[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Markus Koch niftybunny at googlemail.com
Tue Oct 4 19:55:01 UTC 2016


Everyone is running a reduced exit policy ... I only allow HTTP +
HTTPS and I know nobody who allows port 25 .... at the end of the day
we all shape our exit traffic.

Markus


2016-10-04 21:42 GMT+02:00 Roger Dingledine <arma at mit.edu>:
> On Tue, Oct 04, 2016 at 10:21:14AM -0500, BlinkTor wrote:
>> The technical problem is that implementing IPS in Tor would be massively non-trivial.[...]
>>
>> The political problem is, what gets blocked by TIPS and what doesn't? Who gets to decide? What if some of those brute-force SSH or DOS attacks are "good guys" trying to crack the "bad guy" servers? Is that legitimate Tor traffic? Who gets to decide who are the good/bad guys? Could we agree on a base level of protection, perhaps by relay operator consensus? Etc.
>
> Another challenge here is that many lawyers have told us that you change
> your legal situation if you start choosing which traffic to allow
> through. Specifically, if you just pass bytes back and forth, you're
> essentially in the common carrier situation, like backbone telcos and
> backbone Internet providers. But if you make a list of topics or messages
> or patterns to block, then it becomes your responsibility to make that
> list perfect, and your fault if you leave something out of your list.
>
> So it would seem that using an IPS is fundamentally dangerous for relay
> operators.
>
> I've heard that this logic applies both in the US and in Europe. But
> it's been a while since we've had an actual lawyer look at the topic.
> Maybe this is a great question for each of the torservers.net umbrella
> orgs to ask their friendly nearby lawyers who are wanting to help them?
>
> There is also the separate but related question of wiretapping: blocking
> some traffic based on patterns in the request content implies looking at
> the traffic, which relay operators typically do not have permission to
> do. While ISPs typically make their customers sign an agreement that they
> will be surveilled (and I guess they ignore the concept of jurisdictions
> that require consent from both sides), Tor relay operators do not have
> that agreement -- and they can't really get it, because their 'users'
> are all the Tor users.
>
> In summary, I totally get why hosting providers would want to ask relay
> operators to monitor their traffic and block certain activities by
> examining connection payloads, and that's to make their lives easier,
> not for any legal requirement. But it would appear there are some legal
> reasons why Tor relay operators might (should?) hesitate to deploy
> an IPS on their traffic, and those legal reasons are probably not as
> well-understood as they could be.
>
> Do any of the torservers umbrella orgs want to pick this one up and do
> something with it? I remember hearing Pepijn cite a specific EU law that
> says European relay operators aren't liable for their traffic so long
> as they don't mess with it.
>
> One of the goals would be for relay operators to better understand the
> tradeoff they should consider when deciding whether to do the thing
> that their ISP asks for. Another goal would be for the ISP to better
> understand what they're asking from the relay operators.
>
> --Roger
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
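The "reduced exit policy" Markus refers to is the one traffic-shaping lever the thread treats as uncontroversial: an exit relay decides per destination address and port, never by looking into the payload the way an IPS would. The following evaluator is an added example, not code from the tor-relays thread or from the Tor project; it models the documented first-match semantics of torrc ExitPolicy lines (accept/reject, an address or `*`, a single port, a port range or `*`). Assumptions: IPv4 literals only, no CIDR masks, no accept6/reject6, no `private` keyword, and a destination matching no rule is treated as rejected. The policy text is constructed to match the "HTTP + HTTPS only" setup described in the message.

```python
"""Tor-style exit policy evaluator (added example, not Tor project code).

Implements the first-match rule for ExitPolicy lines. Assumptions: IPv4
literals only, no CIDR masks, no accept6/reject6, no 'private' keyword;
a destination that matches no rule is treated as rejected.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed torrc fragment modelling the "HTTP + HTTPS only" policy.
REDUCED_POLICY = """
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""


@dataclass(frozen=True)
class Rule:
    accept: bool   # True for "accept", False for "reject"
    addr: str      # "*" or a literal IPv4 address
    lo: int        # first port of the range
    hi: int        # last port of the range


def _parse_ports(spec: str) -> Tuple[int, int]:
    """'*' -> (1, 65535); '80-443' -> (80, 443); '25' -> (25, 25)."""
    if spec == "*":
        return 1, 65535
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
    else:
        lo = hi = int(spec)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi


def parse_policy(text: str) -> List[Rule]:
    """Parse torrc ExitPolicy lines; one line may hold several comma-separated rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("ExitPolicy"):
            line = line[len("ExitPolicy"):].strip()
        for chunk in line.split(","):
            action, target = chunk.split()
            if action not in ("accept", "reject"):
                raise ValueError(f"unknown action: {action}")
            addr, ports = target.rsplit(":", 1)
            lo, hi = _parse_ports(ports)
            rules.append(Rule(action == "accept", addr, lo, hi))
    return rules


def exit_allowed(rules: List[Rule], dst_addr: str, dst_port: int) -> bool:
    """First matching rule wins. Only address and port are consulted, never payload."""
    for r in rules:
        if (r.addr == "*" or r.addr == dst_addr) and r.lo <= dst_port <= r.hi:
            return r.accept
    return False  # assumption: no matching rule means reject


def summarize(policy_text: str, dst_addr: str, ports: List[int]) -> Dict[int, bool]:
    """Map each candidate destination port to the policy's accept/reject decision."""
    rules = parse_policy(policy_text)
    return {p: exit_allowed(rules, dst_addr, p) for p in ports}


if __name__ == "__main__":
    decisions = summarize(REDUCED_POLICY, "203.0.113.10", [22, 25, 80, 443, 8080])
    for port, ok in decisions.items():
        print(f"port {port:5d}: {'accept' if ok else 'reject'}")
```

Running it shows 80 and 443 accepted and 22, 25 and 8080 rejected; the decision never depends on what the client sends inside the stream, which is exactly the property that keeps an exit policy out of the content-inspection territory the quoted reply warns about.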

