[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Moritz Bartl moritz at torservers.net
Tue Oct 4 16:46:03 UTC 2016


On 10/04/2016 06:23 PM, Tristan wrote:
> Wouldn't it be interesting if we could set up some kind of central "Tor
> Abuse Center" where all the complaints go, and all the relay operators
> can help respond to them. I suppose it would be pretty chaotic though...

We actually discussed this briefly again at the recent Tor developers
meeting, and it comes up every once in a while. It's an interesting
thought experiment, and it would not take much to turn ourselves into an
Abuse Management provider. I've seen this actually exists in the
commercial space.

One thing that makes it hard is that there's no assurance that someone
is really only running an exit on a certain IP address; even if the
Abuse Management Service verified that that IP address was a Tor exit at
that point in time, it cannot in all honesty state that in fact the exit
relay process caused a particular network activity or not.

I do think we can operate this "in good faith", and we simply cannot set
it up in a way that we can make it impossible to misuse.

Still, this will not help in this (and related) cases: I have not yet
seen proven cases where the reputation of the netblock was endangered,
but if an ISP is afraid of that, there's no good way to cooperate. An
IDS is their obvious suggestion, which just shows that they don't
understand how Tor works. I argue strongly against deploying such
systems on Tor exits. It will mess up more than it does good, and it
won't be able to reliably detect *and block* bad behaviour.

-- 
Moritz Bartl
https://www.torservers.net/

