On Mon, Dec 4, 2017 at 10:57 AM, Ralph Seichter m16+tor@monksofcool.net wrote:
> On 04.12.17 11:59, James wrote:
>> As a private individual, after just receiving my 4th abuse complaint in as many days, it's time to stop running my exit node.
> I've had an ongoing debate with a hosting service over a fresh exit node being abused for network scans (ports 80 and 443) almost hourly for the last few days. I can understand that they are pissed off, and the whole thing resulted in this particular exit being shut down by the hoster. If I could detect and prevent these scans, it would go a long way to avoid having my exit nodes shut down by hosting services.
> With my exit node operator hat on, I too would like to see some sort of port-scanning prevention built into the network. In my case, I had to turn off exiting to the SSH port because we were getting daily complaints about abusive scanning for devices with weak admin passwords. Which is a shame, since there are plenty of legitimate uses for SSH-over-Tor.
The tricky part is designing some sort of exit-node-controlled new-connection rate limiting that's content-blind and won't interfere with legitimate uses. And "legitimate uses" include things like a web browser generating a burst of TCP connections to the same HTTP/1.1 server cluster, exitmap connecting to the same test server repeatedly via every exit node in the network, and so on. I would want to see any proposal document include a long list of known non-abusive traffic scenarios and an argument that the mechanism would not interfere with each.
zw
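As an added illustration of the content-blind, exit-side rate-limiting idea discussed above (this is example code written for this page, not anything from the thread or from Tor), the sketch below keys a sliding window on (circuit, destination port) and counts distinct destination hosts only, so a browser burst to one server cluster or exitmap hammering one test server stays unflagged while a one-host-per-second sweep on port 80 is caught. The window length, threshold, circuit ids and TEST-NET addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed tuning values, not taken from the thread.
WINDOW_SECONDS = 60
DISTINCT_HOST_THRESHOLD = 20


class NewConnectionMonitor:
    """Per-circuit sliding window over new outbound connections.

    Only connection metadata (time, circuit, dst host, dst port) is used;
    payload is never inspected, so the check is content-blind. A circuit is
    flagged only when it opens connections to many *distinct* hosts on the
    *same* port within the window, which is what a sweep looks like and what
    a burst to a single host or small server cluster does not.
    """

    def __init__(self, window=WINDOW_SECONDS, threshold=DISTINCT_HOST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        # (circuit, dst_port) -> deque of (timestamp, dst_host), oldest first
        self.events = defaultdict(deque)

    def observe(self, ts, circuit, dst_host, dst_port):
        """Record one new connection; return True if the circuit now looks scan-like."""
        q = self.events[(circuit, dst_port)]
        q.append((ts, dst_host))
        while q and ts - q[0][0] > self.window:   # expire events outside the window
            q.popleft()
        distinct_hosts = {host for _, host in q}
        return len(distinct_hosts) >= self.threshold


def scan_like_circuits(records, **kw):
    """Return the set of circuit ids flagged at any point in the record stream."""
    mon = NewConnectionMonitor(**kw)
    flagged = set()
    for ts, circuit, host, port in records:
        if mon.observe(ts, circuit, host, port):
            flagged.add(circuit)
    return flagged


# Constructed sample traffic (RFC 5737 documentation addresses).
browser_burst = [(t, "circ-A", f"203.0.113.{10 + t % 4}", 443) for t in range(30)]  # 4-host cluster
exitmap_like = [(t, "circ-B", "198.51.100.5", 80) for t in range(0, 45, 3)]          # one test server
sweep = [(t, "circ-C", f"192.0.2.{t}", 80) for t in range(1, 40)]                    # new host each second

if __name__ == "__main__":
    print(scan_like_circuits(browser_burst + exitmap_like + sweep))  # {'circ-C'}
```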