[tor-relays] Filtering at Exit Node [was: Network Scan through Tor Exit Node (Port 80)]

Fabio Pietrosanti (naif) lists at infosecurity.ch
Mon Mar 7 06:41:39 UTC 2011


On 3/5/11 9:21 AM, Mike Perry wrote:
> Thus spake Fabio Pietrosanti (naif) (lists at infosecurity.ch):
> 
>> So still my goal is to test, implement, document and create howto to:
>>
>> - Block P2P to avoid P2P related claims
> 
> Did you try doing this without doing iptables DPI? The Reduced Exit
> Policy should work fine for this by itself. 
> 
> DPI killing P2P connections is the least of my worries with your
> approach, though.. I feel like your node is a minefield of accidental
> censorship just waiting to explode on innocent users..

You are right that there's a risk of blocking traffic of innocent users.
Now it's just some early testing trying to refine the idea; I fully
agree that the approach must be as finely tuned and as precise as
possible in order just to drop the annoying things while leaving
'everything allowed'.

For example, to be able to apply a transparent proxy to try to detect
bruteforce/web attacks in an effective way, it's required to patch Tor to
be able to bind the Tor Exit IP to a Virtual IP address.
Now there's no way to verify what's HTTP traffic on port 80 and what's
not, so if you put a transparent proxy in the middle you would break
part of the Tor node traffic.

Unfortunately I'm not that skilled at C coding; if someone would like to
do such a patch it would be cool.

Being able to bind to a dedicated IP address for Tor Exit traffic would
also allow a Tor maintainer to tunnel his Exit Traffic through a VPN, or
even to route different kinds of traffic through different systems with
proper IP policy routing.



> 
>> - Block Portscan to avoid portscan related claims
> 
> I would be really surprised if this does not end up causing massive
> collateral damage to just about everything running through your exit
> node. Please keep a close eye on how often this goes off on killing
> sprees. I'm going to guess most of the time it will just end up
> censoring popular sites and dense colo facilities that happen to
> attract heavy amounts of legit Tor traffic.

Sure, now I tried it for 1 week with very bad results:
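
A worked illustration of the port-80 problem raised in the message above (an added example, not code from the post, from Tor, or from the poster's setup): before handing a port-80 flow to a transparent HTTP proxy, peek at the first client bytes and only proxy what actually parses as an HTTP request line; anything else (TLS, SSH or BitTorrent that happens to use port 80, or bytes we cannot classify) is forwarded untouched rather than broken or dropped. The protocol signatures, the `PEEK_LIMIT` constant, the `proxy_decision` policy and the sample flows are this example's own constructed assumptions, and the classification is a heuristic, not a full parser.

```python
"""Peek-based classification of port-80 flows at a Tor exit.

Added example: decide per flow whether a transparent HTTP proxy may be
inserted, so that non-HTTP traffic on port 80 is passed through intact.
"""
import re

# HTTP/1.x request line as seen in the first client bytes:
# METHOD SP request-target SP HTTP/1.0|1.1 CRLF
_REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/1\.[01]\r\n")
_HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT", b"PATCH"}

# Assumed cap on how many bytes we are willing to peek at before giving
# up on "this might still become an HTTP request".
PEEK_LIMIT = 8192


def classify_first_bytes(data: bytes) -> str:
    """Classify the first client->server bytes of a flow.

    Returns 'http', 'tls', 'ssh', 'bittorrent', 'need-more' or 'unknown'.
    """
    if not data:
        return "need-more"
    m = _REQUEST_LINE.match(data)
    if m and m.group(1) in _HTTP_METHODS:
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0X,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    # BitTorrent peer handshake: pstrlen 19 followed by the pstr.
    if data.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # No CRLF yet and the prefix still looks like the start of a request
    # line: the client may simply not have sent the whole line yet.
    if (b"\r\n" not in data and len(data) < PEEK_LIMIT
            and re.match(rb"^[A-Z]{1,10}( |$)", data)):
        return "need-more"
    return "unknown"


def proxy_decision(data: bytes, timed_out: bool = False) -> str:
    """Assumed policy for the exit.

    'proxy'       -> hand the socket to the transparent HTTP proxy
    'passthrough' -> forward untouched; proxying would break the flow
    'wait'        -> read more before deciding, but never forever
    """
    kind = classify_first_bytes(data)
    if kind == "http":
        return "proxy"
    if kind == "need-more":
        # A client that stays silent (server-speaks-first protocols, an
        # idle connection) must eventually be forwarded, not dropped.
        return "passthrough" if timed_out else "wait"
    return "passthrough"


# Constructed sample first-bytes, one per flow; not captured traffic.
SAMPLE_FLOWS = {
    "browser":      b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tls-on-80":    bytes.fromhex("16030100f5010000f10303") + b"\x00" * 32,
    "ssh-on-80":    b"SSH-2.0-OpenSSH_5.8\r\n",
    "bt-on-80":     b"\x13BitTorrent protocol" + b"\x00" * 8,
    "half-request": b"GET / HT",
    "binary-junk":  b"\x00\x01\x02\x03\r\n",
    "lowercase":    b"get / HTTP/1.1\r\n",
}


def decide_all(flows=SAMPLE_FLOWS, timed_out: bool = False) -> dict:
    """Apply proxy_decision to every sample flow."""
    return {name: proxy_decision(first, timed_out)
            for name, first in flows.items()}


def blind_redirect_casualties(flows=SAMPLE_FLOWS) -> list:
    """Flows an unconditional port-80 REDIRECT into an HTTP proxy would
    break: everything that is not, or cannot become, an HTTP request."""
    return sorted(name for name, first in flows.items()
                  if classify_first_bytes(first) not in ("http", "need-more"))


if __name__ == "__main__":
    for name, verdict in decide_all().items():
        kind = classify_first_bytes(SAMPLE_FLOWS[name])
        print(f"{name:14s} {kind:11s} -> {verdict}")
    print("blind REDIRECT would break:", blind_redirect_casualties())
```

The point of the `need-more` state is the failure mode the message worries about: a partial request line is not evidence of non-HTTP, but waiting must be bounded, and on timeout the flow is forwarded rather than dropped, so the worst case of a wrong guess is "not inspected", never "censored".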

