-ticket of an M-net customer who wanted to edit de-wp. I also live in that region and asked some friends if they are M-NET-customers. A friend responded that he is and that he was able to confirm that false block.


Version: unspecified
Severity: normal

Details

Reference
bz14934

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:15 PM
bzimport set Reference to bz14934.
bzimport added a subscriber: Unknown Object (MLST).

This is not a false block.

The reason that the other tor checkers don't detect it as an exit node is that our system gets the EXIT IP addresses, i.e. the IP that the request appears to come from. Presumably, somebody using M-NET is running a tor exit node, and M-Net uses a transparent proxy for HTTP traffic.

This seems to be the most likely explanation. Regrettably, I can't provide any more information at this time (despite spending a while trying to work through the code Tor uses to generate the list for us).

I am marking this as INVALID.

gnu1742 wrote:

This is actually wrong. M-NET does not use a transparent proxy, as several tests by colleagues of mine showed. This was confirmed by customer support.

Anyway: If you will not spend any time on this issue, then at least provide an appropriate Block message that does not leave the well-meaning wannabe-wikipedian with the impression that he is blocked due to something that he never has heard of.

Well, presumably if you have numerous people aggregated between a single IP address which resolves to proxy.nefonline.de, it is not at all unreasonable to assume that one of those numerous people could be running a tor exit node.

I have spent time on the issue, as I mentioned above. I spent a good half-hour trying to track down the exact exit node which is being run. It is unfortunate that I haven't yet been able to do this. For your reference, a list of all tor exit nodes detected by the Tor people is at https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=208.80.152.2 . It should be noted that every single IP address in that list is checked automatically, by exiting through that IP address.

I have also spoken to some people from Tor, who indicate that my hypothesis is probably the best one. Unfortunately, the way that the exit list builder is set up makes it quite difficult to link the IP back to the exit node which it represents.

The simple fact is that the IP seems to aggregate multiple customers behind one IP address. When this is the case, a tor exit node run on any of the computers will cause all of them to be blocked. This is unavoidable.

gnu1742 wrote:

I have understood those things before. My main request in the last posting was "...at least provide an appropriate Block message that does not leave the well-meaning wannabe-wikipedian with the impression that he is blocked due to something that he never has heard of."

hersfoldwiki wrote:

This is becoming a severe problem, and the extension needs to be shut off until these false positives stop coming up.

I received an email from the unblock-en-l list just now, from a user who attempted to create an account and could not because they were blocked. Some investigation led us to find that she was blocked by this extension, not directly, and not through a rangeblock. We ran some tests on the IP address (218.168.13.1) and it is neither a Tor node nor an open proxy. Some digging by east718 found that it's not only that one IP address blocked, but rather most of the country of Singapore. When I reported it to #wikimedia-tech, they informed me that sometimes this block can extend to several whole countries?

I can understand that programming such a tool may be difficult, and I don't want to seem as over-reacting, but if an extension has this much impact on this many innocent users who probably don't have a dang clue what they're being blocked for, it needs to be shut down immediately until a way is found to correct the issue. If it is blocking entire countries, this could also create a huge public relations backlash for the Foundation, creating more than just technical problems.

I've upgraded the priority on this to High, and the severity to Blocker, as I really feel this needs to be dealt with, and now. If nothing is done to shut this off or fix it, please at least look into Magnus's request to change the block message. I've seen it, and it's very unhelpful for those who aren't using Tor. Thank you.

Please don't use the priority/severity controls if you're not a developer. We will probably ignore you.

I assumed that somebody complaining about the message would fix it themselves (or ask an administrator to), as any administrator can. I have changed the message to this new version: http://en.wikipedia.org/wiki/MediaWiki:Torblock-blocked

Some issues here are caused by multiple users on the same IP, which the extension has legitimately detected as an exit node. Consequently, I have exempted IPs on the autoblock whitelist from tor blocks in r38853 (perhaps you'll agree, a much better approach than disabling the extension).

I now consider this issue closed.
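
The exemption described in the closing comment (an IP on the autoblock whitelist is spared from Tor blocks even when it appears in the exit list), sketched as an added example; it is not part of the original thread and is not TorBlock's own code. The list formats, function names and sample addresses (RFC documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of a bulk exit list: '#' comment lines, one exit IP per line.
SAMPLE_EXIT_LIST = """\
# Constructed sample, not real Tor data
192.0.2.10
198.51.100.66
2001:db8::5
"""

# Constructed allowlist in "* entry" form; an entry is a single IP or a CIDR range.
SAMPLE_ALLOWLIST = """\
Shared ISP proxies exempt from Tor blocks (constructed sample)
* 198.51.100.66
* 203.0.113.0/24
"""

def parse_exit_list(text):
    """Return the set of exit addresses, skipping comments and malformed lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one bad line must not discard the whole list
    return exits

def parse_allowlist(text):
    """Return the networks named on '*' lines; other lines are free-text notes."""
    nets = []
    for line in text.splitlines():
        if not line.startswith("*"):
            continue
        try:
            nets.append(ipaddress.ip_network(line[1:].strip(), strict=False))
        except ValueError:
            continue
    return nets

def tor_block_decision(ip, exits, allowlist):
    """'allow' if not an exit, 'allow-exempt' if an allowlisted exit, else 'block'."""
    addr = ipaddress.ip_address(ip)
    if addr not in exits:
        return "allow"
    if any(addr.version == net.version and addr in net for net in allowlist):
        return "allow-exempt"  # shared IP: seen as an exit, but deliberately exempted
    return "block"
```

Returning a distinct `allow-exempt` result lets edits from an exempted shared address still be logged or reviewed separately from ordinary traffic.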