[tor-relays] Intrusion Prevention System Software - Snort or Suricata

BlinkTor toradmin at brazoslink.net
Tue Oct 4 15:21:14 UTC 2016


> On Oct 4, 2016, at 7:48 AM, pa011 <pa011 at web.de> wrote:
> 
> One of my main ISPs is going mad with the number of abuses he gets from my Exits (currently most on port 80).
> He asks me to install "Intrusion Prevention System Software" or shut down the servers.
> He personally recommends Snort or Suricata.
> 
> As far as I understand, implementing such software does not go together with Tor - am I right?
> Does anybody have the same or any experience?


Yes, no, and maybe.

Yes, you can run IPS on a Tor relay, but you have to be very careful doing it, because a standard implementation of IPS would end up blocking Tor exits, which would obviously be problematic. You really need to exclude the (dynamic) Tor exit node list from IPS monitoring—which ends up not solving your problem…so, no, IPS won’t really help you.

Maybe IPS would be a fantastic thing to integrate into Tor, because it would answer the primary overall objection to Tor, which is that it enables abusive internet behavior. We market the “attractive” uses of Tor—personal privacy, protecting dissidents & whistleblowers, gathering intelligence—but when abuse issues arise (brute force SSH attacks, DOS attacks, HTTP/PHP hacks, copyright infringements, etc. etc.), we shrug them off as “the cost of freedom” and cite statistics to justify the status quo. The end result is that major players—even in the free world—completely block access to/from Tor nodes. Abuse issues create a very strong public perception that Tor has a high cost vs. benefit. If we’re fine with the status quo, no problem. But if we want broader adoption/acceptance of Tor, we need to address the abuse issue somehow.

The technical problem is that implementing IPS in Tor would be massively non-trivial. In order for IPS to function properly within Tor, while maintaining strict anonymity, a Tor node detecting an IPS trigger would have to pass the event back up the relay chain until the entry relay (the only node that “knows” the actual initiating host) was finally able to block the offending host/port.

The political problem is, what gets blocked by TIPS and what doesn’t? Who gets to decide? What if some of those brute-force SSH or DOS attacks are “good guys” trying to crack the “bad guy” servers? Is that legitimate Tor traffic? Who gets to decide who are the good/bad guys? Could we agree on a base level of protection, perhaps by relay operator consensus? Etc.

These problems are not insurmountable, but they are significant.

Jon


