[tor-relays] Traffic in port 9050 in a relay (denial of service attack?)

mick mbm at rlogin.net
Wed Nov 6 11:26:06 UTC 2013


On Wed, 06 Nov 2013 10:30:30 +0000
Kevin Steen <ks at kevinsteen.net> allegedly wrote:

> On 06/11/13 06:09, Andreas Krey wrote:
> > On Tue, 05 Nov 2013 14:09:40 +0000, Thomas Hand wrote:
> > ...
> >> Also, use iptables! If it is a dedicated VPS then drop anything
> >> you don't recognize,
> > 
> > What for? The ports that you want to block are rejected by the
> > kernel anyway, as there is no one listening. (The minor added
> > protection that malware needs to be root to disable iptables and
> > effectively listen - is that worth the work?)
> 
> Dropping bad requests will reduce your bandwidth usage through not
> having to send TCP RST responses, and will also increase the workload
> of the attacker as they'll have to wait for a timeout on each
> connection.

It is also good practice to whitelist traffic inbound. The fact that
there is no service currently listening on port "N" does not mean that
there will /never/ be a service listening on port "N". Blocking by
default can protect you from that WTF moment when you find that some
system upgrade or reconfiguration has fired up a service you didn't
expect or thought you had removed.

I've been there. I also believe in belt and braces. 

> I wouldn't recommend dropping everything, though, as it makes
> troubleshooting very difficult - just drop connections to ports which
> get attacked.

I disagree. Dropping all traffic other than that which is explicitly
required is IMHO a better practice. (And how do you know in advance
which ports get attacked?)

Best

Mick
---------------------------------------------------------------------

 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 http://baldric.net

---------------------------------------------------------------------
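What the "whitelist inbound, drop everything else" advice above looks like on a relay box, as an added example (not code from this thread or from the Tor project). It assumes ORPort 9001, DirPort 9030 and SSH on 22, an IPv4-only host, and a kernel with the conntrack match available; adjust the ports to your torrc and sshd_config, and mirror the rules in ip6tables (with the icmpv6 types) if the relay has a v6 address.

```shell
#!/bin/sh
# Added example, not code from the tor-relays thread: a default-drop,
# whitelist-inbound iptables ruleset for a dedicated Tor relay host.
# Assumptions (change to match your torrc and sshd_config): ORPort 9001,
# DirPort 9030, SSH on 22, IPv4 only; an IPv6 relay needs the same in
# ip6tables with the icmpv6 types allowed as well.

# Print an iptables-restore(8) file for the given ports.
# usage: relay_ruleset [ORPORT] [DIRPORT] [SSHPORT]
relay_ruleset() {
    orport="${1:-9001}"
    dirport="${2:-9030}"
    sshport="${3:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is where ControlPort/SocksPort (if configured) listen; never filter it
-A INPUT -i lo -j ACCEPT
# replies to connections this relay opened itself (circuits to other relays,
# directory fetches); without this line the relay cannot talk to anyone
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# malformed or out-of-state packets are dropped silently
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep the host diagnosable: rate-limited ping, plus the ICMP errors that
# path-MTU discovery depends on
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# the whitelist: the only TCP services this host is meant to expose
-A INPUT -p tcp --dport ${sshport} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${orport} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${dirport} -m conntrack --ctstate NEW -j ACCEPT
# anything else (the port 9050 probes from the subject line included) hits
# the INPUT policy: dropped, no RST, so a scanner has to wait out its own
# timeout instead of getting an instant answer from the kernel
COMMIT
EOF
}

# Count the inbound TCP ports a ruleset (read from stdin) opens; a quick
# sanity check before loading it.
open_port_count() {
    grep -c -- '--dport'
}

# Parse-check with iptables-restore --test, then load only if that passed.
# Run this from a console (or with a scheduled revert) the first time,
# since a wrong SSH port locks you out of a remote box.
apply_ruleset() {
    tmp=$(mktemp)
    relay_ruleset "$@" > "$tmp"
    if iptables-restore --test "$tmp" && iptables-restore "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# ./relay-fw.sh show|apply [ORPORT] [DIRPORT] [SSHPORT]
if [ "${1:-}" = "apply" ]; then
    shift
    apply_ruleset "$@"
elif [ "${1:-}" = "show" ]; then
    shift
    relay_ruleset "$@"
fi
```

The ESTABLISHED,RELATED line is the one people forget: with a DROP policy and no state rule, the relay's own outbound circuits get no replies and it silently drops off the network. The policy is DROP rather than REJECT on purpose, matching the thread: a REJECT would hand back the same RST the kernel sends for a closed port and give the scanner its answer for free.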


