On 3/9/11 10:02 AM, Olaf Selke wrote:
On 09.03.2011 09:20, Fabio Pietrosanti (naif) wrote:
We *really* need to find a technical way to be able to detect and block outgoing portscan from the TOR exit nodes.
this might cause a lot of collateral damage. I don't think it's a good idea. How can we distinguish between legitimate Tor exit traffic and someone scanning whole networks for certain applications?
That's the point, how to do it in the right way without creating collateral damage.
Detecting a portscan is not rocket science, but the problem is imho:
- detection logic (based on destination and not on source of scan)
- tuning of detection logic (for example how wide the destination can be)
- dynamic blocking (which destination netblock to block? Several portscans randomize across a Class-B network)
- tuning of dynamic blocking (for how much time to block destination networks?)
And in such an extremely finely tuned situation, block or strongly rate-limit the traffic to the destination?
Imho those are still unsolved technical problems because 100% of portscan detection systems are based on detecting "a single source of portscan and blocking the source of portscan".
In that case "we are the source of portscan" and the destination can be "randomized across a Class-B network".
So it sounds more complex than it appears to be able to block TOR exit outgoing portscans in a proper and clean way.
-naif http://infosecurity.ch
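A sketch of the destination-based detection naif describes, added here as an example and not code from the thread or from the Tor project: it aggregates outbound connection attempts by destination /16 (the "how wide" knob), counts distinct hosts hit inside a sliding window regardless of source, and blocks that netblock only for a limited time. The class name, thresholds and the 10.x.x.x sample flows are constructed for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_network


class DestinationScanDetector:
    """Flag destination netblocks that receive attempts to many distinct hosts
    in a short window, whatever the source (the exit itself is the source)."""

    def __init__(self, prefix_len=16, window=60, threshold=40, block_seconds=600):
        self.prefix_len = prefix_len        # how wide a destination is aggregated
        self.window = window                # seconds of history kept per netblock
        self.threshold = threshold          # distinct hosts in window that count as a scan
        self.block_seconds = block_seconds  # how long a flagged netblock stays blocked
        self.events = defaultdict(deque)    # netblock -> deque of (ts, dst_ip)
        self.blocked = {}                   # netblock -> expiry timestamp

    def _net(self, dst_ip):
        return ip_network(f"{dst_ip}/{self.prefix_len}", strict=False)

    def observe(self, ts, dst_ip):
        """Record one outbound attempt; return the netblock if it is (now) blocked."""
        net = self._net(dst_ip)
        expiry = self.blocked.get(net)
        if expiry is not None:
            if expiry > ts:
                return net                  # still inside the block period
            del self.blocked[net]           # block expired: evaluate afresh
        dq = self.events[net]
        dq.append((ts, dst_ip))
        while dq and dq[0][0] < ts - self.window:
            dq.popleft()                    # drop history outside the window
        if len({ip for _, ip in dq}) >= self.threshold:
            self.blocked[net] = ts + self.block_seconds
            dq.clear()
            return net
        return None


def run_sample():
    """Constructed flows: repeated legitimate hits on one host in 10.1.0.0/16,
    then a sweep of 50 distinct hosts across 10.2.0.0/16 within a few seconds.
    Returns (blocked netblocks, number of attempts that would be dropped)."""
    flows = [(t, "10.1.0.5") for t in range(20)]
    flows += [(30 + i // 10, f"10.2.{i % 7}.{i}") for i in range(50)]
    det = DestinationScanDetector(threshold=40)
    blocked, dropped = set(), 0
    for ts, ip in flows:
        hit = det.observe(ts, ip)
        if hit is not None:
            dropped += 1
            blocked.add(str(hit))
    return sorted(blocked), dropped
```

The legitimate traffic never trips the detector because it touches one host, while the sweep is blocked once it reaches the 40th distinct host and the remaining attempts are dropped until the block expires.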