[tor-relays] Network Scan through Tor Exit Node (Port 80)

cmeclax-sazri cmeclax-sazri at ixazon.dynip.com
Mon Feb 28 05:19:34 UTC 2011


On Sunday 27 February 2011 11:59:47 mick wrote:
> Hmmm. Maybe I should have said "should" rather than "would". And you
> seem to have missed the point about network scanning being illegal
> in some jurisdictions. Section 3 of the UK Computer Misuse Act of 1990,
> as amended by the Police and Justice Act of 2006 makes such
> "reckless" activity an offence.
<snip>
> And regardless of the legality of the action, the AUPs of the service
> providers that most of us use for our tor nodes will specifically
> preclude network scanning (along with mail spamming etc). This means
> that providers could (as has been the case for Bianco Veigel) get
> irritated enough to shut down the service.
<snip>
> If my exit node was cited as the source of potentially
> hostile network scanning and my MSP /did/ pull the plug, I'd be
> disappointed, and tor would be shy of at least one exit
> node. But if I believed that the activity was the result of
> some "reputable" researcher simply using tor for his or her
> own ends /without/ warning tor relay owners, I'd be pretty
> pissed off.
>
> I'd welcome the views of other node providers here.

Here's my proposal: Add a parameter PortScanLimit to the relays section of 
torrc. It can be set to any nonnegative integer. If PortScanLimit is n>0, 
then as soon as a circuit has made n failed attempts to connect, the relay 
shuts down the circuit. If PortScanLimit is 0, there is no limit on failed 
attempts to connect. Relay operators in jurisdictions or ISPs that prohibit 
port scanning can set this to, say, 10, and relay operators not in such 
jurisdictions who have no qualms about their exit node being used for 
scanning can set it to 0. This parameter should not be listed in the 
directory; any client running a port scan will eventually find an exit that 
allows scanning, if there are any.

cmeclax
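
The counting rule proposed in the message above, as an added sketch that is not part of the original post and is not Tor code: `PortScanLimit` is only the option proposed here, and the struct, enum, function names and sample sequences are hypothetical and constructed for illustration. Failures are counted cumulatively per circuit, as the proposal words it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-circuit state for this sketch; not Tor's circuit_t. */
typedef struct {
    unsigned failed_connects; /* failed exit connect attempts on this circuit */
    bool closed;              /* relay has torn the circuit down */
} circ_state;

typedef enum { CONN_OK, CONN_FAIL } conn_result;

/* Record one exit connect attempt; limit is the proposed PortScanLimit.
 * Failures are cumulative per circuit, and limit == 0 means no limit.
 * Returns true once the circuit is closed. */
bool note_attempt(circ_state *c, conn_result r, unsigned limit)
{
    if (!c->closed && r == CONN_FAIL) {
        c->failed_connects++;
        if (limit > 0 && c->failed_connects >= limit)
            c->closed = true;
    }
    return c->closed;
}

/* Replay a sequence of results on a fresh circuit; return how many
 * attempts the relay carried out before the circuit was shut down. */
size_t attempts_served(const conn_result *seq, size_t n, unsigned limit)
{
    circ_state c = {0, false};
    size_t i = 0;
    while (i < n && !c.closed)
        note_attempt(&c, seq[i++], limit);
    return i;
}

/* Constructed samples: a sweep of closed ports, and browsing with two failures. */
const conn_result scan_seq[12] = {CONN_FAIL, CONN_FAIL, CONN_FAIL, CONN_FAIL,
    CONN_FAIL, CONN_FAIL, CONN_FAIL, CONN_FAIL, CONN_FAIL, CONN_FAIL,
    CONN_FAIL, CONN_FAIL};
const conn_result browse_seq[8] = {CONN_OK, CONN_OK, CONN_FAIL, CONN_OK,
    CONN_OK, CONN_OK, CONN_FAIL, CONN_OK};

int main(void)
{
    printf("scan, limit 10: %zu of 12 served\n", attempts_served(scan_seq, 12, 10));
    printf("scan, limit 0: %zu of 12 served\n", attempts_served(scan_seq, 12, 0));
    printf("browse, limit 10: %zu of 8 served\n", attempts_served(browse_seq, 8, 10));
    return 0;
}
```

Because the count is cumulative, a long-lived circuit with occasional legitimate failures also reaches the limit eventually, which matters when choosing a value such as the 10 suggested in the post.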

