It's apparent that you're definitely not going to solve that ... you're more into searching for reasons why not to do it than for ways how to do it :) (btw you haven't mentioned your IPS experience)
I just say facts
- the amount of malicious traffic is rising (over the last 5 years its volume has been multiplying) - to be exact, in the last two years we filtered over 300,000 various DDoS attacks just in our network - before that we used a non-automated system (tcpdump on backbone routers and iptables) because nothing automated was necessary! The amount of malicious traffic (not DDoS) against our webhosting servers is nowadays ~15% (that's 300 Mbit/s); in the last year it rose 3x.
- I know about every Tor server in our VPS segment - it's not difficult - the warnings about malicious traffic keep coming. The amount of reported problems grows with the same trend as the amount of malicious traffic on the internet.
- The traffic going out of Tor exit nodes in our network is even worse than the one coming in from the internet. Paul, who started this thread, has a constant flow of over 50 kpps. It consists mostly of various DoS attacks + exploits against many known CMSs. I wouldn't be surprised if an attack against our infrastructure came out of it. Anyway, it would be really interesting to analyze that flow completely.
- The next thing (already mentioned) is that in our case these Tor nodes of Paul's can worsen the reputation of one /22 and one /21 subnet. That's a crucial problem for us; the nineties are bye bye, we've got just a few /21 subnets and we can't afford to have an IP banned by some widely used authority.
This is the short summary ... the only thing I say as an ISP is that if this is not going to change, we're going to ban Tor in our network. The amount of resources we have to put into managing something like that doesn't make economic sense for us. I would be surprised if there is an ISP in 3-5 years who is going to have a different opinion.
---------- Original message ----------
From: Ralph Seichter <tor-relays-ml@horus-it.de>
To: tor-relays@lists.torproject.org
Date: 6. 10. 2016 13:39:54
Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata
On 06.10.16 12:57, oconor@email.cz wrote:
> You probably will invest your time, but the ISP won't. The amount of
> the problems is multiplying. Tor should evolve, or it will extinct
> like dinosaurs.
I don't think that Tor has a problem. It works as designed. One might
say that service providers have a problem dealing with Tor, because of
the effort involved, or that complaining parties have a problem with
Tor, because they don't understand or care that a Tor exit is not the
real source of "bad traffic", or that they can block Tor based traffic
by using the already existing information provided by the Tor project
(see https://www.torproject.org/docs/faq-abuse.html.en#Bans).
Pointing fingers is not going to help, and neither is implementing
automated self-censorship on Tor exits. If somebody wants me to block
his destination IP on my Tor exit nodes, he'll have to explicitly tell
me so, and explain why he's not blocking my exit nodes instead.
-Ralph
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
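Ralph's point above, that a provider can block or rate-limit traffic from Tor exits using the list the Tor project already publishes, as an added example that is not code from either poster: it parses a constructed sample in the layout of the bulk exit list (ExitNode / Published / LastStatus / ExitAddress records), answers whether a source address is a recently seen exit, and emits ipset commands that an iptables rule could match. The sample records, the fingerprints and the 24-hour freshness window are assumptions.

```python
"""Match source addresses against a Tor bulk exit list (added example)."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the bulk exit list layout; fingerprints and
# addresses are placeholders, not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2016-10-06 07:53:30
LastStatus 2016-10-06 09:02:23
ExitAddress 198.51.100.7 2016-10-06 09:06:17
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2016-10-05 22:10:01
LastStatus 2016-10-06 08:55:40
ExitAddress 203.0.113.42 2016-10-06 08:57:02
ExitAddress 203.0.113.43 2016-10-06 08:57:02
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_exit_list(text):
    """Return {exit_ip: (fingerprint, last_seen)}; one node may list several IPs."""
    exits = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress":
            ip = str(ipaddress.ip_address(parts[1]))  # validates the address
            seen = datetime.strptime(f"{parts[2]} {parts[3]}", TIME_FMT)
            exits[ip] = (fingerprint, seen)
    return exits


def is_tor_exit(src_ip, exits, now_str, max_age_hours=24):
    """True if src_ip was seen as an exit within max_age_hours before now_str.

    The age check keeps a stale list from matching addresses that were
    reassigned after the relay went away (assumed 24h window)."""
    entry = exits.get(str(ipaddress.ip_address(src_ip)))
    if entry is None:
        return False
    now = datetime.strptime(now_str, TIME_FMT)
    return timedelta(0) <= now - entry[1] <= timedelta(hours=max_age_hours)


def ipset_commands(exits, set_name="tor_exits"):
    """Emit ipset commands to fill a set; an iptables rule can then use
    '-m set --match-set tor_exits src' to rate-limit or drop matches."""
    cmds = [f"ipset create {set_name} hash:ip -exist"]
    for ip in sorted(exits, key=ipaddress.ip_address):
        cmds.append(f"ipset add {set_name} {ip} -exist")
    return cmds
```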