It is heresy to suggest that Exit relays do anything of a sort, that is attempt to reject obvious attackers on an IP? Tor is neutral. Once TOR exits attempt any filtering where would it stop? It is a slippery slope. I think not, as to extend to other areas would be far too complex and have diminishing returns. DMCA complaints for example were a waste of time, and not all countries have copyright laws.
I know that everyone on the internet should secure their servers, and take their own measures to block attacks, but too often those corporate measures include an automated abuse complaint being sent out. No explaining to ISP on what it means helps, as many of their staff are just too dumb and have to play safe.
It is more than embarrassing to run an exit node and get abuse complaints about persistent and repeated attacks on an IP. The intent is clearly criminal. VPS providers in the UK are increasingly intolerant in receiving such complaints. The whole VPS can be closed down by the ISP/VPS provider not forcing a closure of the TOR exit. Fewer ISPs will allow you to install an exit node at all.
I am only wondering about blocking the obvious attacks or mass attacks to block. Is anyone developing such tools? Is it even possible? Those of us who would wish to enact such software, if it could be made, would have a flag on Tor Atlas stating that there is such a filter in place.
Gerry
A while ago I had a lengthy discussion with my ISP about this. They wanted me to run Snort on my exit to shut off various types of traffic coming from it. In the end I agreed only to allow encrypted protocols to exit, which placated them (and a subsequent bandwidth limitation booted me out of the exit pool in any case).
But along the way I asked some others about the legal implications of doing what the ISP had asked. The rough consensus was that in the UK at least, I would only be able to eavesdrop on traffic once consent had been given by those being monitored. Otherwise I'd be illegally wiretapping and open to prosecution. But it was far from clear what would happen if somebody took me to court!
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 12 Jun 2016 5:49 p.m., "Jonathan Baker-Bates" jonathan@bakerbates.com wrote:
But along the way I asked some others about the legal implications of doing what the ISP had asked. The rough consensus was that in the UK at least, I would only be able to eavesdrop on traffic once consent had been given by those being monitored. Otherwise I'd be illegally wiretapping and open to prosecution. But it was far from clear what would happen if somebody took me to court!
Indeed the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Bill contain offences relating to surveillance of traffic without a warrant / permission etc. (Caveats etc apply)
On 12 June 2016 at 16:12, Dr Gerard Bulger gerard@bulger.co.uk wrote:
Once TOR exits attempt any filtering where would it stop? It is a slippery slope.
FWIW one of the reasons we have the "pirate" blocks (in the UK) is that the High Court Judge (Hon. Justice Arnold) in the case was informed that the ISPs in question had the ability to block sites (e.g. Cleanfeed) therefore it was possible for them to block more.
Had this ISP level censorship technology not existed then we wouldn't be in *quite* the situation we are now.
It is more than embarrassing to run an exit node and get abuse complaints about persistent and repeated attacks on an IP. The intent is clearly criminal. VPS providers in the UK are increasingly intolerant in receiving such complaints. The whole VPS can be closed down by the ISP/VPS provider not forcing a closure of the TOR exit. Fewer ISPs will allow you to install an exit node at all.
This is one of the reasons why I started a UK ISP (AS28715) - I now run UK exits and don't have issues with them getting shut down because the ISP got cold feet / got bored of abuse emails / complaints from other customers (entire /24 blocked by anti-tor blacklists) etc etc.
Good ISPs don't deploy web filtering, transparent proxies or IDS' that interfere with traffic. IMHO well behaved Tor Exits shouldn't either.
Not sure eavesdrop is the right word, since ISPs throttle all sorts of traffic by inspecting it such as torrent, let alone TOR. I suppose we could argue that in signing up for an internet connection, deep in the ISP’s small print, we consent to that behaviour. Is it really true that consent has to be sought by every router on the way?
Inspecting packets for obvious things like denial of service attacks and brute force logins would seem very legitimate to me and I doubt that the law would be such an ass, since we cannot gain consent.
I know there is a fine line but looking at how packets are behaving and looking for repetitive logins is not the same as watching the content and censoring that. Then an exit node could only inspect what EXITS onto the internet.
Gerry
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Gareth Llewellyn Sent: 12 June 2016 18:38 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] Filter Tor Exit Node for blatant attacks on servers
On 12 Jun 2016 5:49 p.m., "Jonathan Baker-Bates" <jonathan@bakerbates.com> wrote:
But along the way I asked some others about the legal implications of doing what the ISP had asked. The rough consensus was that in the UK at least, I would only be able to eavesdrop on traffic once consent had been given by those being monitored. Otherwise I'd be illegally wiretapping and open to prosecution. But it was far from clear what would happen if somebody took me to court!
Indeed the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Bill contain offences relating to surveillance of traffic without a warrant / permission etc. (Caveats etc apply)
On 12 June 2016 at 16:12, Dr Gerard Bulger <gerard@bulger.co.uk> wrote:
Once TOR exits attempt any filtering where would it stop? It is a slippery slope.
FWIW one of the reasons we have the "pirate" blocks (in the UK) is that the High Court Judge (Hon. Justice Arnold) in the case was informed that the ISPs in question had the ability to block sites (e.g. Cleanfeed) therefore it was possible for them to block more.
Had this ISP level censorship technology not existed then we wouldn't be in *quite* the situation we are now.
It is more than embarrassing to run an exit node and get abuse complaints about persistent and repeated attacks on an IP. The intent is clearly criminal. VPS providers in the UK are increasingly intolerant in receiving such complaints. The whole VPS can be closed down by the ISP/VPS provider not forcing a closure of the TOR exit. Fewer ISPs will allow you to install an exit node at all.
This is one of the reasons why I started a UK ISP (AS28715) - I now run UK exits and don't have issues with them getting shut down because the ISP got cold feet / got bored of abuse emails / complaints from other customers (entire /24 blocked by anti-tor blacklists) etc etc.
Good ISPs don't deploy web filtering, transparent proxies or IDS' that interfere with traffic. IMHO well behaved Tor Exits shouldn't either.
In the past when I've tried thinking about this it has been too fraught with moral hazard for me. Morally, Tor is about keeping private communications private, in the hope that more good than bad will come of it.
There is a moral problem to know that the service you are running as an exit, for the sake of the mythical T-shirt, internet freedom and lack of censorship, is being abused to such an extent. I increased my exit speed from 2.5mbs to 5mbs and rose up the exit rankings such that abuse emails went from one every two months to 2-3 a day. Some serious, many were automated crap where I wanted to tell the wimps to get a grip and welcome to the internet.
When tapped on the shoulder by the ISP which is pointing out obvious abuse and attacks coming from my exit IP, it’s not enough to shrug my shoulders and claim overall good of TOR. All I can do is block the offended IP address after the event (without consent). I can do that in TORRC. If I can do that why is it reprehensible in TOR lore to attempt something more subtle and pre-emptive?
Of course much internet traffic is repugnant, but Tor attracts a higher proportion. Tor is being strangled by the abuse. It is the login and other attacks on servers that could be blocked or hindered. Tor is getting a bad press and law makers respond impetuously to make bad laws making matters worse.
Gerry
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Jonathan Baker-Bates Sent: 12 June 2016 21:01 To: tor-relays tor-relays@lists.torproject.org Subject: Re: [tor-relays] Filter Tor Exit Node for blatant attacks on servers
In the past when I've tried thinking about this it has been too fraught with moral hazard for me. Morally, Tor is about keeping private communications private, in the hope that more good than bad will come of it.
On 06/13/2016 12:53 AM, Dr Gerard Bulger wrote:
TORRC. If I can do that why is it reprehensible in TOR lore to attempt something more subtle and pre-emptive?
Because you're introducing defects into the network. A client has no way of knowing what happens, and there is no way of identifying "malicious traffic" reliably. What does malicious even mean? Plus the legal implications, the "you're the network layer passing data because that's the definition of the Internet" argument, etc etc.
Of course much internet traffic is repugnant, but Tor attracts a higher proportion.
How do you know that? You don't. When I talk to "regular" ISPs and access providers, they also see a lot of abuse. It used to be the case until recently that a lot of access providers in Germany did not store which of their users was using a particular IP, so they also couldn't do much about it. Same with all the VPN providers.
Tor is being strangled by the abuse.
You say that. I say it's not. If your ISP does not like that you cannot do more than block destinations or ports, then find another.
other attacks on servers that could be blocked or hindered. Tor is getting a bad press and law makers respond impetuously to make bad laws making matters worse.
Tor is getting bad press because it does not have a magic filter that filters bad traffic. Okay. It does not get bad press because it is not using any existing filters that you seem to be proposing.
More specifically, which events and types of traffic would you plan to filter, and how? Have you looked at the capabilities of these types of systems?
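What blocking a destination or restricting exit ports in torrc, as mentioned in the messages above, amounts to in practice: an added example (not code from any poster or from the Tor Project) that evaluates ExitPolicy lines the way Tor documents them, first to last with the first match deciding. The address 192.0.2.10, the port list and the function names are constructed for illustration, and only the IPv4 accept/reject ADDR:PORT form is handled.

```python
import ipaddress

# Constructed torrc fragments. 192.0.2.10 (TEST-NET-1) stands in for a
# destination named in an abuse complaint; the port list is illustrative.
TORRC_GOOD = """
# destination blocked after a complaint
ExitPolicy reject 192.0.2.10:*
# encrypted services only: HTTPS, IMAPS, POP3S
ExitPolicy accept *:443,accept *:993,accept *:995
ExitPolicy reject *:*
"""

# Same rules, but the per-destination reject sits below the port accepts.
TORRC_MISORDERED = """
ExitPolicy accept *:443,accept *:993,accept *:995
ExitPolicy reject 192.0.2.10:*
ExitPolicy reject *:*
"""


def parse_exit_policy(torrc_text):
    """Return ExitPolicy rules in file order as (allow, network, low, high).

    Handles only the IPv4 'accept|reject ADDR[/MASK]:PORT' form;
    network is None when the address is '*'.
    """
    rules = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "exitpolicy":
            continue
        for item in parts[1].split(","):
            action, pattern = item.split()
            if action not in ("accept", "reject"):
                raise ValueError(f"unsupported action: {action}")
            addr, _, port = pattern.rpartition(":")
            network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if port == "*":
                low, high = 1, 65535
            else:
                first, _, last = port.partition("-")
                low, high = int(first), int(last or first)
            rules.append((action == "accept", network, low, high))
    return rules


def exit_allowed(rules, dest_ip, dest_port):
    """Apply the rules first to last; the first match decides.

    A connection that matches no rule is rejected here (a choice made for
    this example; both sample policies end in an explicit reject *:*).
    """
    ip = ipaddress.ip_address(dest_ip)
    for allow, network, low, high in rules:
        if (network is None or ip in network) and low <= dest_port <= high:
            return allow
    return False


if __name__ == "__main__":
    for name, text in (("good", TORRC_GOOD), ("misordered", TORRC_MISORDERED)):
        rules = parse_exit_policy(text)
        for ip, port in (("192.0.2.10", 443), ("198.51.100.7", 443), ("198.51.100.7", 80)):
            verdict = "accept" if exit_allowed(rules, ip, port) else "reject"
            print(f"{name:10} {ip}:{port} -> {verdict}")
```

In the misordered fragment the complained-about address stays reachable on port 443, because accept *:443 matches before the per-destination reject is ever consulted.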
Some thoughts about "bad press," when was the last time you saw an article about how awesome Siri is? Or read a review on how good a restaurant is? Or anything good about anything on the Internet?
People like to complain, and use the Internet to do it. Just look at Twitter. "Bad press" happens because nobody wants to hear boring news about people needing Tor because of oppressing government or what have you.
Let's be honest. Gossip is much more fun when you find some dirt. It just so happens that Tor's services are a good place to attract such dirt.
It takes a single drop of dye to color a glass of water.
Abuse will always be there, and isn't bound by Tor exits only. There is lots of this "malicious" traffic on the internet. Mainly new/small ISPs will react heavily to abuse complaints because they don't wanna end up on certain lists (IP ranges, bad name, w/e you want to call it). Big ISPs usually are way softer on abuse and they forward it most likely to the person and you have to respond within a certain amount of time. And then there are these certain systems that go off if you scan their IP ranges or ports (or something else) and they automatically send abuse complaints to your ISP. Good ISPs should never interfere with traffic; they should just route and switch.
- -- PGP : 29A4CE52
On 06/12/2016 09:39 PM, Dr Gerard Bulger wrote:
Not sure eavesdrop is the right word, since ISPs throttle all sorts of traffic by inspecting it such as torrent, let alone TOR.
Even that is highly controversial, and several countries have tried to develop "net neutrality" laws to stop it.
And obviously throttling, or prioritization of certain types of data, is different.
The other difference is that you can detect torrent traffic by looking at some level of "meta data", whereas most attacks require you to look at "content", too.
could argue that in signing up for an internet connection, deep in the ISP’s small print, we consent to that behaviour. Is it really true that consent has to be sought by every router on the way?
The customer has a contract relationship with its access provider. And access providers have contracts with other transit/peering providers.
Also, most "attack prevention" mechanisms that I know of require more than just "you run it and it will magically filter bad traffic". Also, what if I want to portscan my own network over Tor? There's a lot of legitimate research and analysis I can think of that will trigger simple filter mechanisms.
Yes, it makes finding ISPs for exits harder, but certainly not impossible. If everyone on this list who has thought about content filtering and blocking would instead spend some time researching ISPs and adding options to the GoodBadISPs wiki, there would be enough to pick from. It does not take too long to find 50 support email addresses of hosters, and mass mail them to ask whether they offer WHOIS reassignment.