[tor-relays] Network Scan through Tor Exit Node (Port 80) - PORTSCAN

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed Mar 9 09:19:54 UTC 2011


On 3/9/11 10:02 AM, Olaf Selke wrote:
> On 09.03.2011 09:20, Fabio Pietrosanti (naif) wrote:
>>
>> We *really* need to find a technical way to be able to detect and block
>> outgoing portscan from the TOR exit nodes.
> 
> This might cause a lot of collateral damage. I don't think it's a good
> idea. How can we distinguish between legitimate Tor exit traffic and
> someone scanning whole networks for certain applications?

That's the point, how to do it in the right way without creating
collateral damage.

Detecting a portscan is not rocket science, but the problem is imho:
- detection logic (based on destination and not on source of scan)
- tuning of detection logic (for example how wide the destination can be)
- dynamic blocking (which destination netblock to block? Several
portscans randomize across a Class-B network)
- tuning of dynamic blocking (for how much time to block destination
networks?)

And in such an extremely finely tuned situation, block or
strongly rate-limit the traffic to the destination?

Imho those are still unsolved technical problems because 100% of portscan
detection systems are based on detecting "a single source of portscan" and
blocking the source of the portscan.

In that case "we are the source of portscan" and the destination can be
"randomized across a Class-B network".

So it sounds more complex than it appears to be able to block TOR exit
outgoing portscans in a proper and clean way.

-naif
http://infosecurity.ch
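The four problems naif lists above (destination-keyed detection, how wide the destination key is, dynamic blocking, and for how long) as an added Python sketch. This is not code from the thread or from the Tor project; the /16 key, the distinct-host threshold, the window and block durations, and the sample outbound flow records are all constructed assumptions for illustration.

```python
"""Destination-centric scan detector for an exit node's outbound flow log.

Added illustration, not from the thread: classic scan detectors key on the
*source* address, which is useless when the exit node itself is the source.
This toy keys on the *destination /16 plus destination port* instead, counts
distinct destination hosts contacted inside a sliding window, and puts a
time-limited throttle on that netblock rather than a permanent block.
"""
from collections import defaultdict, deque
from ipaddress import ip_network

# Constructed tuning values; a real exit would tune these per-relay.
WINDOW_SECONDS = 60            # sliding window for counting distinct hosts
DISTINCT_HOST_THRESHOLD = 20   # distinct dst hosts in one /16 on one port
BLOCK_SECONDS = 300            # how long a triggered netblock stays throttled


def dest_block(ip: str) -> str:
    """Class-B sized destination key, matching the thread's /16 framing."""
    return str(ip_network(f"{ip}/16", strict=False))


class DestinationScanDetector:
    def __init__(self, window=WINDOW_SECONDS,
                 threshold=DISTINCT_HOST_THRESHOLD, block_ttl=BLOCK_SECONDS):
        self.window = window
        self.threshold = threshold
        self.block_ttl = block_ttl
        # (netblock, port) -> deque of (timestamp, dst_host), oldest first
        self._events = defaultdict(deque)
        # (netblock, port) -> expiry timestamp of the current throttle
        self.throttled = {}

    def _expire_events(self, key, now):
        q = self._events[key]
        while q and q[0][0] < now - self.window:
            q.popleft()

    def observe(self, ts, dst_ip, dst_port):
        """Feed one outbound flow; returns 'allow', 'throttle' or 'trigger'.

        The enforcement action behind 'throttle' (drop vs. strong rate-limit,
        the choice naif raises) is left to the caller.
        """
        key = (dest_block(dst_ip), dst_port)
        expiry = self.throttled.get(key)
        if expiry is not None and expiry <= ts:
            del self.throttled[key]          # dynamic block has aged out
            expiry = None
        if expiry is not None:
            return "throttle"
        q = self._events[key]
        q.append((ts, dst_ip))
        self._expire_events(key, ts)
        distinct_hosts = len({host for _, host in q})
        if distinct_hosts >= self.threshold:
            self.throttled[key] = ts + self.block_ttl
            q.clear()
            return "trigger"
        return "allow"


# Constructed sample flow log: (timestamp, dst_ip, dst_port). One new host
# per second across 203.0.113.0/24 on port 80 looks like a horizontal scan;
# repeated flows to a single 198.51.100.1:443 look like ordinary browsing;
# the flow at t=400 arrives after the throttle has expired.
SAMPLE_FLOWS = (
    [(t, f"203.0.113.{t + 1}", 80) for t in range(25)]
    + [(5, "198.51.100.1", 443), (6, "198.51.100.1", 443), (7, "198.51.100.1", 443)]
    + [(400, "203.0.113.200", 80)]
)


def run_sample():
    """Replay SAMPLE_FLOWS in time order; returns verdict counts and triggers."""
    detector = DestinationScanDetector()
    verdicts = {"allow": 0, "throttle": 0, "trigger": 0}
    triggered = []
    for ts, ip, port in sorted(SAMPLE_FLOWS):
        verdict = detector.observe(ts, ip, port)
        verdicts[verdict] += 1
        if verdict == "trigger":
            triggered.append((dest_block(ip), port))
    return {"verdicts": verdicts, "triggered": triggered}


if __name__ == "__main__":
    print(run_sample())
```

The sketch only covers the mechanics; it does nothing about Olaf's objection. From the exit's vantage point, many independent Tor users browsing different hosts inside one popular hosting /16 on port 80 produce exactly the same distinct-host count as one scanner, so a threshold this low would throttle a large provider's whole netblock for every user of that exit. That tuning, and whether the answer is a drop or a strong rate-limit, is the unsolved part of the problem the mail describes.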

