On 7/31/12 7:18 PM, amki wrote:
Hiho,
I am hosting a 3-5MB/s tor exit relay but as of today my hoster has closed my server because of network scanning. Is there a known proper way to protect yourself from being used as a network scan relay?
I've thought about constructing iptables rules to limit the number of SYN packets for the same host per second or such, but I'm not sure if this is allowed or will get me flagged as a bad exit node.
My hoster is quite ok with us generating some abuse complaints per month, but does not want to route network scanning traffic since it is a severe load to their routers. Any help would be appreciated
That's a problem i tried to address in several way using system administration tools (from portscan detectors to the most esoteric iptables modules/combination) but didn't succeed.
It would require probably custom software to be developed to detect outgoing portscan and then mark the traffic diverting it in an iptables rules that apply specific rate limiting/blocking.
The portscanning patterns that imho trigger abuses are mostly two: a) Multiple target IPs of the same netblock for a single TCP port within a short timeframe b) Multiple TCP port for a single target IP within a short timeframe
It would be reasonably easy to make such an algorithm that would detect outgoing portscan, with limited risks to hurt other Tor traffic, implement it with netfilter API, so that it would be possible to "mark" that traffic.
Then, what you want to do with "market traffic" maybe just log, or block, or rate limit, or limit the number of connections market in this way.
Imho finding a reasonably way and algorithm to detect outgoing portscan and shape them would be very useful, even if i know that it doesn't get that much community acceptance being blocking/limiting a controversial topic.
-naif