[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Jon Gardner toradmin at brazoslink.net
Thu Oct 6 13:30:48 UTC 2016


> On Oct 6, 2016, at 7:45 AM, <oconor at email.cz> <oconor at email.cz> wrote:
> 
> - The traffic going out of tor exit nodes in our network is even worse than the one which is coming out of the internet. Paul who started this thread has constant flow over 50kpps. It consists mostly of various DoS attacks + exploits against many known CMS. I wouldn't wonder if there could come an attack against our infrastructure. Anyway it would be really interesting to analyze that flow completely.


This is a useful point. Tor IPS wouldn't need to "censor" anything, or even scan Tor traffic. Tor nodes are under constant attack, they're natural "honeypot" servers. TIPS could detect a base set of commonly-known malicious attacks _on_the_node_itself_ (not on internal Tor traffic), and then determine if those attacks were coming from another Tor node (easily done). If so, TIPS could "run it up the chain" to block the actual offending host at the other end of the Tor connection, (probably) without compromising anonymity, and without breaking the Tor network. Attacks coming from a non-Tor node could optionally be ignored or processed like a "standard" IPS, depending on how it's implemented.

I recognize that the actual implementation is still non-trivial, but this would at least give the Tor network a base level of IPS capability without breaking anything. More important, it would demonstrate to the Internet community that Tor is actually doing something proactive about abuse. Tor claims to operate like a specialized ISP, and any good ISP protects its own servers.

Jon
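One way the triage described in the message above could look in code, as an added example that is not part of the original thread or of Snort/Suricata: it parses the "fast" alert line format both tools can write, keeps only alerts aimed at this relay's own non-Tor services, and tags those whose source is a known relay as candidates to report up the chain. The node address, ORPort/DirPort, relay set and log lines are all constructed; in practice the relay set would come from the Tor consensus.

```python
import re
from collections import defaultdict, namedtuple

# Line shape of the "fast" alert output that both Snort and Suricata can write.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
Alert = namedtuple("Alert", "sid msg src dst dport")

def parse_fast_log(text: str) -> list:
    """Parse fast-log lines into Alert tuples; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            alerts.append(Alert(int(m["sid"]), m["msg"], m["src"], m["dst"], int(m["dport"])))
    return alerts

def classify(alerts, node_ips, tor_ports, relay_ips) -> dict:
    """Bucket alerts as the post suggests: only attacks on the node's own services
    count, and those are split by whether the source is a known Tor relay."""
    buckets = defaultdict(list)
    for a in alerts:
        if a.dst not in node_ips:
            buckets["ignored_not_this_node"].append(a)
        elif a.dport in tor_ports:
            buckets["ignored_tor_internal"].append(a)  # relayed Tor traffic, not inspected
        elif a.src in relay_ips:
            buckets["tor_origin"].append(a)            # candidate to report up the chain
        else:
            buckets["non_tor"].append(a)               # ordinary IPS handling, or ignore
    return dict(buckets)

# Constructed sample data: documentation-range addresses and made-up SIDs/messages.
SAMPLE_LOG = """\
10/06/2016-13:30:48.000001  [**] [1:9000001:1] CONSTRUCTED WEB admin login brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51234 -> 203.0.113.5:80
10/06/2016-13:30:49.000002  [**] [1:9000002:1] CONSTRUCTED SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:40001 -> 203.0.113.5:22
10/06/2016-13:30:50.000003  [**] [1:9000001:1] CONSTRUCTED WEB admin login brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51300 -> 203.0.113.5:9001
10/06/2016-13:30:51.000004  [**] [1:9000002:1] CONSTRUCTED SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:40002 -> 203.0.113.9:22
"""
NODE_IPS = {"203.0.113.5"}        # this relay's own address (assumed)
TOR_PORTS = {9001, 9030}          # ORPort/DirPort this relay listens on (assumed)
KNOWN_RELAYS = {"198.51.100.7"}   # would be built from the consensus; constructed here

def run_sample() -> dict:
    return classify(parse_fast_log(SAMPLE_LOG), NODE_IPS, TOR_PORTS, KNOWN_RELAYS)
```

Only the "tor_origin" bucket is what the post proposes escalating; the two "ignored" buckets are exactly the traffic the message says a Tor IPS should not be scanning.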


