[tor-relays] Simplifying ExoneraTor

teor teor2345 at gmail.com
Tue Jul 7 14:02:59 UTC 2015


> On 7 Jul 2015, at 23:23 , josh at tucker.wales wrote:
> 
> 
>>>> 
>>>> For c), we'd just check if there's a "p reject 1-65535" line or not.
>>> 
>>> I think this is a perfectly OK way of doing this considering the use case.
>> 
>> I agree, as long as we document what "Exit" means, and that there are edge cases where a relay could be used to exit to a small number of IPs, yet not have "yes" in the "Exit" column. (A false negative.)
>> 
>> It may be worth documenting the false positives as well, that is, that there are many ways a packet could appear to be from an IP, yet not have come via Tor.
>> 
>> Are we going to provide a list of exit ports, or does Exonerator not go into that level of detail?
> 
> I'm also a little concerned by this, but I think the acceptable solution is:
> 
> If a relay can exit on any port at all, it should have "Exit: Yes", because from an investigatory point of view, it CAN act as an exit.
> 
> However, I'm a little worried that this will lead people to think that the relay can act as a general exit to the web (80, 443). I think it's important that we specify the ports that existed in the exit policy for that relay at that point in time.
> 
> What's your opinion on this Karsten, Tim?

Consider two use cases:

Organisation X experiences an attack on their website via an IP address, and they want to identify the origin of the attack. Exonerator tells them that the IP was used by a Tor Exit that permitted port 80. (This is a very likely scenario.)

Organisation X experiences an SSH login/password scan via an IP address, and they want to identify the origin of the attack. Exonerator tells them that the IP was used by a Tor Exit that permitted port 22. (This is perhaps a less likely scenario, but still well worth knowing about.)

We could split the Exit column in two (web ports, other ports), but I'd prefer to provide the list of ports in a detail page, and let the analyst do their own triage. But if we only have one page, perhaps the split is worthwhile.

Tim


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
pgp ABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7
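As an added illustration (not code from this thread or from ExoneraTor itself), the following parser takes the consensus "p" policy-summary line the thread refers to, answers the "Exit" yes/no question by the "p reject 1-65535" rule, and produces the per-port list Josh asks for so an analyst can check port 80 or 22 themselves. The function names are my own; the line format (accept/reject followed by a comma-separated port list with ranges) is the one Tor's directory specification uses.

```python
import re

MAX_PORT = 65535


def parse_port_list(spec):
    """Turn '80,443,6000-6010' into a list of (lo, hi) tuples."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range: {item}")
        ranges.append((lo, hi))
    return ranges


def _merge(ranges):
    """Sort and coalesce overlapping or adjacent ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def accepted_ranges(p_line):
    """Return the port ranges a 'p accept ...' / 'p reject ...' line permits.

    Caveat from the thread: the summary only reflects ports the relay exits
    to broadly, so a relay that exits to a few ports for a handful of IPs can
    still come back empty here (a false negative for 'Exit').
    """
    m = re.fullmatch(r"p (accept|reject) (\S+)", p_line.strip())
    if not m:
        raise ValueError(f"not a policy summary line: {p_line!r}")
    verb, spec = m.groups()
    ranges = _merge(parse_port_list(spec))
    if verb == "accept":
        return ranges
    # reject: everything in 1-65535 that is not listed is allowed
    allowed, cursor = [], 1
    for lo, hi in ranges:
        if lo > cursor:
            allowed.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= MAX_PORT:
        allowed.append((cursor, MAX_PORT))
    return allowed


def is_exit(p_line):
    """The 'Exit' column: yes unless the summary rejects every port."""
    return bool(accepted_ranges(p_line))


def permits_port(p_line, port):
    """Could this relay have exited to the given port?"""
    return any(lo <= port <= hi for lo, hi in accepted_ranges(p_line))


def exit_summary(p_line):
    """Detail-page style output: Exit flag plus the permitted port list."""
    ranges = accepted_ranges(p_line)
    ports = ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)
    return {"exit": bool(ranges), "ports": ports}
```

Running `exit_summary("p accept 22")` shows Josh's concern directly: the relay is an Exit, but the port list makes clear it could not have reached a web server.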
