Zack Weinberg wrote:
On Mon, Dec 4, 2017 at 10:57 AM, Ralph Seichter m16+tor@monksofcool.net wrote:
On 04.12.17 11:59, James wrote:
As a private individual, after just receiving my 4th abuse complaint in as many days, it's time to stop running my exit node.
Thanks for running the exit, and I am sorry you took the decision to shut it down. However, a 4th abuse complaint in a few days is really not a big deal; I could say I swim in such reports, but then again it's up to each and every one of us when to stop.
What I want to point out is a HUGE difference between:
1. *Abuse Reports* aka *Serious complaints*: those that are addressed directly and formally, sent by a human, and explicitly require action or at least a reply with an explanation. These are very rare.
2. *Junk NOTIFICATIONS* aka *WARNINGS* aka *Simple Notifications to safely ignore*: those that are not addressed formally ("to whomever it may concern..."), are sent by bots or automated scripts (firewalls, intrusion systems, fail2ban, etc.) which simply run a whois on an IP address and bomb the abuse mailbox with spam, most sent from addresses where, even if a reply is sent, the message is discarded. These DO NOT require action or a reply. These are the 99% ones.
I've had an ongoing debate with a hosting service over a fresh exit node being abused for network scans (ports 80 and 443) almost hourly for the last few days. I can understand that they are pissed off, and the whole thing resulted in this particular exit being shut down by the hoster. If I could detect and prevent these scans, it would go a long way toward avoiding having my exit nodes shut down by hosting services.
This is just a defective policy of that hoster. If a hoster goes mad because it receives some useless junk notifications, that is not much of a hoster. The first problem is that one who feels port-scanned or probed needs to implement defenses at their end, not bomb with automated spam messages everyone that is connecting to them. You cannot rely on everyone else doing something in order to ensure your security when you can implement protections for yourself.
A large exit node (big consensus weight) is almost guaranteed to trigger a false positive in such a dumb warning system, even in legitimate cases where simply more users pick it as Exit and the service (end point) is popular.
With my exit node operator hat on, I too would like to see some sort of port-scanning prevention built into the network. In my case, I had to turn off exiting to the SSH port because we were getting daily complaints about abusive scanning for devices with weak admin passwords. Which is a shame, since there are plenty of legitimate uses for SSH-over-Tor.
I agree it's annoying, but it is very hard to implement port-scanning prevention directly in Tor, especially because new connections should not be distinguishable as to whether they come from the same user or multiple users. The exit relay should have no definition about this; otherwise you have to go deeper into the streams attached to each circuit, which is totally different. This would be over-engineering with absolutely no gains, because someone who wants to abuse simply does not care about the network and will just keep port-scanning with isolated requests / different circuits (it might be slower, but it would still work) and will consume even more resources in the network.
I don't think this is the way to go, under any circumstances. Better to learn to tell the difference between junk notifications and serious reports that require action or a reply.