[tor-relays] Network Scan through Tor Exit Node (Port 80)

cmeclax-sazri cmeclax-sazri at ixazon.dynip.com
Fri Feb 25 23:28:24 UTC 2011


On Friday 25 February 2011 11:45:04 Bianco Veigel wrote:
> Today I got the second abuse mail within two weeks from my hosting
> provider. They forced me to take down the exit node, otherwise they will
> shut down my server.
>
> How could I detect such a scan and take countermeasures to prevent a
> network scan through Tor? I've thought about Snort, but I've never used
> it before. The exit node is running in a Xen-vm, behind a pfSense firewall.
>
> I've attached the report from the abuse mail. Does anyone have an idea,
> what steps should/could be taken?

It may be possible to detect a scan by looking for RST packets coming back
from computers that have the port closed. I saw something about that on
snort.org. I wouldn't trust Snort to do the right thing in the case of
someone portscanning through Tor. I suggest closing the circuit, and only Tor
knows what the circuit is, so if an exit node notices that several connection
attempts in a row on the same circuit fail, it could close the circuit
because it looks like a portscan.

cmeclax
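
The per-circuit heuristic suggested in the reply above, sketched as an added example that is not part of the original message and is not Tor code. The event tuples, thresholds and the distinct-target refinement (so that retries against one dead server do not count as a scan) are assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical thresholds, chosen for illustration only.
MAX_CONSECUTIVE_FAILURES = 5   # failed attempts in a row before flagging
MIN_DISTINCT_TARGETS = 4       # distinct host:port targets among those failures


def flag_scanning_circuits(events, max_failures=MAX_CONSECUTIVE_FAILURES,
                           min_targets=MIN_DISTINCT_TARGETS):
    """Return circuit ids, in order of detection, that look like a portscan.

    events: iterable of (circuit_id, dest_host, dest_port, outcome), where
    outcome is "connected", "refused" (an RST came back) or "timeout".
    This record format is hypothetical, not something Tor emits.
    """
    streak = defaultdict(list)   # circuit_id -> targets in the current failure run
    flagged = []
    for circ, host, port, outcome in events:
        if circ in flagged:
            continue  # the circuit would already have been closed
        if outcome == "connected":
            streak[circ].clear()  # a success breaks the run of failures
            continue
        streak[circ].append((host, port))
        run = streak[circ]
        # Many failures in a row AND spread over several targets: scan-like.
        if len(run) >= max_failures and len(set(run)) >= min_targets:
            flagged.append(circ)
    return flagged


# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE_EVENTS = (
    [(101, f"192.0.2.{i}", 80, "refused") for i in range(1, 7)]   # sweep of port 80
    + [(202, "198.51.100.7", 80, "timeout")] * 6                  # one dead server, retried
    + [(303, "203.0.113.5", 80, "refused"), (303, "203.0.113.6", 80, "connected"),
       (303, "203.0.113.7", 80, "refused"), (303, "203.0.113.8", 80, "refused")]
)

if __name__ == "__main__":
    print(flag_scanning_circuits(SAMPLE_EVENTS))
```

Only circuit 101 is flagged: circuit 202 fails repeatedly against a single target, and circuit 303 has a successful connection that resets its failure run.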

