[tor-relays] Traffic in port 9050 in a relay (denial of service attack?)

Jeroen Massar jeroen at massar.ch
Wed Nov 6 13:00:15 UTC 2013


On 2013-11-06 13:47 , mick wrote:
> On Wed, 06 Nov 2013 14:00:09 +0200
> Lars Noodén <lars.nooden at gmail.com> allegedly wrote:
> 
>> On 11/06/2013 01:26 PM, mick wrote:
>>> I disagree. Dropping all traffic other than that which is
>>> explicitly required is IMHO a better practice. (And how do you know
>>> in advance which ports get attacked?)
>>
>> Using reject instead of drop simplifies troubleshooting.
>>
>> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
>>
>> Drop tends to get in the way.
> 
> Again, I disagree. But I recognise that this can be a religious
> decision. My default policy is to drop rather than reject. I know
> that strict adherence to standards implies we should “REJECT” with a
> helpful ICMP error message.

Configure your host with DROP, do an nmap, then configure it with REJECT
thus for Linux:

IPv4: -j REJECT --reject-with icmp-port-unreachable
IPv6: -j REJECT --reject-with icmp6-port-unreachable

Now repeat that nmap; indeed, for the DROP it is shown that these ports
are filtered, for REJECT the ports are just 'closed'.

Hence, the adversary did not learn anything in the REJECT case (services
apparently are not there), but in the DROP case they learned that you
have a firewall configured and that those services are likely there...

Hence, not only is reject good for the user (as they do not time out
connecting to the port), but it is also good against adversaries as they
do not learn anything.

As you say it is one of those 'religious' decisions, but in this, the
facts show what should be preferred for multiple reasons ;)

> But, doing that can mean that
> incoming packets with a spoofed source address can get replies sent
> back to that (innocent) source address. DDOS bots exploit this
> behaviour. 

As there is no amplification (only a portion of the incoming packet is
included) this is not used; there are much better sources of attack.

Greets,
 Jeroen
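
Added example, not part of the original message: a connect-based check an operator can run against their own host to see which of the two behaviours discussed above each port presents. The labels follow the message's wording ("closed" for an active refusal, "filtered" for silence); the function names, the `allowed` parameter and the sample ports are assumptions made for this example.

```python
import errno
import socket


def probe(host, port, timeout=1.0):
    """Classify one TCP port as seen from the connecting side."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"                      # handshake completed
    except ConnectionRefusedError:
        return "closed"                        # the host actively refused
    except (socket.timeout, TimeoutError):
        return "filtered"                      # no answer before the timeout
    except OSError as exc:                     # e.g. EHOSTUNREACH, ENETUNREACH
        return "error:" + errno.errorcode.get(exc.errno, "unknown")


def audit(host, ports, allowed, timeout=1.0):
    """Probe ports on a host you administer; return (states, findings)."""
    states = {p: probe(host, p, timeout) for p in ports}
    findings = []
    for port, state in sorted(states.items()):
        if port in allowed:
            if state != "open":
                findings.append(f"{port}: expected open, got {state}")
        elif state == "open":
            findings.append(f"{port}: open but not in the allowed set")
        elif state == "filtered":
            findings.append(f"{port}: silent, so a packet filter is visible here")
    return states, findings


if __name__ == "__main__":
    # Constructed demo on loopback: one listener stands in for an intended service.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    service = srv.getsockname()[1]
    ports = [service, 9050]                    # 9050 is only a sample port here
    states, findings = audit("127.0.0.1", ports, allowed={service})
    for port in ports:
        print(port, states[port])
    for line in findings:
        print("finding:", line)
    srv.close()
```

Point it at the host's external address from another machine you control; probes over loopback usually never reach the rules that apply to outside traffic.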


