Hiho,
I am hosting a 3-5MB/s Tor exit relay but as of today my hoster has closed my server because of network scanning. Is there a known proper way to protect yourself from being used as a network scan relay?
I've thought about constructing iptables rules to limit the number of SYN packets for the same host per second or such, but I'm not sure if this is allowed or will get me flagged as a bad exit node.
My hoster is quite ok with us generating some abuse complaints per month, but does not want to route network scanning traffic since it is a severe load to their routers. Any help would be appreciated
Cheers amki
> I've thought about constructing iptables rules to limit the number of SYN packets for the same host per second or such
Multiple flows to the same host don't really bother routers of any class. Old routers choke when looking up many hosts in the routing table. So your proposed rules against port-scanning single hosts wouldn't help. Unless each SYN to a host is generated from multiple Tor-based IP-scanners, in which case your node or Tor would probably be underwater from the parallel scans anyways.
> Is there a known proper way to protect yourself from being used as a network scan relay?
You can't really implement rules to block IP-scanning because you'll just take yourself offline. Which is exactly what ISPs do when their router falls over. The problem is fixed at the source, not the dest.
In the TCP only case of Tor, best you can easily do is 'reject *:port' the ports being scanned, thus denying service to the scanner's Tor client and thus emitting no such traffic yourself. If it's well-known ports, such is life for your relay.
> I am hosting a 3-5MB/s Tor exit relay
> ...
> does not want to route network scanning traffic since it is a severe load to their routers.
If they can't deal with a single host doing IP-routing lookups, sounds like they need to replace their 10-year-old Crisco routers or exit the biz.
2012/7/31 grarpamp grarpamp@gmail.com:
> I've thought about constructing iptables rules to limit the number of SYN packets for the same host per second or such
> Multiple flows to the same host don't really bother routers of any class. Old routers choke when looking up many hosts in the routing table. So your proposed rules against port-scanning single hosts wouldn't help. Unless each SYN to a host is generated from multiple Tor-based IP-scanners, in which case your node or Tor would probably be underwater from the parallel scans anyways.
Or perhaps their network is perfectly able to take that, but their staff is unwilling to look beyond « I received a mail on abuse@ » ...
On 7/31/12 7:18 PM, amki wrote:
> Hiho,
> I am hosting a 3-5MB/s Tor exit relay but as of today my hoster has closed my server because of network scanning. Is there a known proper way to protect yourself from being used as a network scan relay?
> I've thought about constructing iptables rules to limit the number of SYN packets for the same host per second or such, but I'm not sure if this is allowed or will get me flagged as a bad exit node.
> My hoster is quite ok with us generating some abuse complaints per month, but does not want to route network scanning traffic since it is a severe load to their routers. Any help would be appreciated
That's a problem I tried to address in several ways using system administration tools (from portscan detectors to the most esoteric iptables modules/combinations) but didn't succeed.
It would probably require custom software to be developed to detect outgoing portscans and then mark the traffic, diverting it into iptables rules that apply specific rate limiting/blocking.
The portscanning patterns that imho trigger abuses are mostly two: a) multiple target IPs of the same netblock for a single TCP port within a short timeframe; b) multiple TCP ports for a single target IP within a short timeframe.
It would be reasonably easy to make such an algorithm that would detect outgoing portscans, with limited risk of hurting other Tor traffic, and implement it with the netfilter API, so that it would be possible to "mark" that traffic.
Then, what you want to do with "marked traffic" may be just log, or block, or rate limit, or limit the number of connections marked in this way.
Imho finding a reasonable way and algorithm to detect outgoing portscans and shape them would be very useful, even if I know that it doesn't get that much community acceptance, blocking/limiting being a controversial topic.
-naif
An easy way is to limit the number of TCP connections open at the same time on an edge router. This is usually done to get rid of script kiddies who try to break into SSH by trying every possible password for root. If TCP init is however rate limited then it's like a slow connection for opening sessions. This could affect outgoing HTTP though, so it's smarter to exclude ports 80 and 443 from it.
Sent from my iPhone 5
On 01.08.2012 at 09:19, "Fabio Pietrosanti (naif)" lists@infosecurity.ch wrote:
> On 7/31/12 7:18 PM, amki wrote:
> > Hiho,
> > I am hosting a 3-5MB/s Tor exit relay but as of today my hoster has closed my server because of network scanning. Is there a known proper way to protect yourself from being used as a network scan relay?
> > I've thought about constructing iptables rules to limit the number of SYN packets for the same host per second or such, but I'm not sure if this is allowed or will get me flagged as a bad exit node.
> > My hoster is quite ok with us generating some abuse complaints per month, but does not want to route network scanning traffic since it is a severe load to their routers. Any help would be appreciated
> That's a problem I tried to address in several ways using system administration tools (from portscan detectors to the most esoteric iptables modules/combinations) but didn't succeed.
> It would probably require custom software to be developed to detect outgoing portscans and then mark the traffic, diverting it into iptables rules that apply specific rate limiting/blocking.
> The portscanning patterns that imho trigger abuses are mostly two: a) multiple target IPs of the same netblock for a single TCP port within a short timeframe; b) multiple TCP ports for a single target IP within a short timeframe.
> It would be reasonably easy to make such an algorithm that would detect outgoing portscans, with limited risk of hurting other Tor traffic, and implement it with the netfilter API, so that it would be possible to "mark" that traffic.
> Then, what you want to do with "marked traffic" may be just log, or block, or rate limit, or limit the number of connections marked in this way.
> Imho finding a reasonable way and algorithm to detect outgoing portscans and shape them would be very useful, even if I know that it doesn't get that much community acceptance, blocking/limiting being a controversial topic.
> -naif
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 8/1/12 9:24 AM, Administrator wrote:
> An easy way is to limit the number of TCP connections open at the same time on an edge router. This is usually done to get rid of script kiddies who try to break into SSH by trying every possible password for root. If TCP init is however rate limited then it's like a slow connection for opening sessions. This could affect outgoing HTTP though, so it's smarter to exclude ports 80 and 443 from it.
That way you will not catch scanning that goes across an entire netblock on port 80 to look for possible specific vulnerable web applications (portscanning + application vulnerability check).
You need to look at very specific portscanning patterns, finely tuned so that they would not risk also matching good Tor traffic.
-naif
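As an added example (not code from this thread, nor from the Tor project), here is a small Python detector for the two outbound patterns naif describes earlier in the thread, (a) many target hosts in one netblock on a single port and (b) many ports on a single host, each over a sliding time window. It is run against a constructed log that contains a port-80 sweep across a /24, to show the point made just above: every host in the sweep sees exactly one connection, so a per-host connection limit never fires, while the netblock pattern does. The netfilter LOG rule, the "TOR-NEW:" log prefix, the thresholds and every address in the sample are assumptions made for this example.

```python
"""Detect outgoing port-scan patterns in an exit relay's connection log.

Added example, not code from the tor-relays thread or the Tor project.
Patterns (as described in the thread), evaluated over a sliding window:
  (a) horizontal: many distinct target IPs in one /24 on a single TCP port
  (b) vertical:   many distinct TCP ports on a single target IP
"""
import re
from collections import Counter, defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample: syslog lines as the netfilter LOG target would write
# them for an assumed rule like
#   iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "TOR-NEW: "
# Addresses are documentation ranges, not real targets.
SAMPLE_LOG = """\
Aug  1 09:19:01 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.70 PROTO=TCP SPT=40001 DPT=443
Aug  1 09:19:02 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.71 PROTO=TCP SPT=40002 DPT=80
Aug  1 09:19:03 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40003 DPT=80
Aug  1 09:19:03 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=80
Aug  1 09:19:04 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.3 PROTO=TCP SPT=40005 DPT=80
Aug  1 09:19:04 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP SPT=40006 DPT=80
Aug  1 09:19:05 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40007 DPT=80
Aug  1 09:19:10 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40008 DPT=21
Aug  1 09:19:10 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40009 DPT=22
Aug  1 09:19:11 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40010 DPT=23
Aug  1 09:19:11 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40011 DPT=25
Aug  1 09:19:12 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40012 DPT=3389
Aug  1 09:21:30 relay kernel: TOR-NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.72 PROTO=TCP SPT=40013 DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) .*?TOR-NEW: .*?"
    r"DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)"
)
LOG_YEAR = 2012  # syslog timestamps carry no year; assumed for the sample

Alert = namedtuple("Alert", "kind target port count")  # port is None for vertical


def parse_line(line):
    """Return (timestamp, dst_ip, dst_port) for a TOR-NEW line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts.replace(year=LOG_YEAR), m["dst"], int(m["dport"])


def netblock(ip):
    """Coarse /24 grouping used for the horizontal pattern (assumed granularity)."""
    return ip.rsplit(".", 1)[0] + ".0/24"


class ScanDetector:
    """Sliding-window detector; feed connections in timestamp (log) order."""

    def __init__(self, window_seconds=30, horizontal_threshold=5, vertical_threshold=5):
        self.window = timedelta(seconds=window_seconds)
        self.horizontal_threshold = horizontal_threshold
        self.vertical_threshold = vertical_threshold
        self.events = deque()   # (timestamp, dst_ip, dst_port), oldest first
        self.reported = set()   # alert keys already raised, so each fires once

    def observe(self, ts, dst_ip, dst_port):
        """Record one NEW outbound connection; return the alerts it newly triggers."""
        self.events.append((ts, dst_ip, dst_port))
        while ts - self.events[0][0] > self.window:   # drop events outside the window
            self.events.popleft()
        hosts = defaultdict(set)   # (netblock, port) -> distinct target IPs
        ports = defaultdict(set)   # target IP -> distinct target ports
        for _, ip, port in self.events:
            hosts[(netblock(ip), port)].add(ip)
            ports[ip].add(port)
        alerts, block = [], netblock(dst_ip)
        n_hosts = len(hosts[(block, dst_port)])
        if n_hosts >= self.horizontal_threshold and ("h", block, dst_port) not in self.reported:
            self.reported.add(("h", block, dst_port))
            alerts.append(Alert("horizontal", block, dst_port, n_hosts))
        n_ports = len(ports[dst_ip])
        if n_ports >= self.vertical_threshold and ("v", dst_ip) not in self.reported:
            self.reported.add(("v", dst_ip))
            alerts.append(Alert("vertical", dst_ip, None, n_ports))
        return alerts


def scan_log(text, detector=None):
    """Run the detector over log text; return alerts in the order they were raised."""
    detector = detector or ScanDetector()
    alerts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            alerts.extend(detector.observe(*parsed))
    return alerts


def connections_per_host(text):
    """Connections per target IP: a sweep gives 1 per host, so a per-host limit misses it."""
    return Counter(p[1] for p in map(parse_line, text.splitlines()) if p)


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print(connections_per_host(SAMPLE_LOG).most_common(3))
```

The detector only raises alerts; what to do with the marked traffic (log it, rate limit it, or feed it to a netfilter mark) is the policy choice the thread leaves open. The thresholds and the /24 grouping are deliberately crude and need tuning against a relay's real traffic before anything is limited, since many clients reaching a popular site's address range on port 443 can look like pattern (a).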