[tor-talk] Automatic vulnerability scanning of Tor Network?

Lee ler762 at gmail.com
Tue Dec 20 18:05:02 UTC 2011

On 12/20/11, Fabio Pietrosanti (naif) <lists at infosecurity.ch> wrote:
> I made a big portscan+app fingerprinting of all Tor exit and Relay:
>  [.. snip ..]

Which is why I stopped running a relay - waaaay too many people poking
at my machine.  In retrospect I was probably just incredibly naive,
but when I put up a tor relay I was expecting to just relay tor
traffic.  I did not sign up to be the target of any wannabe pen

> It would be interesting to analyze it to understand "what's running" on
> Tor Exit and Tor Relays, eventually make up some kind of network
> monitoring systems like it's done for Enterprise Security Monitoring
> Systems.

The difference being that enterprise security monitoring systems are
monitoring *enterprise* systems.  Tor exits and relays do not belong
to you; you have no right (certainly the ability, but NOT the right)
to run pen tests on those machines.

> IE (automatically):
> - Having a periodic portscan + application fingerprinting
> - Passing the result to a nessus vulnerability analyzer
> - Sending the results to the contact info
> - Repeating the tests every 2 weeks, sending again the result to the
> contact info
> - If a "high" vulnerability is not fixed within 1
> month, publish it to the internet

Absolutely brilliant.  Someone donates to your cause and, if they
don't come up to your standards, you do your best to ensure they get
pwned instead of just dropping them from the donor list.

> Or a process like that to always know that the "System/Network" security
> of computers running Tor is ok, and if not ok "do something".

It seems to me the only legitimate "do something" available to the Tor
community would be to drop the server from the list of tor nodes.

> Imho it would not be complicated to set up something like that

It wouldn't be hard to set up, but absent an agreement with the owners
to allow scanning, how long do you think it would last?  I kept adding
IPs to my blacklist until I got tired of it & turned the relay off.
(no, I didn't allow scanning my machine.  But I did log all attempts.
Blacklisted addresses got totally blocked)
