Today I got the second abuse mail within two weeks from my hosting provider. They forced me to take down the exit node, otherwise they will shutdown my server.
How could I detect such a scan and take counter measures to prevent a network scan through tor? I've thougt about Snort, but I've never used it before. The exit node is running in a Xen-vm, behind a pfSense firewall.
I've attached the report from the abuse mail. Does anyone have an idea, what steps should/could be taken?
Thanks in advance,
Bianco Veigel
----- attachment -----
########################################################################## # Netscan detected from host 188.40.98.54 # ##########################################################################
time protocol src_ip src_port dest_ip dest_port --------------------------------------------------------------------------- Fri Feb 25 06:53:15 2011 TCP 188.40.98.54 45237 => 138.160.29.194 20019 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 27681 => 94.207.140.89 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 6869 => 94.207.140.93 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 33258 => 94.207.140.94 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 53464 => 94.207.140.95 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 31041 => 94.207.140.96 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 6299 => 94.207.140.97 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 40964 => 94.207.140.98 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 8703 => 94.207.140.99 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 56759 => 94.207.140.187 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 26247 => 94.207.140.227 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 26247 => 94.207.140.227 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 27847 => 94.207.140.228 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 27847 => 94.207.140.228 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 1219 => 94.207.140.229 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 1219 => 94.207.140.229 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 38929 => 94.207.140.230 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 38929 => 94.207.140.230 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 62958 => 94.207.140.235 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 46469 => 94.207.140.236 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 2704 => 94.207.140.237 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 17272 => 94.207.141.12 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 17272 => 94.207.141.12 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 32482 => 94.207.141.13 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 32482 => 94.207.141.13 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 55860 => 94.207.141.14 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 55860 => 94.207.141.14 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 43390 => 94.207.141.15 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 43390 => 94.207.141.15 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 31712 => 94.207.141.16 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 31712 => 94.207.141.16 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 29316 => 94.207.141.17 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 29316 => 94.207.141.17 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 5286 => 94.207.141.18 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 5286 => 94.207.141.18 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 45139 => 94.207.141.19 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 45139 => 94.207.141.19 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 25311 => 94.207.141.20 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 25311 => 94.207.141.20 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 3675 => 94.207.141.21 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 3675 => 94.207.141.21 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 51753 => 94.207.141.22 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 51753 => 94.207.141.22 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 8993 => 94.207.141.23 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 8993 => 94.207.141.23 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 48305 => 94.207.141.24 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 25717 => 94.207.141.25 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 15142 => 94.207.141.26 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 24618 => 94.207.141.27 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 43060 => 94.207.141.28 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 45003 => 94.207.141.45 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 18691 => 94.207.141.48 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 48452 => 94.207.141.60 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 48452 => 94.207.141.60 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 37237 => 94.207.141.61 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 37237 => 94.207.141.61 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 39153 => 94.207.141.62 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 10678 => 94.207.141.63 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 23127 => 94.207.141.64 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 10755 => 94.207.141.65 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 13206 => 94.207.141.66 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 32657 => 94.207.141.67 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 1909 => 94.207.141.68 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 3475 => 94.207.141.69 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 3475 => 94.207.141.69 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 1810 => 94.207.141.70 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 1810 => 94.207.141.70 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 52358 => 94.207.141.71 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 3828 => 94.207.141.72 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 46151 => 94.207.141.73 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 17930 => 94.207.141.74 80 Fri Feb 25 07:14:55 2011 TCP 188.40.98.54 4025 => 94.207.141.103 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 4025 => 94.207.141.103 80 Fri Feb 25 07:14:55 2011 TCP 188.40.98.54 48216 => 94.207.141.104 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 48216 => 94.207.141.104 80 Fri Feb 25 07:14:55 2011 TCP 188.40.98.54 61033 => 94.207.141.105 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 61033 => 94.207.141.105 80 Fri Feb 25 07:14:55 2011 TCP 188.40.98.54 35460 => 94.207.141.106 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 35460 => 94.207.141.106 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 34686 => 94.207.141.107 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 34686 => 94.207.141.107 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 8517 => 94.207.141.108 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 8517 => 94.207.141.108 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 34989 => 94.207.141.109 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 16795 => 94.207.141.110 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 54679 => 94.207.141.111 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 36103 => 94.207.141.112 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 59119 => 94.207.141.113 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 29831 => 94.207.141.114 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 24490 => 94.207.141.115 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 8880 => 94.207.141.116 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 43624 => 94.207.141.117 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 31266 => 94.207.141.118 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 33438 => 94.207.141.119 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 43359 => 94.207.141.120 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 8168 => 94.207.141.121 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 36716 => 94.207.141.122 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 5648 => 94.207.141.123 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 57277 => 94.207.141.124 80 Fri Feb 25 07:14:55 2011 TCP 188.40.98.54 20586 => 94.207.141.134 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 20586 => 94.207.141.134 80 Fri Feb 25 07:14:55 2011 TCP 188.40.98.54 29953 => 94.207.141.135 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 29953 => 94.207.141.135 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 10770 => 94.207.141.136 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 10770 => 94.207.141.136 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 4466 => 94.207.141.137 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 4466 => 94.207.141.137 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 27801 => 94.207.141.138 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 27801 => 94.207.141.138 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 14288 => 94.207.141.139 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 14288 => 94.207.141.139 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 11846 => 94.207.141.140 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 11846 => 94.207.141.140 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 42636 => 94.207.141.141 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 42636 => 94.207.141.141 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 7837 => 94.207.141.142 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 7837 => 94.207.141.142 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 62271 => 94.207.141.143 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 62271 => 94.207.141.143 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 6908 => 94.207.141.144 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 6908 => 94.207.141.144 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 29951 => 94.207.141.145 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 29951 => 94.207.141.145 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 10582 => 94.207.141.146 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 10582 => 94.207.141.146 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 61463 => 94.207.141.147 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 61463 => 94.207.141.147 80 Fri Feb 25 07:14:57 2011 TCP 188.40.98.54 32072 => 94.207.141.148 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 32072 => 94.207.141.148 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 31807 => 94.207.141.149 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 41404 => 94.207.141.152 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 6669 => 94.207.141.153 80 Fri Feb 25 07:14:55 2011 TCP 188.40.98.54 24449 => 94.207.141.172 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 24449 => 94.207.141.172 80 Fri Feb 25 07:14:55 2011 TCP 188.40.98.54 19439 => 94.207.141.173 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 19439 => 94.207.141.173 80 Fri Feb 25 07:14:56 2011 TCP 188.40.98.54 55637 => 94.207.141.174 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 55637 => 94.207.141.174 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 22382 => 94.207.141.175 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 25961 => 94.207.141.176 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 49493 => 94.207.141.177 80 Fri Feb 25 07:14:58 2011 TCP 188.40.98.54 10996 => 94.207.141.178 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 52247 => 94.207.141.179 80 Fri Feb 25 07:14:59 2011 TCP 188.40.98.54 26122 => 94.207.141.180 80 Fri Feb 25 07:15:00 2011 TCP 188.40.98.54 44654 => 94.207.141.181 80
Hi,
On 25.02.2011 17:32, Bianco Veigel wrote:
How could I detect such a scan and take counter measures to prevent a network scan through tor?
This is a dangerous route to go. At least I consider exits that filter security scans are "bad" and would want them to be flagged accordingly.
I've attached the report from the abuse mail. Does anyone have an idea, what steps should/could be taken?
Try to explain to them why network scans are not illegal, and might as well be part of some security researcher activity. Change your hosting provider.
On Sat, 26 Feb 2011 18:34:48 +0100 Moritz Bartl moritz@torservers.net allegedly wrote:
Hi,
On 25.02.2011 17:32, Bianco Veigel wrote:
How could I detect such a scan and take counter measures to prevent a network scan through tor?
This is a dangerous route to go. At least I consider exits that filter security scans are "bad" and would want them to be flagged accordingly.
I agree.
I've attached the report from the abuse mail. Does anyone have an idea, what steps should/could be taken?
Try to explain to them why network scans are not illegal, and might as well be part of some security researcher activity. Change your hosting provider.
But here I disagree. In many jurisdictions network scans /are/ illegal. No reputable security researcher would a) scan a network without that network owner's explicit permission, nor b) use tor for that scan.
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt ---------------------------------------------------------------------
On Feb 26, 2011, at 9:53 AM, mick wrote:
No reputable security researcher would a) scan a network without that network owner's explicit permission, nor b) use tor for that scan.
Lots of reputable security researchers who scan the entire internet without getting permission. You can't get permission from every operator in the world, but you still need to do good and interesting research. Examples of reputable researchers who have scanned the whole internet include Dan Bernstein, Dan Kaminsky, and EFF. (At least I think we're reputable. :) ) I don't know for sure, but I can't imagine Arbor, CAIDA, and Renesys can do their jobs without scanning the internet.
Using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable.
On Sat, 26 Feb 2011 12:13:53 -0800 Chris Palmer chris@eff.org allegedly wrote:
On Feb 26, 2011, at 9:53 AM, mick wrote:
No reputable security researcher would a) scan a network without that network owner's explicit permission, nor b) use tor for that scan.
Lots of reputable security researchers who scan the entire internet without getting permission. You can't get permission from every operator in the world, but you still need to do good and interesting research. Examples of reputable researchers who have scanned the whole internet include Dan Bernstein, Dan Kaminsky, and EFF. (At least I think we're reputable. :) ) I don't know for sure, but I can't imagine Arbor, CAIDA, and Renesys can do their jobs without scanning the internet.
Using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable.
Hmmm. Maybe I should have said "should" rather than "would". And you seem to have missed the point about network scanning being illegal in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990, as amended by the Police and Justice Act of 2006 makes such "reckless" activity an offence.
I cannot believe I am entirely alone in taking network scanning as potentially hostile activity, or at least as potentially the precursor to hostile activity. UK pen testers and researchers are usually pretty careful to ensure that they have written authority from owners of networks they wish to test before undertaking any remote scanning. Further, they will undertake that scanning from known, identifiable networks of their own. Hiding behind tor (or any other anonymising service) is not a good idea. At the least it could result in tor being seen as the source of hostile activity when we all recognise that is unhelpful.
And regardless of the legality of the action, the AUPs of the service providers that most of us use for our tor nodes will specifically preclude network scanning (along with mail spamming etc). This means that providers could (as has been the case for Bianco Veigel) get irritated enough to shut down the service.
I run (currently) three exit nodes which I provide on VPSs and pay for out of my own pocket because I believe that tor offers a valuable service. I can (and have) defend what appears to be hostile action emerging from my node as the action of "bad guys" beyond my control. In a particular recent case I was lucky to have an understanding MSP willing to listen to my explanation rather than just pulling the plug.
If my exit node was cited as the source of potentially hostile network scanning and my MSP /did/ pull the plug, I'd be disappointed, and tor would be shy of at least one exit node. But if I believed that the activity was the result of some "reputable" researcher simply using tor for his or her own ends /without/ warning tor relay owners, I'd be pretty pissed off.
I'd welcome the views of other node providers here.
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt ---------------------------------------------------------------------
On Sunday 27 February 2011 11:59:47 mick wrote:
Hmmm. Maybe I should have said "should" rather than "would". And you seem to have missed the point about network scanning being illegal in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990, as amended by the Police and Justice Act of 2006 makes such "reckless" activity an offence.
<snip>
And regardless of the legality of the action, the AUPs of the service providers that most of us use for our tor nodes will specifically preclude network scanning (along with mail spamming etc). This means that providers could (as has been the case for Bianco Veigel) get irritated enough to shut down the service.
<snip>
If my exit node was cited as the source of potentially hostile network scanning and my MSP /did/ pull the plug, I'd be disappointed, and tor would be shy of at least one exit node. But if I believed that the activity was the result of some "reputable" researcher simply using tor for his or her own ends /without/ warning tor relay owners, I'd be pretty pissed off.
I'd welcome the views of other node providers here.
Here's my proposal: Add a parameter PortScanLimit to the relays section of torrc. It can be set to any nonnegative integer. If PortScanLimit is n>0, then as soon as a circuit has made n failed attempts to connect, the relay shuts down the circuit. If PortScanLimit is 0, there is no limit on failed attempts to connect. Relay operators in jurisdictions or ISPs that prohibit port scanning can set this to, say, 10, and relay operators not in such jurisdictions who have no qualms about their exit node being used for scanning can set it to 0. This parameter should not be listed in the directory; any client running a port scan will eventually find an exit that allows scanning, if there are any.
cmeclax
Thus spake cmeclax-sazri (cmeclax-sazri@ixazon.dynip.com):
Here's my proposal: Add a parameter PortScanLimit to the relays section of torrc. It can be set to any nonnegative integer. If PortScanLimit is n>0, then as soon as a circuit has made n failed attempts to connect, the relay shuts down the circuit. If PortScanLimit is 0, there is no limit on failed attempts to connect. Relay operators in jurisdictions or ISPs that prohibit port scanning can set this to, say, 10, and relay operators not in such jurisdictions who have no qualms about their exit node being used for scanning can set it to 0. This parameter should not be listed in the directory; any client running a port scan will eventually find an exit that allows scanning, if there are any.
This isn't a bad idea on face, but it has some finer points that need a little thought. For instance, what if n connections have failed, but some are still alive? And what if this behavior is triggered by a malicious or broken website with tons of external, broken elements.
If the circuit is just forcibly closed, streams that did carry traffic could be cut short.. If the circuit is not closed, the client will wonder why all of their future Tor streams are now failing. Which one do we choose? Is the first really that bad? It seems in this case, the website is already broken, so no one should mind.. But what about other protocols?
The other problem is that one could imagine a port scanner or attacker that pre-builds all of the circuits it needs.. Does this mean that this defense is pointless, or will only stopping the script kiddies be enough here? What is the likelyhood that someone will distribute a Tor Controller specifically designed to use tor in an optimal fashion with nmap? This would be the way that this defense gets broken, possibly even unintentionally.
Note that we can try to solve this problem in a more general sense: https://blog.torproject.org/blog/research-problem-adaptive-throttling-tor-cl...
But if a client is only sending RELAY_BEGIN cells, it can still send a lot of them before any of these throttling limits kick in. I would be surprised if this was enough for an effective synflood, but it is enough to portscan.
On Feb 27, 2011, at 8:59 AM, mick wrote:
in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990, as amended by the Police and Justice Act of 2006 makes such "reckless" activity an offence.
I'm not sure how it counts as "reckless" to connect to a TCP port and then disconnect.
The kind of research I'm talking about — us, Kaminsky, Bernstein, et al. — involves simply talking to every server once. For example, the SSL Observatory does a "scan" that is very similar to what happens when a user clicks a link and then immediately clicks the Stop button in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello + Certificate, goodbye. We do this once per IP every few months. Out of 4 billion IP addresses, we got one complaint that I know of.
This work is not hostile or dangerous. It is clearly beneficial to the internet community. We've convinced CAs to tighten their loose certification standards, convinced them to meet the EV spec when we found they weren't, and provided hard evidence to fuel substantive debate on PKI policy. Nick and Jake are using the results to improve Tor. That's just to start.
It's also worth nothing that the various tricks to hide or evade IDSs that some scanners like Nmap can do, tend not to work over Tor since Tor normalizes TCP streams before exiting.
Port scanning can sometimes be the precursor to hostile activity, but it is not in itself hostile, and it is often either for a good cause or *indistinguishable from normal application activity*.
On Mon, 28 Feb 2011 22:09:56 -0800 Chris Palmer chris@eff.org allegedly wrote:
On Feb 27, 2011, at 8:59 AM, mick wrote:
in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990, as amended by the Police and Justice Act of 2006 makes such "reckless" activity an offence.
I'm not sure how it counts as "reckless" to connect to a TCP port and then disconnect.
Chris
I used the word "reckless" because that is the wording used in the UK CMA (as amended). See section 3 at:
http://www.legislation.gov.uk/ukpga/1990/18/section/3 which says:
"Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc."
I agree that a single full TCP connect does not constitute such "reckless" activity, but an aggressive, rapid, portscan, perhaps using (deliberately) badly formed TCP packets which took no account of the potential impact on the target, might.
Some network devices may not handle such traffic well. Indeed, the scan may cause a DOS.
IANAL, but it seems to me the drafters of the amendments to the UK legislation may have had such activity in mind when using the term "reckless". The term implies to me a "lack of care or due diligence". I suspect that "intent to impair" may sometimes be difficult to prove so lack of care was added.
The kind of research I'm talking about — us, Kaminsky, Bernstein, et al. — involves simply talking to every server once. For example, the SSL Observatory does a "scan" that is very similar to what happens when a user clicks a link and then immediately clicks the Stop button in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello + Certificate, goodbye. We do this once per IP every few months. Out of 4 billion IP addresses, we got one complaint that I know of.
This work is not hostile or dangerous. It is clearly beneficial to the internet community. We've convinced CAs to tighten their loose certification standards, convinced them to meet the EV spec when we found they weren't, and provided hard evidence to fuel substantive debate on PKI policy. Nick and Jake are using the results to improve Tor. That's just to start.
I can't see that sort of activity as being deemed reckless - and it is highly unlikely to be spotted anyway.
It's also worth nothing that the various tricks to hide or evade IDSs that some scanners like Nmap can do, tend not to work over Tor since Tor normalizes TCP streams before exiting.
Port scanning can sometimes be the precursor to hostile activity, but it is not in itself hostile, and it is often either for a good cause or *indistinguishable from normal application activity*.
I disagree. In my view, port scanning in and of itself can be hostile if such activity is aggressive enough to cause difficulties - hence my concern.
I am attracted to cmeclax's idea of some form of torrc config option which could limit the potential for deliberate (or accidental but "reckless") scanning. Is there any mileage in pursuing something like that further? And if not, are there any other (current) recommended configurations which could mitigate possible problems?
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt ---------------------------------------------------------------------
On 03/01/2011 11:36 AM, mick wrote:
On Mon, 28 Feb 2011 22:09:56 -0800 Chris Palmer chris@eff.org allegedly wrote:
On Feb 27, 2011, at 8:59 AM, mick wrote:
in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990, as amended by the Police and Justice Act of 2006 makes such "reckless" activity an offence.
I'm not sure how it counts as "reckless" to connect to a TCP port and then disconnect.
Chris
I used the word "reckless" because that is the wording used in the UK CMA (as amended). See section 3 at:
http://www.legislation.gov.uk/ukpga/1990/18/section/3 which says:
"Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc."
I agree that a single full TCP connect does not constitute such "reckless" activity, but an aggressive, rapid, portscan, perhaps using (deliberately) badly formed TCP packets which took no account of the potential impact on the target, might.
Some network devices may not handle such traffic well. Indeed, the scan may cause a DOS.
IANAL, but it seems to me the drafters of the amendments to the UK legislation may have had such activity in mind when using the term "reckless". The term implies to me a "lack of care or due diligence". I suspect that "intent to impair" may sometimes be difficult to prove so lack of care was added.
And the lawyers involved were likely not technologically literate. I'm guessing none of them understand TCP/IP or BGP. There's a big disconnect here and part of it is likely cultural.
Connection to the public internet requires that random people on the internet be able to burn some CPU time on your machine. It takes a bit of energy to process a packet, even if to discard it unless the machine is otherwise protected. This is the nature of the internet - everyone with a public and routed IP address signs up for this when they join the network. If they don't like it, they should probably consider a solution that actually scales or works - legislation like this doesn't change the nature of the network.
The kind of research I'm talking about — us, Kaminsky, Bernstein, et al. — involves simply talking to every server once. For example, the SSL Observatory does a "scan" that is very similar to what happens when a user clicks a link and then immediately clicks the Stop button in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello + Certificate, goodbye. We do this once per IP every few months. Out of 4 billion IP addresses, we got one complaint that I know of.
This work is not hostile or dangerous. It is clearly beneficial to the internet community. We've convinced CAs to tighten their loose certification standards, convinced them to meet the EV spec when we found they weren't, and provided hard evidence to fuel substantive debate on PKI policy. Nick and Jake are using the results to improve Tor. That's just to start.
I can't see that sort of activity as being deemed reckless - and it is highly unlikely to be spotted anyway.
It depends entirely on how the scan is performed - sequential scans will be discovered by an IDS. Even if it's undiscovered, I wouldn't consider it reckless.
It's also worth nothing that the various tricks to hide or evade IDSs that some scanners like Nmap can do, tend not to work over Tor since Tor normalizes TCP streams before exiting.
Port scanning can sometimes be the precursor to hostile activity, but it is not in itself hostile, and it is often either for a good cause or *indistinguishable from normal application activity*.
I disagree. In my view, port scanning in and of itself can be hostile if such activity is aggressive enough to cause difficulties - hence my concern.
A port scan is not aggressive in and of itself. The frequency of packets might overwhelm a system and so the system, or an upstream system should probably drop those packets on the floor.
I am attracted to cmeclax's idea of some form of torrc config option which could limit the potential for deliberate (or accidental but "reckless") scanning. Is there any mileage in pursuing something like that further? And if not, are there any other (current) recommended configurations which could mitigate possible problems?
I don't think such a configuration option makes any sense at all. We have many streams on a given circuit for load balancing. A clever scanner would simply use one circuit per connect attempt and it would generate a lot of load on the network.
I'd suggest that if you're concerned about someone making connections from your computer, it's probably a bad idea to run an Exit node...
All the best, Jaco
Thus spake Jacob Appelbaum (jacob@appelbaum.net):
I am attracted to cmeclax's idea of some form of torrc config option which could limit the potential for deliberate (or accidental but "reckless") scanning. Is there any mileage in pursuing something like that further? And if not, are there any other (current) recommended configurations which could mitigate possible problems?
I don't think such a configuration option makes any sense at all. We have many streams on a given circuit for load balancing. A clever scanner would simply use one circuit per connect attempt and it would generate a lot of load on the network.
Right. In fact, if you think of this from the perspective of the self-interest of a scanner, I think it is quite likely that most scanners who use Tor already use the Tor Control Port to optimally pre-build as many custom, fast circuits as they can, and then use these either in as optimally parallel configuration as they can, or in as randomized a configuration as they can, depending upon the desire for stealth versus speed.
Sophisticated people who use Tor to scan the Internet will likely just laugh at this thread, having defeated these measures already by accident while seeking either speed or stealth independently of them. They will have no problem using their custom Tor Controllers to port scan through your node using multiple circuits in parallel, bypassing the minimal protections provided by this torrc option by accident.
I say this because I personally know academic researchers who ethically use Tor to scan the Internet for malware, botnets, and other things. They have written their own Tor Controllers to build custom-chosen circuits optimally for them. Academics typically are considerate about the load they place on the network. They do not do this specifically to cause your node to show up in (laughably absurd) UK court proceedings, or to scan at optimal speed. Black hat scanners will be much less considerate.
So it comes down to this question: Are we only really interested in stopping the script kiddies? And can we even stop the script kiddies without opening up vulnerabilities and DoS conditions against regular Tor users that can be exploited at will by malicious websites and even other Tor clients?
So far, I think the answer is "no", and we need to look for better solutions. If nation-states and megacorps can't manage to properly implement filtering to avoid these conditions, it seems unlikely that Tor will be able to either.
But maybe we just need more tech savvy UK politicians to show us how to protect ourselves. They seem to be doing a great job with technology over there so far..
On Tue, 01 Mar 2011 13:34:23 -0800 Jacob Appelbaum jacob@appelbaum.net allegedly wrote:
<snipped>
I am attracted to cmeclax's idea of some form of torrc config option which could limit the potential for deliberate (or accidental but "reckless") scanning. Is there any mileage in pursuing something like that further? And if not, are there any other (current) recommended configurations which could mitigate possible problems?
I don't think such a configuration option makes any sense at all. We have many streams on a given circuit for load balancing. A clever scanner would simply use one circuit per connect attempt and it would generate a lot of load on the network.
I'd suggest that if you're concerned about someone making connections from your computer, it's probably a bad idea to run an Exit node...
OK, so that idea may not be a runner - but surely the whole purpose of the exit policy system is to allow us to run exit nodes which /do/ limit activity to that which we deem acceptable (or legal).
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt ---------------------------------------------------------------------
Hi
On 03.03.2011 11:43, mick wrote:
OK, so that idea may not be a runner - but surely the whole purpose of the exit policy system is to allow us to run exit nodes which /do/ limit activity to that which we deem acceptable (or legal).
Exactly. The *exit policy* is there to limit exit activity. Not iptables or "IDS" afterwards.
On 3/3/11 12:13 PM, Moritz Bartl wrote:
Hi
On 03.03.2011 11:43, mick wrote:
OK, so that idea may not be a runner - but surely the whole purpose of the exit policy system is to allow us to run exit nodes which /do/ limit activity to that which we deem acceptable (or legal).
Exactly. The *exit policy* is there to limit exit activity. Not iptables or "IDS" afterwards.
I know and fully understand your point, it's a controversial issue the filtering or not at exit node level.
The TOR ExitPolicy provide a too reduced degree of flexibility to properly fine tune the risks/exit policy decision of a person just basing on IP/port and with a limitation on how many IP/port can be allowed/filtered.
Still i would like to point out a *practical* feeling that i got from a lot of person i tried to say "hey, run an exit node!".
Some person tried to run an exit node, then they got their internet connection disconnected due to high number of claim. Such person think that if they would be able to remove the claims that cause their internet connection being cutted off, they would be happy to run a server.
Some other person just does not run TOR exit node due to the perceived and concrete risks that their node will be used to start cyber-attacks and that they will have trouble because of this. That person would be happy to support Freedom of Speech and fight for anti-censorship in support to people living in non-free world. At the same time they don't want to get involved in cyber attacks.
Some other person, like me, live in country where the justice and judicial system is in a drammatic situation. In italy if you have legal problem you will take between 5 up to 10 years to solve the issue. In such condition I DO NOT WANT any traffic to go to italian networks, because a stupid and dumb prosecutor would probably raise my home at morning and i will have to manage 5-10 years of legal handling. Unfortunately there's no way to create an exit policy that's able to load the blocking destinated to a specific country (Tor just crash and there's an issue about it due to the high number of ExitPolicy statements).
I think that all those issues are absolutely reasonable and understandable and, if properly managed without a technology-taliban approach, would allow a lot of more person to run exit node.
So still my goal is to test, implement, document and create howto to:
- Block P2P to avoid P2P related claims - Block Portscan to avoid portscan related claims - Block web attacks to avoid web attacks related claims - Block traffic going to the country where i live to avoid stupid prosecutor causing me 5-10 years of legal trouble
Yes, i understand that this is outside the concept of *perfect freedom* related to TOR, but still it would be an answer to the many persons that would be happy to run an Exit Node to support freedom of speech limiting their risks, personal feeling and effort for maintance and running a TOR node.
If that's something not acceptable for the community i accept to be marked as a untrusted node, or rough node or whatever.
Still i think that this approach is reasonable and can create value for the TOR project grow.
-naif http://infosecurity.ch
Hi,
On 03.03.2011 12:29, Fabio Pietrosanti (naif) wrote:
Still i would like to point out a *practical* feeling that i got from a lot of person i tried to say "hey, run an exit node!".
I fully accept and understand your point. That's exactly why I started Torservers.net, so you can "run" a Tor exit without having to bother with complaints. That's the "low maintainance Tor exit" you are talking about. :)
Centralization IS bad. That's why the purpose of Torservers.net is to also want to encourage other people to follow our example, form organizations etc. We were able to find a pro-bono lawyer, our headquarters are based in his office etc, and bandwidth bought in bulk is much cheaper. Hopefully I can publish some more guides, but a few are already available in our wiki: https://www.torservers.net/wiki/
e.g. the complete server setup we use: https://www.torservers.net/wiki/setup/server
Some person tried to run an exit node, then they got their internet connection disconnected due to high number of claim.
Most people are better of by running a node with a very limited exit policy. I get NO complaints whasoever for the exit that only allows 22, 53 and 443, for example.
That person would be happy to support Freedom of Speech and fight for anti-censorship in support to people living in non-free world. At the same time they don't want to get involved in cyber attacks.
You can show your support for Freedom Of Speech in a lot of ways.
Money: Some people feel their purpose in life is to make a lot of dough. Most "full time activists" live off nearly nothing. They NEED you the same way you need them, and will be much better at fighting for the cause than you are. A LOT of people are willing to give up their lifes for some organizations, if only they had some money for their food.
Be Public: Spend a couple of bucks on printouts, flyers, whatever. Distribute them. Go out, hold workshops. Write an excellent blog. In general: SHOW your opinion. FIGHT propaganda. Our world is in such a bad shape because people stay quiet, not because too few people run exits.
etc etc.
In such condition I DO NOT WANT any traffic to go to italian networks,
Italy has worse problems than someone trying to run an exit. Work on those. Make people understand that looking at half-naked women on government TV isn't something that helps.
You can still form an organization that lobbies for Tor, organizes local Tor user groups, coding sessions etc. This is time much better spent than fighting for the right to run some [relatively] small exit.
Again, I understand your thoughts. For example, a list of public bittorrent trackers that lead to DMCA complaints would be excellent to have. Unfortunately, we don't have an ISP that allows us to test this. I would begin by using a public tracker list, block all, and gradually unblock trackers until you receive DMCA complaints again. I do not need to block P2P as a whole. I need to block those that are being monitored by the "entertainment" industry, and that can be done using Tor's ExitPolicy.
Moritz Bartl wrote: [...]
Some other person, like me, live in country where the justice and judicial system is in a drammatic situation. In italy if you have legal problem you will take between 5 up to 10 years to solve the issue. In such condition I DO NOT WANT any traffic to go to italian networks,
Italy has worse problems than someone trying to run an exit. Work on those. Make people understand that looking at half-naked women on government TV isn't something that helps.
but the point is: while we try to change the existing in Italy is there a manner to run an exit node where "in the exit-policy" (and not blocking packets after the exit that, i agree, is bad) is defined a sort of GeoIP "exit-rule"? The circuit build should consider the "countries-enabled tag" of an exit node as a further criteria (?!?).
After all, in another thread you suggested to "do not run exits in your own country", that could be "do not allow exit for IP addresses in your country".
-tazoi
Hi,
On 04.03.2011 14:52, tazoi wrote:
After all, in another thread you suggested to "do not run exits in your own country", that could be "do not allow exit for IP addresses in your country".
These are two different things completely.
GeoIP does not work. Do not allow all the services around it make you believe it really works as expected. For example, our Gbit/s exit is physically located in the Czech Republic, but uses IPs owned by FDC in the US. GeoIP thus shows USA as location.
On 3/3/11 12:50 PM, Moritz Bartl wrote:
Hi,
On 03.03.2011 12:29, Fabio Pietrosanti (naif) wrote:
Still i would like to point out a *practical* feeling that i got from a lot of person i tried to say "hey, run an exit node!".
I fully accept and understand your point. That's exactly why I started Torservers.net, so you can "run" a Tor exit without having to bother with complaints. That's the "low maintainance Tor exit" you are talking about. :)
You right, but a lot of nerds are willing to do 'something fun' by installing and running a TOR node and less committed to only providing financial support trough donation. The feeling of the gratification and satisfaction of doing something good (and fun) come also from your hands-on hacking by playing out with the technology. You see your graph of bandwidth that satisfy you, you do some basic maintenance task like upgrading tor and you got also gratification for the fact that you installed/manage and it works ;-) . Additionally you are taking "some risks" and you tell that you run your tor node to your friends, speaking about it, etc, etc (sounds like a psycoanalitical point of part of a nerd attitude in the participation to oss/freedom of speech/anonimity projects).
Centralization IS bad. That's why the purpose of Torservers.net is to also want to encourage other people to follow our example, form organizations etc. We were able to find a pro-bono lawyer, our headquarters are based in his office etc, and bandwidth bought in bulk is much cheaper. Hopefully I can publish some more guides, but a few are already available in our wiki: https://www.torservers.net/wiki/
And that's a really cool approach! I find that creating a model of organization with the goal to build up the knowledge and tool to allow an easier fork of similar community it's a very intelligent move! Here in italy german hackers are really perceived like "very cool in the organization". German production quality :-)
e.g. the complete server setup we use: https://www.torservers.net/wiki/setup/server
Some person tried to run an exit node, then they got their internet connection disconnected due to high number of claim.
Most people are better of by running a node with a very limited exit policy. I get NO complaints whasoever for the exit that only allows 22, 53 and 443, for example.
With ssh i got several portscan notice (at least once per week), but most of them are on port 80 sweeping networks for web attacks. I keep that ExitPolicy of https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment even if just now i temporary disabled ssh in the meantime trying to find a good way to detect outgoing portscan.
With standard iptables related tools i am not finding a reasonable (from system administration point of view) way to be able to detect OUTGOING portscan originating from your own host.
Almost most tools and techniques are for detecting INGOING portscan and filtering the source of the portscan. But here WE are the source of the portscan, we cannot just block outself!
That's an interesting technical issue to be analyzed and solved!
Be Public: Spend a couple of bucks on printouts, flyers, whatever. Distribute them. Go out, hold workshops. Write an excellent blog. In general: SHOW your opinion. FIGHT propaganda. Our world is in such a bad shape because people stay quiet, not because too few people run exits.
You right but also a lot of things may depend on your time availability or just your attitude. You may find difficult to organize public activities or even non-nerd activity requiring to go around, organize people, goods, doing the startup and management of a local community can be a difficult (or just annoying) task for a lot of people. Part the hacking environments maybe just be out of time availability (due to work for example) or just lazy.
etc etc.
In such condition I DO NOT WANT any traffic to go to italian networks,
Italy has worse problems than someone trying to run an exit. Work on those. Make people understand that looking at half-naked women on government TV isn't something that helps.
You can still form an organization that lobbies for Tor, organizes local Tor user groups, coding sessions etc. This is time much better spent than fighting for the right to run some [relatively] small exit.
Eh, damn, that's a cool things but you really need to be able to dedicate and if you don't have enough time (like me) you keep spending your remaining free time at home just at night (after work) or during the weekend. That's a pain!
In past i've done several groups organization but it still require a very important effort that if you can't afford it will not work (still have few time trying to start www.globaleaks.org.
So, i am finding some fun stuff to do related with tor in my not-that-much-free-time (damn!) that i think could be useful.
Again, I understand your thoughts. For example, a list of public bittorrent trackers that lead to DMCA complaints would be excellent to have. Unfortunately, we don't have an ISP that allows us to test this.
Mmmm to setup something like this it would be probably interesting.
However my point is to work around the fact that the current ExitPolicy method is relatively weak if you want to properly fine tune what a person, as tor exit-node, would allow to get out from the node.
-naif http://infosecurity.ch
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Am 03.03.2011 12:29, schrieb Fabio Pietrosanti (naif):
On 3/3/11 12:13 PM, Moritz Bartl wrote:
Hi
On 03.03.2011 11:43, mick wrote:
OK, so that idea may not be a runner - but surely the whole purpose of the exit policy system is to allow us to run exit nodes which /do/ limit activity to that which we deem acceptable (or legal).
Exactly. The *exit policy* is there to limit exit activity. Not iptables or "IDS" afterwards.
I know and fully understand your point, it's a controversial issue the filtering or not at exit node level.
The TOR ExitPolicy provide a too reduced degree of flexibility to properly fine tune the risks/exit policy decision of a person just basing on IP/port and with a limitation on how many IP/port can be allowed/filtered.
Still i would like to point out a *practical* feeling that i got from a lot of person i tried to say "hey, run an exit node!".
Some person tried to run an exit node, then they got their internet connection disconnected due to high number of claim. Such person think that if they would be able to remove the claims that cause their internet connection being cutted off, they would be happy to run a server.
Some other person just does not run TOR exit node due to the perceived and concrete risks that their node will be used to start cyber-attacks and that they will have trouble because of this. That person would be happy to support Freedom of Speech and fight for anti-censorship in support to people living in non-free world. At the same time they don't want to get involved in cyber attacks.
Some other person, like me, live in country where the justice and judicial system is in a drammatic situation. In italy if you have legal problem you will take between 5 up to 10 years to solve the issue. In such condition I DO NOT WANT any traffic to go to italian networks, because a stupid and dumb prosecutor would probably raise my home at morning and i will have to manage 5-10 years of legal handling. Unfortunately there's no way to create an exit policy that's able to load the blocking destinated to a specific country (Tor just crash and there's an issue about it due to the high number of ExitPolicy statements).
I think that all those issues are absolutely reasonable and understandable and, if properly managed without a technology-taliban approach, would allow a lot of more person to run exit node.
So still my goal is to test, implement, document and create howto to:
- Block P2P to avoid P2P related claims
- Block Portscan to avoid portscan related claims
- Block web attacks to avoid web attacks related claims
- Block traffic going to the country where i live to avoid stupid
prosecutor causing me 5-10 years of legal trouble
Yes, i understand that this is outside the concept of *perfect freedom* related to TOR, but still it would be an answer to the many persons that would be happy to run an Exit Node to support freedom of speech limiting their risks, personal feeling and effort for maintance and running a TOR node.
If that's something not acceptable for the community i accept to be marked as a untrusted node, or rough node or whatever.
Being marked as a bad exit means that clients won't choose you for exit connections. So why not save the trouble and run a non-exit-node instead?
According to http://infosecurity.ch/20110124/my-tor-exit-node-experience-trying-to-filter...
the node concerned is https://torstatus.blutmagie.de/router_detail.php?FP=a65b8fdc571220dbf80fd409...
Still i think that this approach is reasonable and can create value for the TOR project grow.
-naif http://infosecurity.ch _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Thus spake Fabio Pietrosanti (naif) (lists@infosecurity.ch):
So still my goal is to test, implement, document and create howto to:
- Block P2P to avoid P2P related claims
Did you try doing this without doing iptables DPI? The Reduced Exit Policy should work fine for this by itself.
DPI killing P2P connections is the least of my worries with your approach, though.. I feel like your node is a minefield of accidental censorship just waiting to explode on innocent users..
- Block Portscan to avoid portscan related claims
I would be really surprised if this does not end up causing massive collateral damage to just about everything running through your exit node. Please keep a close eye on how often this goes off on killing sprees. I'm going to guess most of the time it will just end up censoring popular sites and dense colo facilities that happen to attract heavy amounts of legit Tor traffic.
- Block web attacks to avoid web attacks related claims
I think that Mortiz is right, you're unlikely to stop most of the annoying web shit you get with snort. By complaint volume, it's mostly comment spam. I suppose there are worm probes and such it might catch, but snort seems unlikely to stop very dumb attacks, nor very sophisticated ones.
It does seem likely to censor random docs about computer security, as well as computer security mailinglists. I suppose it depends on which rules you enable, though.
- Block traffic going to the country where i live to avoid stupid
prosecutor causing me 5-10 years of legal trouble
Tor actually does have some slightly more sophisticated machinery already in place to communicate this sort of filtering to clients.. Tor nodes can send "EXITPOLICY" reason codes when they close streams that got created to them despite being forbidden by their exit policy. Clients would then automatically retry on a different circuit.
This would work for your country blocking. It would make Italian sites slower for Tor users who chose your node, but at least it wouldn't effectively censor them.
However, it is not possible to do this EXITPOLICY rejection code once data has already begun flowing on the tcp stream, because at that point it is up to the application to retry, not Tor. In otherwords, this technique won't work for DPI.
Yes, i understand that this is outside the concept of *perfect freedom* related to TOR, but still it would be an answer to the many persons that would be happy to run an Exit Node to support freedom of speech limiting their risks, personal feeling and effort for maintance and running a TOR node.
I think you're right, and we should suport this idea where we can. However, we *must* find ways to do this that are 100% transparent to users. If a user experiences censorship because of this, we're doing it wrong, and such a node should be BadExited.
I think your approaches here are going to lead to situations where users who try to view legitimate content are going to become randomly censored through your node and not understand why. I don't think this is acceptable.
It might be *barely* acceptable if it didn't happen very often, and when it did, you somehow redirected users to a web page that gave them instructions on how to use the "New Identity" button to avoid your exit.. I doubt this is possible in all cases, and I'm still not sure it's a valid solution.
P.S. Is your contact email correct for the node? Otherwise, as soon as the Tor Exit Scanner notices anything fishy from your node, you will be BadExited without notice.
On 3/5/11 9:21 AM, Mike Perry wrote:
Thus spake Fabio Pietrosanti (naif) (lists@infosecurity.ch):
So still my goal is to test, implement, document and create howto to:
- Block P2P to avoid P2P related claims
Did you try doing this without doing iptables DPI? The Reduced Exit Policy should work fine for this by itself.
DPI killing P2P connections is the least of my worries with your approach, though.. I feel like your node is a minefield of accidental censorship just waiting to explode on innocent users..
You are right that there's a risk of blocking traffic of innocent users. Now it's just some early testing trying to refine the idea, i fully agree that the approach must be as finely tuned and as precise as possible in order just to drop the annoying things while leaving 'everything allowed'.
For example to be able to apply a transparent proxy to try to detect bruteforce/web attacks in a effective it's required to patch TOR to be able to bind the TOR Exit IP to a Virtual IP address. Now there's no way to verify what's HTTP traffic on port 80 and what's not, so if you put a transparent proxy in the middle you would break part of the TOR node traffic.
Unfortunately i'm not that skilled at c coding, if someone would like to do such a patch it would be cool.
Being able to bind to a dedicated IP address for TOR-Exit traffic would allow also a TOR-maintainer to tunnel his Exit Traffic trough a VPN, or even to route different kind of traffic trough different systems with proper IP policy routing.
- Block Portscan to avoid portscan related claims
I would be really surprised if this does not end up causing massive collateral damage to just about everything running through your exit node. Please keep a close eye on how often this goes off on killing sprees. I'm going to guess most of the time it will just end up censoring popular sites and dense colo facilities that happen to attract heavy amounts of legit Tor traffic.
Sure, now i tried it for 1 week with very bad results:
From 500k up to 1000k connection blocked per day.
Unfortunately this method is absolutely not good, i disabled it.
The issue of detecting and blocking outgoing portscan remain open and till now i am not able to block it with iptables.
Question to the list: How to implement some hackish techniques to block outgoing portscan from the exit node? I tried everything with iptables but without success!
- Block web attacks to avoid web attacks related claims
I think that Mortiz is right, you're unlikely to stop most of the annoying web shit you get with snort. By complaint volume, it's mostly comment spam. I suppose there are worm probes and such it might catch, but snort seems unlikely to stop very dumb attacks, nor very sophisticated ones.
It does seem likely to censor random docs about computer security, as well as computer security mailinglists. I suppose it depends on which rules you enable, though.
Maybe snort will not be the right tool, but eventually some other approach like using modproxy+modsecurity with a transparent proxy for web attacks and properly finely tuned rules.
Detecting brute force, known attack pattern related to SQL injection should be easier.
Detecting comment spam sounds a little bit more complex, but it would be also very useful for tor-exit node maintainer. Any idea on which tricks to try to implement comment spamming filters?
- Block traffic going to the country where i live to avoid stupid
prosecutor causing me 5-10 years of legal trouble
Tor actually does have some slightly more sophisticated machinery already in place to communicate this sort of filtering to clients.. Tor nodes can send "EXITPOLICY" reason codes when they close streams that got created to them despite being forbidden by their exit policy. Clients would then automatically retry on a different circuit.
This would work for your country blocking. It would make Italian sites slower for Tor users who chose your node, but at least it wouldn't effectively censor them.
However, it is not possible to do this EXITPOLICY rejection code once data has already begun flowing on the tcp stream, because at that point it is up to the application to retry, not Tor. In otherwords, this technique won't work for DPI.
I know that the DPI approach it's not clean, but still it's not possible with current TOR to do country black/whitelisting.
To properly implement this we would really need to be able to: a) OR load-up ExitPolicy with 3-5k lines b) OR implement some geo-ip logic in the cached-descriptors
It will not be in both case a perfect implementation (i have an italian registered netblock configured on a swiss provider in switzerland) but still provide a good level of protection for who can stay in such kind of conditions.
Yes, i understand that this is outside the concept of *perfect freedom* related to TOR, but still it would be an answer to the many persons that would be happy to run an Exit Node to support freedom of speech limiting their risks, personal feeling and effort for maintance and running a TOR node.
I think you're right, and we should suport this idea where we can. However, we *must* find ways to do this that are 100% transparent to users. If a user experiences censorship because of this, we're doing it wrong, and such a node should be BadExited.
I think your approaches here are going to lead to situations where users who try to view legitimate content are going to become randomly censored through your node and not understand why. I don't think this is acceptable.
Fully agree. The methods being implemented now are very rough and the most important improvement would come when i'll be able to cleanly transparent proxy the TOR web traffic.
For example on the basis of your idea maybe it would be also possible to inject some javascript that connect to ControlPort and issue a NewNym to automatically allow the Client to go trough another node while telling to the client what's happening, or instead of blocking just re-tunnelling the request inside TOR (doubling the latency of such specific circuit/request) ?
Again there's no simple idea, i will try to rationalize all such discussion on a Wiki one of those days.
It would be fine to try to collect all the consideration (good and bad) related to filtering at TOR exit node.
It might be *barely* acceptable if it didn't happen very often, and when it did, you somehow redirected users to a web page that gave them instructions on how to use the "New Identity" button to avoid your exit.. I doubt this is possible in all cases, and I'm still not sure it's a valid solution.
P.S. Is your contact email correct for the node? Otherwise, as soon as the Tor Exit Scanner notices anything fishy from your node, you will be BadExited without notice.
Sure, everything properly setup, just now i have the node hibernated that should resurrect today (i have a 1TB/month bandwidth with weekly quota configured).
Which are the kind of control applied by Tor Exit Scanner? I mean, my node is not doing SSL MITM or stuff like that, the traffic "blocked" is very reduced compared to the amount of traffic that get trough.
-naif http://infosecurity.ch
Connection to the public internet requires that random people on the internet be able to burn some CPU time on your machine. This is the nature of the internet - everyone with a public and routed IP address signs up for this when they join the network.
Though surely speaking to the choir on here, it is precisely this end to end connectivity that should be fought ever so strongly for. Equally as strongly and if nor more than anonymity. Because without that, anonymity would never reach it's destination. Well said, OP.
Hi!
On Tue, Mar 1, 2011 at 7:09 AM, Chris Palmer chris@eff.org wrote:
For example, the SSL Observatory does a "scan" that is very similar to what happens when a user clicks a link and then immediately clicks the Stop button in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello + Certificate, goodbye. We do this once per IP every few months. Out of 4 billion IP addresses, we got one complaint that I know of.
Interesting. We were doing the very same thing (opening only 80 and 443 ports to check for certificates) just few weeks ago over whole IP space and got a few complaints: from ATT, usu.edu and usi.com.
Maybe the difference was in speed of scanning? We randomized order of scanning but still some networks detected us as scanning their whole ranges.
And what is even more interesting is that our ISP was much more eager for us to reply to those complaints than to complaints for us running a Tor exit node some time ago. At that time they didn't even require from us to respond. They just forwarded us e-mails in a FYI manner. Maybe they changed some policies in meantime.
Mitar
On Mar 2, 2011, at 5:04 AM, Mitar wrote:
And what is even more interesting is that our ISP was much more eager for us to reply to those complaints than to complaints for us running a Tor exit node some time ago. At that time they didn't even require from us to respond. They just forwarded us e-mails in a FYI manner. Maybe they changed some policies in meantime.
Beats me. I hypothesize that some people think scanning is the same as fuzzing or DoSing or sending actual attack packets or something, because they don't know the difference.
On Wed, 2 Mar 2011 10:39:44 -0800 Chris Palmer chris@eff.org wrote:
On Mar 2, 2011, at 5:04 AM, Mitar wrote:
And what is even more interesting is that our ISP was much more eager for us to reply to those complaints than to complaints for us running a Tor exit node some time ago. At that time they didn't even require from us to respond. They just forwarded us e-mails in a FYI manner. Maybe they changed some policies in meantime.
Beats me. I hypothesize that some people think scanning is the same as fuzzing or DoSing or sending actual attack packets or something, because they don't know the difference.
That's probably because 'intrusion detection' tools report network scans as attacks. Unfortunately, an IDS's author has an incentive to continue misrepresenting scans as attacks because if he/she/it does not, his/her/its competitors will advertize the fact that their software detects more types of 'attacks'.
Robert Ransom
On 3/2/11 2:04 PM, Mitar wrote:
Interesting. We were doing the very same thing (opening only 80 and 443 ports to check for certificates) just few weeks ago over whole IP space and got a few complaints: from ATT, usu.edu and usi.com.
Maybe the difference was in speed of scanning? We randomized order of scanning but still some networks detected us as scanning their whole ranges.
Hi,
i am trying to create a low-responsibility TOR exit node that would allow the node to run without too much issue for the maintainer (few claim from operators).
I wrote something about it here: http://infosecurity.ch/20110124/my-tor-exit-node-experience-trying-to-filter...
I am now struggling to be able to filter outgoing portscan but i am not finding an effective way to do it without affecting good traffic.
P2P is out (OpenIPS), traffic to my originating country is out (iptables), i am testing removal of web attacks (trough snort inline) but i am not able to remove outgoing portscan that are now generating at least 1-2 claim per week.
My attempt now has been done with: ######### ANTI PORSCAN ##################### # Allow up to 3 pkts / seconds for a class C / 24 network: Block hard portscan # iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -m hashlimit --hashlimit-upto 3/s --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name everything_else_fast_scan -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -m hashlimit --hashlimit-upto 5/s --hashlimit-mode dstip --hashlimit-dstmask 16 --hashlimit-name everything_else_fast_scan_very_randomized -j ACCEPT
# Allow many connection (50/s) to the same IP (ex: facebook or google main site) # iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -m hashlimit --hashlimit-upto 50/s --hashlimit-mode dstip --hashlimit-dstmask 32 --hashlimit-name everything-unique-ip -j ACCEPT
# Allow up to 5 pkts / minute for a class C / 24 network: Block slow and steady portscan iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -m hashlimit --hashlimit-upto 5/min --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name everything_else_slow_scan -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -j LOG --log-prefix "Limit reached: " iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -j REJECT --reject-with tcp-reset
Does anyone have already tried and has been successful in blocking outgoing portscan?
I know that my approach could be considered not-good by someone, but still i am carrying on an experiment to create a: - long-lived tor exit node - low-maintenance tor exit node - a tor exit node that cannot be used for P2P, Web attacks and Portscan - a tor exit node that generate very few claims (that means more resiliency against carrier/hosting disconnecting hte server)
Cheers -naif http://infosecurity.ch
Hi,
On 03.03.2011 07:32, Fabio Pietrosanti (naif) wrote:
i am trying to create a low-responsibility TOR exit node that would allow the node to run without too much issue for the maintainer (few claim from operators).
Sounds interesting.
P2P is out (OpenIPS), traffic to my originating country is out (iptables), i am testing removal of web attacks (trough snort inline) but i am not able to remove outgoing portscan that are now generating at least 1-2 claim per week.
You know that your exit will be chosen based on your ExitPolicy, and not anything you do with iptables? I encourage you to play with different exit policies, but ANYTHING you do after already receiving the packets will hurt the network and should be badexited.
- long-lived tor exit node
What properties does a "long-lived tor exit node" have, other than being up for a long time?
- low-maintenance tor exit node
Run stable Tor. Use a limited Exit Policy. Hire an admin. Donate to Torservers.
- a tor exit node that cannot be used for P2P, Web attacks and Portscan
Tor exit nodes (and the Tor network as a whole) should be seen as an ISP. I would not want my ISP to filter or block anything, especially when I have NO CHANCE but to manually build a new circuit and retry. Like Mike Perry said, it will only make those laugh that run portscans or "web attacks" over Tor.
How do you plan on filtering "web attacks"?
Let me give you an example: We run the "limited exit policy" on a number of exits [1]. Most of the complaints we are getting for our exits are stupid web spams (forum posts etc) and mail spam sent through webmailers. How are you going to stop them?
Suggestion:
ExitPolicy reject *:80
- a tor exit node that generate very few claims (that means more
resiliency against carrier/hosting disconnecting hte server)
See above.
:-(
[1] https://www.torservers.net/services.html#servers
El 2011-02-25 17.32, Bianco Veigel escribió:
Today I got the second abuse mail within two weeks from my hosting provider. They forced me to take down the exit node, otherwise they will shutdown my server.
How could I detect such a scan and take counter measures to prevent a network scan through tor? I've thougt about Snort, but I've never used it before. The exit node is running in a Xen-vm, behind a pfSense firewall.
I've attached the report from the abuse mail. Does anyone have an idea, what steps should/could be taken?
Only one: re-read your provider contract. It's a contractual issue, no more. If they permit such activities, remain them about; if not, your batlle is lost.
tor-relays@lists.torproject.org