Thus spake Jacob Appelbaum (jacob@appelbaum.net):
I am attracted to cmeclax's idea of some form of torrc config option which could limit the potential for deliberate (or accidental but "reckless") scanning. Is there any mileage in pursuing something like that further? And if not, are there any other (current) recommended configurations which could mitigate possible problems?
I don't think such a configuration option makes any sense at all. We have many streams on a given circuit for load balancing. A clever scanner would simply use one circuit per connect attempt and it would generate a lot of load on the network.
Right. In fact, if you think of this from the perspective of the self-interest of a scanner, I think it is quite likely that most scanners who use Tor already use the Tor Control Port to optimally pre-build as many custom, fast circuits as they can, and then use these either in as optimally parallel a configuration as they can, or in as randomized a configuration as they can, depending upon the desire for stealth versus speed.
Sophisticated people who use Tor to scan the Internet will likely just laugh at this thread, having defeated these measures already by accident while seeking either speed or stealth independently of them. They will have no problem using their custom Tor Controllers to port scan through your node using multiple circuits in parallel, bypassing the minimal protections provided by this torrc option by accident.
I say this because I personally know academic researchers who ethically use Tor to scan the Internet for malware, botnets, and other things. They have written their own Tor Controllers to build custom-chosen circuits optimally for them. Academics typically are considerate about the load they place on the network. They do not do this specifically to cause your node to show up in (laughably absurd) UK court proceedings, or to scan at optimal speed. Black hat scanners will be much less considerate.
So it comes down to this question: Are we only really interested in stopping the script kiddies? And can we even stop the script kiddies without opening up vulnerabilities and DoS conditions against regular Tor users that can be exploited at will by malicious websites and even other Tor clients?
So far, I think the answer is "no", and we need to look for better solutions. If nation-states and megacorps can't manage to properly implement filtering to avoid these conditions, it seems unlikely that Tor will be able to either.
But maybe we just need more tech-savvy UK politicians to show us how to protect ourselves. They seem to be doing a great job with technology over there so far...