[tor-relays] How to protect yourself from network scanning

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed Aug 1 07:19:19 UTC 2012


On 7/31/12 7:18 PM, amki wrote:
> Hiho,
> 
> I am hosting a 3-5MB/s tor exit relay but as of today my hoster has
> closed my server because of network scanning.
> Is there a known proper way to protect yourself from being used as a
> network scan relay?
> 
> I've thought about constructing iptables rules to limit the number of
> SYN packets for the same host per second or such, but I'm not sure if
> this is allowed or will get me flagged as a bad exit node.
> 
> My hoster is quite ok with us generating some abuse complaints per
> month, but does not want to route network scanning traffic since it is
> a severe load to their routers. Any help would be appreciated

That's a problem I tried to address in several ways using system
administration tools (from portscan detectors to the most esoteric
iptables modules/combinations) but didn't succeed.

It would probably require custom software to be developed to detect
outgoing portscans and then mark the traffic, diverting it to iptables
rules that apply specific rate limiting/blocking.

The portscanning patterns that IMHO trigger abuse complaints are mostly two:
a) Multiple target IPs of the same netblock for a single TCP port within
a short timeframe
b) Multiple TCP ports for a single target IP within a short timeframe

It would be reasonably easy to make an algorithm that detects outgoing
portscans, with limited risk of hurting other Tor traffic, and implement
it with the netfilter API, so that it would be possible to "mark" that
traffic.

Then, what you want to do with "marked" traffic may be just log, or
block, or rate limit, or limit the number of connections marked in this way.

IMHO finding a reasonable way and algorithm to detect outgoing portscans
and shape them would be very useful, even if I know that it doesn't get
that much community acceptance, blocking/limiting being a controversial
topic.

-naif
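The two patterns naif describes, implemented as an added example (not code from the post or from the Tor project): a sliding-window detector fed with outbound TCP SYN records, plus a renderer for an iptables mangle rule that "marks" the offending flows so a separate rule can log, drop or rate limit them. The input format (timestamp, destination IP, destination port), the 60-second window, the thresholds of 20 hosts / 15 ports, the /24 netblock granularity, the mark value 0x1 and the sample trace are all assumptions chosen for illustration; real thresholds have to be measured on the relay, and the trace is constructed, not captured.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

# Tunable assumptions: what counts as a "short timeframe" and how many
# distinct targets make a scan. Real values need measuring on the relay.
WINDOW_SECONDS = 60
SWEEP_HOSTS = 20      # pattern (a): distinct hosts in one netblock, one port
VERTICAL_PORTS = 15   # pattern (b): distinct ports on one host
NETBLOCK_PREFIX = 24  # netblock granularity for pattern (a)


class OutboundScanDetector:
    """Sliding-window detector for outbound TCP connection attempts."""

    def __init__(self, window=WINDOW_SECONDS, sweep_hosts=SWEEP_HOSTS,
                 vertical_ports=VERTICAL_PORTS, prefix=NETBLOCK_PREFIX):
        self.window = window
        self.sweep_hosts = sweep_hosts
        self.vertical_ports = vertical_ports
        self.prefix = prefix
        # (netblock, port) -> deque of (ts, dst_ip): pattern (a)
        self.by_block_port = defaultdict(deque)
        # dst_ip -> deque of (ts, dst_port): pattern (b)
        self.by_host = defaultdict(deque)

    def _expire(self, dq, now):
        """Drop entries older than the window (timestamps must be monotonic)."""
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def observe(self, ts, dst_ip, dst_port):
        """Record one outbound SYN; return the alerts this attempt triggers.

        An alert fires exactly when the distinct count reaches the threshold,
        so a sustained scan yields one alert per window, not one per packet.
        Counting distinct hosts/ports keeps retries to one host from inflating
        the count, which is what protects ordinary Tor traffic.
        """
        alerts = []
        block = str(ip_network(f"{dst_ip}/{self.prefix}", strict=False))

        dq = self.by_block_port[(block, dst_port)]
        self._expire(dq, ts)
        dq.append((ts, dst_ip))
        if len({ip for _, ip in dq}) == self.sweep_hosts:
            alerts.append((ts, "sweep", block, dst_port, self.sweep_hosts))

        dq = self.by_host[dst_ip]
        self._expire(dq, ts)
        dq.append((ts, dst_port))
        if len({p for _, p in dq}) == self.vertical_ports:
            alerts.append((ts, "vertical", dst_ip, None, self.vertical_ports))
        return alerts


def mark_rule(alert):
    """Render an iptables mangle rule that marks the offending SYNs (mark 0x1,
    an assumed value); what to do with marked packets is left to another rule."""
    _, kind, target, port, _ = alert
    match = f"-p tcp --syn -d {target}"
    if kind == "sweep":
        match += f" --dport {port}"
    return f"iptables -t mangle -I OUTPUT {match} -j MARK --set-mark 0x1"


def constructed_trace():
    """Constructed outbound SYN records (ts, dst_ip, dst_port), not real data."""
    trace = []
    # (a) fast horizontal sweep: SSH on 25 hosts of one /24, one host per second
    trace += [(100 + i, f"192.0.2.{i + 1}", 22) for i in range(25)]
    # (b) vertical scan: 20 ports on a single host, one per second
    trace += [(200 + i, "198.51.100.7", 1 + i) for i in range(20)]
    # benign: HTTPS to a handful of unrelated hosts
    trace += [(300 + i, f"203.0.113.{i + 1}", 443) for i in range(5)]
    # slow sweep that stays under the window threshold: one host every 5 s
    trace += [(400 + 5 * i, f"192.0.2.{i + 1}", 80) for i in range(25)]
    return trace


def run_detector(trace=None):
    """Feed a trace through the detector and collect every alert raised."""
    det = OutboundScanDetector()
    alerts = []
    for ts, ip, port in (trace if trace is not None else constructed_trace()):
        alerts.extend(det.observe(ts, ip, port))
    return alerts


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
        print("  ", mark_rule(alert))
```

On the constructed trace only the fast SSH sweep and the vertical scan fire; the HTTPS connections and the slow port-80 sweep (never more than 13 distinct hosts inside one 60-second window) stay silent, which is the trade-off naif's second point is about: the window and thresholds decide how slow a scan can be before it is indistinguishable from normal exit traffic.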

