[tor-relays] So long and thanks for all the abuse complaints

Mon Dec 4 18:00:15 UTC 2017

Zack Weinberg wrote:
> On Mon, Dec 4, 2017 at 10:57 AM, Ralph Seichter <m16+tor at monksofcool.net> wrote:
>> On 04.12.17 11:59, James wrote:
>>
>>> As a private individual, after just receiving my 4th abuse complaint
>>> in as many days it's time to stop running my exit node.
>>

Thanks for running the exit and I am sorry you took the decision to shut
it down. However, 4th abuse complaint in few days is really not a big
deal, I could say I swim in such reports, but then again it's up to each
and every one when to stop.

What I want to point out is a HUGE difference between:

1. *Abuse Reports* aka *Serious complaints*, those that are addressed
directly and formally, sent by a human, and explicitly require action or
at least reply with explanation. These are very rare.

2. *Junk NOTIFICATIONS* aka *WARNINGS* aka *Simple Notifications to
safely ignore*, those that are not addressed formally ("to whomever it
may concern..."), are sent by bots or automated scripts (firewalls,
intrusion systems, fail2ban, etc) which simply run a whois on an IP
address and bomb the abuse mailbox with spam, most sent from addresses
that even if a reply is sent the message is discarded - these DO NOT
require action nor reply. These are the 99% ones.

>> I've had an ongoing debate with a hosting service over a fresh exit node
>> being abused for network scans (ports 80 and 443) almost hourly for the
>> last few days. I can understand that they are pissed off, and the whole
>> thing resulted in this particular exit being shut down by the hoster. If
>> I could detect and prevent these scans, it would go a long way to avoid
>> having my exit nodes shut down by hosting services.
> 

This is just a defective policy of that hoster. If a hoster goes mad
because it receives some useless junk notifications, that is not much of
a hoster. The first problem is that one who feels port-scanned or probed
needs to implement defenses at their end, not bomb with automated spam
messages everyone that is connecting to them. You cannot rely on
everyone else doing something in order to ensure your security when you
can implement protections for yourself.

A large exit node (big consensus weight) is almost guaranteed a false
positive to trigger such a dumb warning system, even in legitimate cases
where simply more users pick it as Exit and the service (end point) is
popular.

> With my exit node operator hat on, I too would like to see some sort
> of port-scanning prevention built into the network.  In my case, I had
> to turn off exiting to the SSH port because we were getting daily
> complaints about abusive scanning for devices with weak admin
> passwords.  Which is a shame, since there are plenty of legitimate
> uses for SSH-over-Tor.
> 

I agree it's annoying but it is very hard to implement port-scanning
prevention directly in Tor especially because new connections should not
be distinguishable if they come from the same user or multiple users.
The exit relay should have no definition about this, otherwise you have
to go deeper into streams attached to each circuit which is totally
different. This will be over-engineering with absolutely no gains
because someone that wants to abuse simply does not care about the
network and will just keep port-scanning with isolated requests /
different circuits (might be slower, but still work) and will consume
even more resources in the network.

I don't think this is the way to go, under any circumstances. Better to
learn to make difference between junk notification and serious reports
that require action or reply.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20171204/6d13e74f/attachment.sig>