[tor-relays] Filtering at Exit Node [was: Network Scan through Tor Exit Node (Port 80)]

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun Mar 6 17:37:12 UTC 2011


On 3/3/11 12:50 PM, Moritz Bartl wrote:
> Hi,
> 
> On 03.03.2011 12:29, Fabio Pietrosanti (naif) wrote:
>> Still i would like to point out a *practical* feeling that i got from a
>> lot of person i tried to say "hey, run an exit node!".
> 
> I fully accept and understand your point. That's exactly why I started
> Torservers.net, so you can "run" a Tor exit without having to bother
> with complaints. That's the "low maintenance Tor exit" you are talking
> about. :)

You're right, but a lot of nerds are willing to do 'something fun' by
installing and running a Tor node and are less committed to only providing
financial support through donations.
The feeling of gratification and satisfaction from doing something
good (and fun) also comes from your hands-on hacking, playing with
the technology.
You see your bandwidth graph, which satisfies you; you do some basic
maintenance tasks like upgrading tor, and you also get gratification from
the fact that you installed/manage it and it works ;-) .
Additionally you are taking "some risks", and you tell your friends that
you run your Tor node, speak about it, etc, etc
(sounds like a psychoanalytical point about part of a nerd's attitude in
participating in oss/freedom of speech/anonymity projects).

> Centralization IS bad. That's why the purpose of Torservers.net is to
> also encourage other people to follow our example, form
> organizations etc. We were able to find a pro-bono lawyer, our
> headquarters are based in his office etc, and bandwidth bought in bulk
> is much cheaper. Hopefully I can publish some more guides, but a few are
> already available in our wiki:
> https://www.torservers.net/wiki/
And that's a really cool approach!
I find that creating a model of organization with the goal of building up
the knowledge and tools to allow an easier fork of similar communities is
a very intelligent move!
Here in Italy German hackers are really perceived as "very cool in the
organization". German production quality :-)
> 
> e.g. the complete server setup we use:
> https://www.torservers.net/wiki/setup/server
> 
>> Some person tried to run an exit node, then they got their internet
>> connection disconnected due to high number of claim.
> 
> Most people are better off by running a node with a very limited exit
> policy. I get NO complaints whatsoever for the exit that only allows 22,
> 53 and 443, for example.
With ssh I got several portscan notices (at least once per week), but
most of them are on port 80, sweeping networks for web attacks.
I keep the ExitPolicy of
https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
even if just now I temporarily disabled ssh while trying to find
a good way to detect outgoing portscans.

With standard iptables-related tools I am not finding a reasonable (from a
system administration point of view) way to detect OUTGOING
portscans originating from your own host.

Almost all tools and techniques are for detecting INCOMING portscans and
filtering the source of the portscan.
But here WE are the source of the portscan; we cannot just block ourselves!

That's an interesting technical issue to be analyzed and solved!

> Be Public: Spend a couple of bucks on printouts, flyers, whatever.
> Distribute them. Go out, hold workshops. Write an excellent blog. In
> general: SHOW your opinion. FIGHT propaganda. Our world is in such a bad
> shape because people stay quiet, not because too few people run exits.

You're right, but a lot of things may also depend on your time availability
or just your attitude.
You may find it difficult to organize public activities, or even non-nerd
activities that require you to go around and organize people and goods;
the startup and management of a local community can be a difficult (or just
annoying) task for a lot of people.
Part of the hacking environment may just be out of time availability
(due to work, for example) or just lazy.

> 
> etc etc.
> 
>> In such condition I DO NOT WANT any traffic to go to italian networks,
> 
> Italy has worse problems than someone trying to run an exit. Work on
> those. Make people understand that looking at half-naked women on
> government TV isn't something that helps.
> 
> You can still form an organization that lobbies for Tor, organizes local
> Tor user groups, coding sessions etc. This is time much better spent
> than fighting for the right to run some [relatively] small exit.

Eh, damn, that's a cool thing, but you really need to be able to
dedicate time, and if you don't have enough (like me) you keep spending
your remaining free time at home just at night (after work) or during
the weekend. That's a pain!

In the past I've organized several groups, but it still requires a
very significant effort that, if you can't afford it, will not work (I still
have little time while trying to start www.globaleaks.org).

So, I am finding some fun stuff to do related to Tor in my
not-that-much free time (damn!) that I think could be useful.

> 
> Again, I understand your thoughts. For example, a list of public
> bittorrent trackers that lead to DMCA complaints would be excellent to
> have. Unfortunately, we don't have an ISP that allows us to test this.
Mmmm, setting up something like this would probably be interesting.

However my point is to work around the fact that the current ExitPolicy
method is relatively weak if you want to properly fine-tune what a
person, as Tor exit-node operator, would allow to get out from the node.

-naif
http://infosecurity.ch
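The detection problem raised above (the exit node itself is the source, so the usual "block the scanning source" tools do not apply) can be attacked by logging the node's own outgoing TCP SYNs and looking at their shape rather than their origin. The script below is an added example, not code from the thread or from the Tor project. It assumes an iptables rule that logs outbound SYNs sent by the tor process, for instance `iptables -A OUTPUT -p tcp --syn -m owner --uid-owner debian-tor -j LOG --log-prefix "TOR-OUT: "` (the `TOR-OUT: ` prefix and the `debian-tor` user are assumptions), and parses the resulting kernel-log lines with a sliding window: many distinct destination hosts on one port is a horizontal sweep, many distinct ports on one host is a vertical scan. The sample log lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Spot OUTGOING port scans from an exit node's own iptables LOG lines.

Added example (not from the thread).  Assumed logging rule, with the
"TOR-OUT: " prefix and the debian-tor user being assumptions:

  iptables -A OUTPUT -p tcp --syn -m owner --uid-owner debian-tor \
      -j LOG --log-prefix "TOR-OUT: "

The node itself is the source of every line, so the detector keys on the
traffic pattern: many hosts on one port (sweep) or many ports on one host
(vertical scan) inside a short window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PREFIX = "TOR-OUT: "
WINDOW = timedelta(seconds=60)
SWEEP_HOSTS = 20     # distinct DST on a single DPT within WINDOW
VSCAN_PORTS = 15     # distinct DPT on a single DST within WINDOW

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (timestamp, dst, dpt) for a logged outbound TCP SYN, else None."""
    idx = line.find(PREFIX)
    m = TS_RE.match(line)
    if idx < 0 or not m:
        return None
    body = line[idx + len(PREFIX):]
    fields = dict(KV_RE.findall(body))
    flags = set(body.split())            # the LOG target prints TCP flags as bare words
    if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None                      # not a fresh connection attempt
    if "DST" not in fields or "DPT" not in fields:
        return None
    # syslog timestamps carry no year; only the deltas matter here
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, fields["DST"], int(fields["DPT"])


class OutboundScanDetector:
    """Sliding-window count of distinct hosts per port and distinct ports per host."""

    def __init__(self, window=WINDOW, sweep_hosts=SWEEP_HOSTS, vscan_ports=VSCAN_PORTS):
        self.window = window
        self.limits = {"sweep": sweep_hosts, "vscan": vscan_ports}
        self.seen = {"sweep": defaultdict(deque), "vscan": defaultdict(deque)}
        self.armed = set()       # (kind, key) pairs currently above threshold
        self.alerts = []         # (kind, key, distinct_count, timestamp)

    def _observe(self, kind, key, value, ts):
        q = self.seen[kind][key]
        q.append((ts, value))
        while ts - q[0][0] > self.window:   # drop entries older than the window
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct >= self.limits[kind]:
            if (kind, key) not in self.armed:   # alert once per burst
                self.armed.add((kind, key))
                self.alerts.append((kind, key, distinct, ts))
        else:
            self.armed.discard((kind, key))     # re-arm once the burst subsides

    def feed(self, line):
        rec = parse_line(line)
        if rec:
            ts, dst, dpt = rec
            self._observe("sweep", dpt, dst, ts)   # one port, many hosts
            self._observe("vscan", dst, dpt, ts)   # one host, many ports


def _log(sec, dst, dpt):
    """Constructed kernel-log line in the iptables LOG target's format."""
    return (f"Mar  6 17:{sec // 60:02d}:{sec % 60:02d} exit1 kernel: [1000.{sec:03d}] "
            f"{PREFIX}IN= OUT=eth0 SRC=10.0.0.5 DST={dst} LEN=60 TOS=0x00 PREC=0x00 "
            f"TTL=64 ID=0 DF PROTO=TCP SPT={40000 + sec} DPT={dpt} WINDOW=29200 "
            f"RES=0x00 SYN URGP=0")


def build_sample_log():
    """Constructed sample: benign HTTPS, a sweep of 25 hosts on port 80, 18 ports on one host."""
    lines = [_log(s * 7, f"198.51.100.{s}", 443) for s in range(1, 8)]
    lines += [_log(60 + s, f"203.0.113.{s}", 80) for s in range(1, 26)]
    lines += [_log(120 + s, "192.0.2.10", 20 + s) for s in range(1, 19)]
    lines.append("Mar  6 17:40:00 exit1 kernel: [1500.000] TOR-OUT: IN= OUT=eth0 "
                 "SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=22 ACK URGP=0")  # ignored
    return lines


def run_sample():
    det = OutboundScanDetector()
    for line in build_sample_log():
        det.feed(line)
    return det.alerts


if __name__ == "__main__":
    for kind, key, n, ts in run_sample():
        print(f"{ts:%H:%M:%S} {kind} on {key}: {n} distinct within {WINDOW.seconds}s")
```

Fed from `journalctl -k -f` or the kernel log file, this gives an alert when the 20th host on a port or the 15th port on a host shows up within a minute, without attributing the traffic to any Tor client, which the exit cannot do anyway. The thresholds are a starting point; an exit carrying a lot of web traffic will see many distinct hosts on 80/443 legitimately, so the sweep threshold on those ports needs tuning against the node's own baseline.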

