[tor-relays] Network Scan through Tor Exit Node (Port 80)
Scott Bennett
bennett at cs.niu.edu
Tue Mar 29 09:06:15 UTC 2011
On Wed, 9 Mar 2011 19:18:34 -0500 cmeclax-sazri
<cmeclax-sazri at ixazon.dynip.com> wrote:
>On Wednesday 09 March 2011 17:20:17 Chris Palmer wrote:
>> On 03/09/2011 01:48 PM, Arjan wrote:
>> >> We are saying hello on port 443, and then saying goodbye. Once. Using
>> >> normal TCP and TLS handshaking, no tricks. For the good of the internet.
>> >
>> > That would be enough to get me in trouble with my ISP for performing
>> > portscans (if I were running an exit node).
>>
>> And how would you, or anyone else, differentiate that from normal web
>> browsing?
>
>If a lot of those connection attempts are going to IP addresses with no host
>present, or hosts not running a webserver, it looks like portscanning. If
>almost all of the connection attempts are to webservers that have port 443
>open, it looks like normal https web browsing.
Are you kidding? Closing a connection upon receipt of the ACK response
to the SYN you sent looks like normal HTTPS web browsing? On what planet?
Normal web browsing, whether HTTP or HTTPS, involves data transmission
occurring in both directions between receipt of that ACK and the closing of
the connection by the web browser. Closing the connection upon receipt of
the ACK response to the SYN without any intervening data transmission is,
OTOH, a characteristic behavior of port scanners. So you had it backwards.
Here's a tidbit for you to consider. pf offers an option on filtering
rules for inbound SSL connections called "synproxy", which relieves server
software of the effort of dealing with bogus connection attempts by handling
the SSL exchanges itself before passing the connection on to the server. It
also means that a connection from something that doesn't know how to perform
the SSL handshaking will sit until the timeout occurs, so the attacker is
stuck with an outstanding connection tying up resources until that happens.
That delay of a couple of minutes can be a long and wasteful nuisance to an
attacker. OTOH, a legitimate application, e.g., a tor client or relay trying
to connect to the ORPort of another relay, completes the handshake and begins
communicating with its peer with no delay, and the software accepting the
connection only deals with the legitimate connections. It works just great!
:-) I highly recommend it to anyone running a tor relay on a system that
supports pf.
>
>I have only one external address and only a few ports forwarded, so I can't
>detect portscans. I have noticed that an attempt to guess passwords on SSH is
>often, but not always, preceded by a connect and disconnect from the same IP
>address, which is probably part of a portscan. I don't block addresses that
>scan ports, but I do block addresses that try to guess passwords (not on the
>Tor box, just on the other one). The block expires in a day.
>
To each his/her own. Legitimate port scanning operations are typically
run by system/network administrators against the machines on their *own
networks*. I treat any others as attackers or at least attacker-wannabes,
and I keep track of such miscreants indefinitely against the possibility that
I might someday provide services other than tor relaying. The miscreants
will have no access to such services on general principles and will only
have access to the tor node if and when they are currently running a public
(i.e., not a bridge) tor node on the system with the IP address from which
their tor attempts to connect to mine.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
More information about the tor-relays
mailing list