Exits behind a next-gen firewall? Opinions please

Hey guys,

I've been running some exit nodes for some time now, and they're doing well. They've burned through many terabytes of bandwidth, and thanks to Tor's recommended reduced exit policy, complaints have been minimal. Clearly the vast majority of the Tor traffic is not malicious, but I have received some reports from other companies and from my ISP of hacking attempts: SQL injection, XSS, botnet C&C, basic things like that.

My ISP now tells me that they could reduce the reports even further by routing the exits through a "next-generation firewall" which apparently can detect an obvious clearnet attack and drop that connection a few milliseconds after the attack occurs. I don't know how the firewall works in detail, perhaps it has the ability to drop a specific connection rather than drop all access to the destination IP for a while, nor do I know how it would interact with Tor's traffic patterns out of an exit.

I'm posting here for opinions. My question is, is this a good idea, and if so, any advice? Does anyone have any experience with such a setup?

-- Jesse V. /PGP 0xC20BEC80/

Hi Jesse,

On 07/11/2014 01:23 AM, Jesse Victors wrote:
> can detect an obvious clearnet attack and drop that connection a few milliseconds after the attack occurs

I would advise against anything that touches the traffic. There will be false positives, and I know quite a number of researchers that use Tor specifically to test infrastructure against exploits. What if I want to try and attack my own sites?

Besides, maybe I'm old school about this, but I find it both unethical and against the law to interfere with user traffic. One might argue that if you take the law literally, for example DMCA 512, any interference makes you lose the "common carrier" status:

* the service provider does not select the recipients of the material
* the material is transmitted through the system or network without modification of its content

http://www.law.cornell.edu/uscode/text/17/512

We are promoting free network access without interference. Yes, we see these kinds of "attacks" from time to time, but they should be handled on the destination side. It's not the network provider's fault that endpoint security is so ridiculous.

-- Moritz Bartl https://www.torservers.net/

Jesse Victors:
> I've been running some exit nodes for some time now, and they're doing well. They've burned through many terabytes of bandwidth, and thanks to Tor's recommended reduced exit policy, complaints have been minimal. Clearly the vast majority of the Tor traffic is not malicious, but I have received some reports from other companies and from my ISP of hacking attempts: SQL injection, XSS, botnet C&C, basic things like that. My ISP now tells me that they could reduce the reports even further by routing the exits through a "next-generation firewall" which apparently can detect an obvious clearnet attack and drop that connection a few milliseconds after the attack occurs.

You don't want that. For Tor to work properly, once a packet is delivered to your exit (and the destination is accepted), the packet must be delivered. Otherwise, you are breaking the network and the relay will be a BadExit.

But you really don't want that because if you start looking at the traffic and selecting the traffic, then you become liable for what you transport (at least in Europe).

-- Lunar <lunar@torproject.org>

On 07/10/2014 07:23 PM, Jesse Victors wrote:
> My ISP now tells me that they could reduce the reports even further by routing the exits through a "next-generation firewall" which apparently can detect an obvious clearnet attack and drop that connection a few milliseconds after the attack occurs.

A "next-generation firewall" uses deep packet inspection (DPI) to analyze content as it crosses the firewall. We don't want to promote DPI, given Tor is used in many parts of the world to bypass DPI filtering and censorship.

-- Andrew pgp 0x6B4D6475 https://www.torproject.org/ +1-781-948-1982