On Friday 25 February 2011 11:45:04 Bianco Veigel wrote:
Today I got the second abuse mail within two weeks from my hosting provider. They forced me to take down the exit node, otherwise they will shut down my server.
How could I detect such a scan and take countermeasures to prevent a network scan through tor? I've thought about Snort, but I've never used it before. The exit node is running in a Xen-vm, behind a pfSense firewall.
I've attached the report from the abuse mail. Does anyone have an idea, what steps should/could be taken?
It may be possible to detect a scan by looking for RST packets coming back from computers that have the port closed. I saw something about that on snort.org; I wouldn't trust Snort to do the right thing in the case of someone portscanning through Tor. I suggest closing the circuit, and only Tor knows what the circuit is, so if an exit node notices several connection attempts in a row on the same circuit fail, it could close the circuit because it looks like a portscan.
cmeclax
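A minimal version of the per-circuit heuristic cmeclax describes, added here as an example that is not part of the original thread and not Tor's own code: it walks constructed exit-stream records (circuit id, destination, outcome; the line format is assumed) and flags a circuit whose run of consecutive failed streams spans several distinct destination ports, which is the circuit the exit would then close.

```python
from collections import defaultdict

# Constructed exit-stream records, one per stream, in an assumed
# "<circuit> <dst_ip>:<dst_port> <outcome>" format ("refused" = RST came back,
# "timeout" = no answer, "ok" = the connection succeeded).
SAMPLE_LOG = [
    "c1 10.0.0.5:21 refused",
    "c2 10.0.0.9:443 timeout",
    "c3 10.0.0.7:80 ok",
    "c1 10.0.0.5:22 refused",
    "c2 10.0.0.9:443 timeout",
    "c1 10.0.0.5:23 refused",
    "c3 10.0.0.7:8080 refused",
    "c2 10.0.0.9:443 timeout",
    "c1 10.0.0.5:25 refused",
    "c3 10.0.0.7:80 ok",
    "c2 10.0.0.9:443 timeout",
    "c1 10.0.0.5:80 refused",
    "c2 10.0.0.9:443 timeout",
    "c1 10.0.0.5:110 refused",
]

FAIL_THRESHOLD = 5  # consecutive failed streams on one circuit before it is flagged


def detect_scanning_circuits(lines, threshold=FAIL_THRESHOLD):
    """Return {circuit: sorted distinct (host, port) failures} for circuits
    whose run of consecutive failed streams spans >= threshold distinct targets."""
    runs = defaultdict(list)  # circuit -> targets failed since the last success
    flagged = {}
    for line in lines:
        circ, target, outcome = line.split()
        host, port = target.rsplit(":", 1)
        if outcome == "ok":
            runs[circ].clear()  # a successful stream ends the run of failures
            continue
        runs[circ].append((host, int(port)))
        distinct = set(runs[circ])
        # Repeated failures to one host:port look like a dead service, not a scan,
        # so the run must both be long enough and cover distinct targets.
        if (circ not in flagged and len(runs[circ]) >= threshold
                and len(distinct) >= threshold):
            flagged[circ] = sorted(distinct)
    return flagged


if __name__ == "__main__":
    for circ, targets in detect_scanning_circuits(SAMPLE_LOG).items():
        print(f"close circuit {circ}: {len(targets)} distinct closed ports probed")
```

Circuit c2 in the sample retries one dead host:port and is deliberately not flagged, so a broken service on the far side does not get a legitimate client's circuit closed.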