[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Tristan supersluether at gmail.com
Wed Oct 5 19:17:14 UTC 2016


Be that as it may, there must be *something* we can do about this as relay
operators. If you get caught doing something illegal on your home Internet
connection, there are warnings, and eventually consequences (like being
disconnected). Just because you run a Tor relay doesn't mean the rules
don't apply to you, and if we can't do anything to stop illegal activity,
eventually relays are going to be disconnected.

I understand both sides of the argument, and why no solution would be
perfect, but we need to figure something out. This problem will not go away
on its own, and I expect it to only get worse as time goes on.

Personally, I don't like the idea of filtering traffic at the exit node,
because it seems to undermine the whole purpose of Tor: unrestricted
anonymous access. However, there must be some way to identify at least some
malicious traffic, such as bots. If Tor relays start filtering traffic, I
think it should be opt-in, and it should happen at the guard relay. That
way not all relays filter by default, and if something gets blocked, it
happens *before* it gets routed through the network.

Of course, we could always identify what constitutes filtering. As
already stated, each exit relay has its own exit policy, so technically
everyone already filters traffic based on port. If an IPS only logs
non-identifiable information, I don't think it would compromise anonymity,
but at the same time, people may not trust Tor if it starts scanning
traffic.

On Wed, Oct 5, 2016 at 1:58 PM, Green Dream <greendream848 at gmail.com> wrote:

> @Mirimir:
>
>
> >> IPS aren't perfect - they let some unwanted traffic through, and
> >> block other traffic that is totally ok.
>
>
> > That is an issue. But there are many exits, so eventually users should
> > find one that works well enough for their purposes.
>
>
> Re-read what you said and think about this from the user's
> perspective. This is a recipe for disaster when it comes to Tor user
> experience. Perhaps it seems suitable to you, as a technical person
> and a relay operator, but just think about this problem for a barely
> technical user, or someone new to Tor. What will actually happen is
> people will try Tor, hit a shitty exit with random performance
> problems from an IPS, log off and never use Tor again.
>
> Tor needs all the help it can get with regards to usability and
> reliability. It's gotten better over the years but I still get
> circuits that are borderline unusable. Adding a hodgepodge of blocking
> IPS systems into the mix isn't going to help this problem.
>
> No offense to the ISP here (I do think they are within their rights to
> take this position), but I think relay/exit operators should find ISPs
> that understand Tor and don't demand an IPS.



-- 
Finding information, passing it along. ~SuperSluether