[tor-relays] Network Scan through Tor Exit Node (Port 80)

Jacob Appelbaum jacob at appelbaum.net
Tue Mar 1 21:34:23 UTC 2011


On 03/01/2011 11:36 AM, mick wrote:
> On Mon, 28 Feb 2011 22:09:56 -0800
> Chris Palmer <chris at eff.org> allegedly wrote:
> 
>> On Feb 27, 2011, at 8:59 AM, mick wrote:
>>
>>> in some jurisdictions. Section 3 of the UK Computer Misuse Act of
>>> 1990, as amended by the Police and Justice Act of 2006 makes such
>>> "reckless" activity an offence. 
>>
>> I'm not sure how it counts as "reckless" to connect to a TCP port and
>> then disconnect.
> 
> Chris
> 
> I used the word "reckless" because that is the wording used in the UK
> CMA (as amended). See section 3 at:
> 
> http://www.legislation.gov.uk/ukpga/1990/18/section/3 which says:
> 
> "Unauthorised acts with intent to impair, or with recklessness as to
> impairing, operation of computer, etc."
> 
> I agree that a single full TCP connect does not constitute such
> "reckless" activity, but an aggressive, rapid, portscan, perhaps
> using (deliberately) badly formed TCP packets which took no account of
> the potential impact on the target, might. 
> 
> Some network devices may not handle such traffic well. Indeed, the
> scan may cause a DOS. 
> 
> IANAL, but it seems to me the drafters of the amendments to the UK
> legislation may have had such activity in mind when using the term
> "reckless". The term implies to me a "lack of care or due diligence". 
> I suspect that "intent to impair" may sometimes be difficult to prove
> so lack of care was added.
> 

And the lawyers involved were likely not technologically literate. I'm
guessing none of them understand TCP/IP or BGP. There's a big disconnect
here and part of it is likely cultural.

Connection to the public internet requires that random people on the
internet be able to burn some CPU time on your machine. It takes a bit
of energy to process a packet, even if to discard it unless the machine
is otherwise protected. This is the nature of the internet - everyone
with a public and routed IP address signs up for this when they join the
network. If they don't like it, they should probably consider a solution
that actually scales or works - legislation like this doesn't change the
nature of the network.

>> The kind of research I'm talking about — us, Kaminsky, Bernstein, et
>> al. — involves simply talking to every server once. For example, the
>> SSL Observatory does a "scan" that is very similar to what happens
>> when a user clicks a link and then immediately clicks the Stop button
>> in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello +
>> Certificate, goodbye. We do this once per IP every few months. Out of
>> 4 billion IP addresses, we got one complaint that I know of.
>>
>> This work is not hostile or dangerous. It is clearly beneficial to
>> the internet community. We've convinced CAs to tighten their loose
>> certification standards, convinced them to meet the EV spec when we
>> found they weren't, and provided hard evidence to fuel substantive
>> debate on PKI policy. Nick and Jake are using the results to improve
>> Tor. That's just to start.
> 
> I can't see that sort of activity as being deemed reckless - and it is
> highly unlikely to be spotted anyway.
> 

It depends entirely on how the scan is performed - sequential scans will
be discovered by an IDS. Even if it's undiscovered, I wouldn't consider
it reckless.

>> It's also worth noting that the various tricks to hide or evade IDSs
>> that some scanners like Nmap can do, tend not to work over Tor since
>> Tor normalizes TCP streams before exiting.
>>
>> Port scanning can sometimes be the precursor to hostile activity, but
>> it is not in itself hostile, and it is often either for a good cause
>> or *indistinguishable from normal application activity*.
>>
> I disagree. In my view, port scanning in and of itself can be hostile
> if such activity is aggressive enough to cause difficulties - hence my
> concern.

A port scan is not aggressive in and of itself. The frequency of packets
might overwhelm a system and so the system, or an upstream system should
probably drop those packets on the floor.

> 
> I am attracted to cmeclax's idea of some form of torrc config option
> which could limit the potential for deliberate (or accidental but
> "reckless") scanning. Is there any mileage in pursuing something like
> that further? And if not, are there any other (current) recommended
> configurations which could mitigate possible problems?
> 

I don't think such a configuration option makes any sense at all. We
have many streams on a given circuit for load balancing. A clever
scanner would simply use one circuit per connect attempt and it would
generate a lot of load on the network.

I'd suggest that if you're concerned about someone making connections
from your computer, it's probably a bad idea to run an Exit node...

All the best,
Jaco
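The claim above that sequential scans are what an IDS picks out, as an added illustration (constructed example, not code from this thread or from Tor): a small Python routine over a made-up connection log that separates a source sweeping ascending ports on one host from a source that, like the SSL Observatory probe described earlier, makes a single connection per host. The log format and addresses are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample log (not from the thread): epoch seconds, src, dst, dst port.
SAMPLE_LOG = """\
1298930000 10.0.0.5 192.0.2.10 21
1298930000 10.0.0.5 192.0.2.10 22
1298930001 10.0.0.5 192.0.2.10 23
1298930001 10.0.0.5 192.0.2.10 25
1298930002 10.0.0.5 192.0.2.10 80
1298930002 10.0.0.5 192.0.2.10 110
1298930003 10.0.0.5 192.0.2.10 143
1298930003 10.0.0.5 192.0.2.10 443
1298930000 10.0.0.9 192.0.2.10 443
1298931000 10.0.0.9 192.0.2.11 443
1298932000 10.0.0.9 192.0.2.12 443
"""

# Higher rank = more suspicious; the highest verdict seen for a source wins.
RANK = {"": 0, "single probe": 1, "unclassified": 2, "sequential scan": 3}


def parse_log(text):
    """Parse 'ts src dst port' lines into (ts, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return events


def classify_sources(events, window=10, min_ports=5):
    """Return {src: verdict}. A source hitting at least `min_ports` distinct
    ports on one host within `window` seconds, in ascending port order, is a
    'sequential scan'; one connection per host is a 'single probe'."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    labels = {}
    for (src, dst), hits in by_pair.items():
        hits.sort()
        ports = [p for _, p in hits]
        span = hits[-1][0] - hits[0][0]
        if len(set(ports)) >= min_ports and span <= window and ports == sorted(ports):
            verdict = "sequential scan"
        elif len(hits) == 1:
            verdict = "single probe"
        else:
            verdict = "unclassified"
        labels[src] = max(labels.get(src, ""), verdict, key=RANK.get)
    return labels
```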

