[tor-relays] Network Scan through Tor Exit Node (Port 80)

Mike Perry mikeperry at fscked.org
Fri Feb 25 23:02:39 UTC 2011


Thus spake Bianco Veigel (devel at zivillian.de):

> Today I got the second abuse mail within two weeks from my hosting
> provider. They forced me to take down the exit node, otherwise they will
> shut down my server.
> 
> How could I detect such a scan and take countermeasures to prevent a
> network scan through tor? I've thought about Snort, but I've never used
> it before. The exit node is running in a Xen-vm, behind a pfSense firewall.

Unfortunately, you've hit a rather pedantic ISP (most VPS providers
are), and you're probably best off just not running an exit from
there.
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/GoodBadISPs

Snort might be able to detect this attack and even block access to this
IP range on the fly, but putting any kind of filtering systems on exit
nodes is not something we really want to get into, for a few reasons.
The main one being that it never really works exactly as expected.

The Tor Exit Scanner already detects plenty of antivirus filters that
end up censoring URLs on the web because they happen to contain
content that matches the AV JavaScript malware signatures in
legitimate computer security documents. We've marked several of these
AV filtering nodes as BadExit already.

I'm guessing most/all IDS+IPSs will have similar issues with random
censorship, too.

I think the best recommendation is to run as non-exit, or find a new
ISP.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs