[tor-relays] Network Scan through Tor Exit Node (Port 80)

Fabio Pietrosanti (naif) lists at infosecurity.ch
Thu Mar 3 06:32:58 UTC 2011


On 3/2/11 2:04 PM, Mitar wrote:
> 
> Interesting. We were doing the very same thing (opening only 80 and
> 443 ports to check for certificates) just a few weeks ago over the whole IP
> space and got a few complaints: from ATT, usu.edu and usi.com.
> 
> Maybe the difference was in speed of scanning? We randomized order of
> scanning but still some networks detected us as scanning their whole
> ranges.

Hi,

I am trying to create a low-responsibility Tor exit node that would
allow the node to run without too many issues for the maintainer (few
claims from operators).

I wrote something about it here:
http://infosecurity.ch/20110124/my-tor-exit-node-experience-trying-to-filter-out-noisy-traffic/

I am now struggling to filter outgoing portscans, but I am not
finding an effective way to do it without affecting good traffic.

P2P is out (OpenIPS), traffic to my originating country is out
(iptables), I am testing removal of web attacks (through snort inline),
but I am not able to remove outgoing portscans, which are now generating at
least 1-2 claims per week.

My attempt so far has been done with:
######### ANTI PORTSCAN #####################
# Allow up to 3 pkts / second for a class C / 24 network: block hard portscan
# iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn \
#   -m hashlimit --hashlimit-upto 3/s --hashlimit-mode dstip --hashlimit-dstmask 24 \
#   --hashlimit-name everything_else_fast_scan -j ACCEPT

# iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn \
#   -m hashlimit --hashlimit-upto 5/s --hashlimit-mode dstip --hashlimit-dstmask 16 \
#   --hashlimit-name everything_else_fast_scan_very_randomized -j ACCEPT

# Allow many connections (50/s) to the same IP (ex: facebook or google main site)
# iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn \
#   -m hashlimit --hashlimit-upto 50/s --hashlimit-mode dstip --hashlimit-dstmask 32 \
#   --hashlimit-name everything-unique-ip -j ACCEPT

# Allow up to 5 pkts / minute for a class C / 24 network: block slow and steady portscan
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn \
  -m hashlimit --hashlimit-upto 5/min --hashlimit-mode dstip --hashlimit-dstmask 24 \
  --hashlimit-name everything_else_slow_scan -j ACCEPT

# Anything past the limit: log it, then answer the outgoing SYN with a reset
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn \
  -j LOG --log-prefix "Limit reached: "
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn \
  -j REJECT --reject-with tcp-reset

Has anyone already tried blocking outgoing portscans, and been
successful?

I know that some might consider my approach not good, but I am still
carrying on an experiment to create:
- a long-lived Tor exit node
- a low-maintenance Tor exit node
- a Tor exit node that cannot be used for P2P, web attacks and portscans
- a Tor exit node that generates very few claims (which means more
resilience against the carrier/hosting provider disconnecting the server)

Cheers
-naif
http://infosecurity.ch
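The trade-off the post describes (limiting outbound SYNs per destination /24 without hurting legitimate traffic) can be reasoned about offline by modelling the OUTPUT chain as a sequence of per-key token buckets, which is what the hashlimit match implements. The following is an added example written for this page, not the poster's code and not something that touches netfilter; it assumes the default --hashlimit-burst of 5 for every rule, a continuous floating-point refill instead of the kernel's integer credit arithmetic, and constructed TEST-NET-2 destination addresses and timings. It evaluates the chain as actually enabled in the post (only the 5/min per-/24 rule) against two constructed traffic patterns, and then the same patterns with the commented-out 50/s per-host rule placed in front.

```python
"""Model of the post's OUTPUT chain: hashlimit rules as per-key token
buckets, tried in order, followed by REJECT --reject-with tcp-reset.

Added example for this page, not the poster's own code.  Assumptions:
--hashlimit-burst left at its default of 5, floating-point credit refill,
and the constructed addresses/timings in SWEEP and BUSY_SITE below.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HashLimitRule:
    """One `-m hashlimit --hashlimit-upto RATE --hashlimit-mode dstip
    --hashlimit-dstmask MASK -j ACCEPT` rule."""
    name: str            # --hashlimit-name
    rate_per_s: float    # --hashlimit-upto, normalised to packets per second
    dstmask: int         # --hashlimit-dstmask: 32 = per host, 24 = per /24
    burst: int = 5       # --hashlimit-burst default (assumed)
    # hash key -> (remaining credits, time of last update)
    buckets: dict = field(default_factory=dict)

    def key(self, dst: str) -> str:
        # hashlimit hashes the destination masked to --hashlimit-dstmask
        return str(ipaddress.ip_network(f"{dst}/{self.dstmask}", strict=False))

    def matches(self, dst: str, t: float) -> bool:
        """True if this SYN is still within the rate (rule fires, ACCEPT)."""
        k = self.key(dst)
        # a destination never seen before gets a full bucket
        credits, last = self.buckets.get(k, (float(self.burst), t))
        credits = min(float(self.burst), credits + (t - last) * self.rate_per_s)
        if credits >= 1.0:
            self.buckets[k] = (credits - 1.0, t)
            return True
        self.buckets[k] = (credits, t)   # over the limit: no match, fall through
        return False


class OutputChain:
    """First hashlimit rule with credit ACCEPTs; otherwise the trailing
    LOG + REJECT pair from the post applies."""

    def __init__(self, rules):
        self.rules = rules

    def verdict(self, dst: str, t: float):
        for rule in self.rules:
            if rule.matches(dst, t):
                return ("ACCEPT", rule.name)
        return ("REJECT", "tcp-reset")


def run(chain, syns):
    """syns: iterable of (time_s, dst_ip) outbound SYNs; returns verdict rows."""
    return [(t, dst, *chain.verdict(dst, t)) for t, dst in syns]


def accepted(results):
    return sum(1 for _, _, verdict, _ in results if verdict == "ACCEPT")


def active_chain():
    """Only the rule that is not commented out in the post: 5/min per /24."""
    return OutputChain([HashLimitRule("everything_else_slow_scan", 5 / 60, 24)])


def chain_with_unique_ip_first():
    """The commented-out 50/s per-host rule re-enabled ahead of the /24 limit."""
    return OutputChain([
        HashLimitRule("everything-unique-ip", 50.0, 32),
        HashLimitRule("everything_else_slow_scan", 5 / 60, 24),
    ])


# Constructed traffic, one SYN every 0.5 s (TEST-NET-2 addresses):
SWEEP = [(i * 0.5, f"198.51.100.{i + 1}") for i in range(12)]  # 12 hosts in one /24
BUSY_SITE = [(i * 0.5, "198.51.100.1") for i in range(12)]      # 12 connections, one host


if __name__ == "__main__":
    for label, syns in (("sweep of a /24", SWEEP), ("busy single host", BUSY_SITE)):
        for cname, factory in (("active chain", active_chain),
                               ("unique-ip first", chain_with_unique_ip_first)):
            res = run(factory(), syns)
            print(f"{label:18} {cname:16} accepted {accepted(res):2d}/12")
```

With the chain as enabled in the post, both patterns get the same verdicts: the first five SYNs pass on the bucket's burst and the rest are reset, so a dozen connections to one busy site in a /24 are cut off exactly like a sweep of that /24. Putting the per-host 50/s rule in front lets the busy-site traffic through, but because every new destination starts with its own full bucket, the /24 rule is only consulted for hosts that have already exhausted their per-host credit, so the per-/24 limit no longer constrains one-connection-per-host traffic at all. Whichever ordering is chosen, the LOG rule's "Limit reached: " prefix is the place to measure how much legitimate traffic the limit is actually resetting before tightening it further.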

