[tor-relays] Network Scan through Tor Exit Node (Port 80)

Scott Bennett bennett at cs.niu.edu
Tue Mar 8 10:04:13 UTC 2011 

     On Sat, 26 Feb 2011 12:13:53 -0800 Chris Palmer <chris at eff.org> wrote:
>On Feb 26, 2011, at 9:53 AM, mick wrote:
>
>> No reputable security researcher would a) scan a network without that
>> network owner's explicit permission, nor b) use tor for that scan.
>
>Lots of reputable security researchers who scan the entire internet without getting permission. You can't get permission from every operator in the world, but you still need to do good and interesting research. Examples of reputable researchers who have scanned the whole internet include Dan Bernstein, Dan Kaminsky, and EFF. (At least I think we're reputable. :) ) I don't know for sure, but I can't imagine Arbor, CAIDA, and Renesys can do their jobs without scanning the internet.

     Well, as I've just finished describing in another topic here, I treat
scanning of my system as attempted security breaches.  Such scans will not
elicit any apparent response from my system, except that the scanner's
IP address will shortly be added to my "block" file, which will deny all future
access to my tor node's ORPort and DirPort.
>
>Using Tor to scan the internet is a good way to see how the internet looks from different perspectives at once, which can be quite valuable.
>
     I disagree and, as noted above, treat that as a cracking attempt.  tor
nodes that you abuse in such fashion will continue to function by the means
described below, provided they are listed in the current consensus document.
My current procedures are described in the next two paragraphs.  However,
your implication quoted above that EFF has/does/will abuse tor exits in this
manner suggests I may have to modify my treatment of tor exits from which
your scans emerge, given the increased likelihood that the offenses did not
originate from the exit node's system and that the exit node was instead
a victim as well.  Nevertheless, your scans will not get responses from my
system, except for connection attempts to the ORPort or the DirPort.
     First, I have set the sysctl variable called net.inet.tcp.blackhole to 2,
which causes the kernel to drop all incoming packets addressed to closed ports.
     The IP addresses of tor nodes, including exit nodes, listed in the
cached-consensus file on my system are placed into a "pass" file every 30
minutes, which temporarily exempts them from being checked against the
"block" file.  It is temporary in that the exemption lasts for 30 minutes
only, although it will be exempted for another 30 minutes whenever the
address exists in the cached-consensus file at the time the "pass" file is
rebuilt.
     Anyone who may be concerned that their IP address or address range might
be listed in my "block" file is welcome to write to me to inquire about it.
If it is, then I will offer to remove the block on an indefinitely
probationary basis.  However, if I encounter the same IP address in my pf log
again, then I will block the address permanently.
     Frankly, I think it's appalling that a previous sponsor organization for
the tor project should turn on the tor network in the fashion you've confessed
here that it has.  I'm tempted to dig out all of the EFF IP address ranges
and block them permanently, just as a matter of principle, although it would
obviously have little real effect upon your organization.  No wonder so many
of us have run afoul of our ISPs when trying to run exit nodes when even EFF
is trying to spoil the tor network for us.  Who needs enemies with "friends"
like EFF?


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************

More information about the tor-relays mailing list