[tor-talk] Automatic vulnerability scanning of Tor Network?

Fabio Pietrosanti (naif) lists at infosecurity.ch
Thu Dec 22 08:59:49 UTC 2011


I like seeing so much discussion on such a simple thing :-)

I remind you that this portscan has been done:
- in 10-15 minutes
- while drinking early espresso coffee
- with 2 command lines (wget+nmap)
- on a standard Debian machine
- with standard apt-get packages
- running on a Hetzner VPS at 6 EUR/month

It's not a technically challenging operation, and the rule that "if it
can be done, it will be done" applies.

Other people have already done it, but:
 * without good intention
 * without letting you know
Other people with "bad intention" typically target "a single port with a
mass Tor router scan".
The "bad intention portscans" are not detected by IDS, and people are OK
with that.

That's not good, because this situation triggers the approach:
"what you don't see doesn't hurt you".

While that full portscan "with good intention":
* is detected
* is publicly made available.
Then people "see it, perceive it" and so consider it a risk.

That's just hypocrisy.

This situation reminds me of a way of thinking similar to supporting "closed source":
 * It's better "not to see" so "you can feel more protected".
 * It's better "not to know" so "you can feel more protected".

But that's not the real world:
 * I prefer to keep my eyes open, not closed.
 * I hope anyone there would prefer to keep eyes open, not closed.

IMHO we should only consider, while debating about it, that this should
not be defined as "good or bad" but as "useful or not useful".

About portscans, some common points can be:
* A portscan is not a sign of compromise.
* A portscan doesn't demonstrate intention to compromise the host, if
not followed by other signs of attack.
* Any security operator running an Information Security Monitoring
system just knows that.
* Some people will just over-react to a portscan (door-knocking effect).
* Other people are already port scanning you privately (with the
intention to follow up with an intrusion attempt).

Now I am even more convinced that it's good to do it.
Now I am even more convinced that it's stupid to say:
		"Don't portscan me publicly!"
Now I am even more convinced that this activity has to be done, because
a "good intention proactive approach" is better than just passively
waiting for a "bad intention proactive approach".

However, within the next couple of weeks I will not have much time to
work on it; I hope others will, and I am willing to provide some help.

While doing it, the following best practices should IMHO be followed:
* Set up a web server on the scanning IP explaining the action
* Set up a reverse DNS like

* Advise the IP address of the scanner on the mailing list

I am confident that, after that early over-reaction, it can be
reasonably agreed that the medium-term results of such an initiative are
positive and not negative.

In the meantime, if anyone is interested in filing a lawsuit against me
due to a portscan: please do it!
But think twice first, as I will publicly ask for legal support from the
EFF against censorship actions coming from Tor operators! :P

Let's joke, don't be too serious :-)
Roger Rabbit said something like "If it's not fun, I cannot do it" :P


On 12/22/11 2:17 AM, Gozu-san wrote:
> That's good news.
> So, naif, what got you stirred up about this, if I may ask?
> On 22/12/11 01:09, andrew at torproject.org wrote:
>> On Thu, Dec 22, 2011 at 12:37:11AM +0000, gozu at xerobank.net wrote 0.3K bytes in 6 lines about:
>> : I trust that all with strong opinions on this issue are at least
>> : somewhat familiar with recent work by Eric Filiol's group.
>> https://blog.torproject.org/blog/rumors-tors-compromise-are-greatly-exaggerated
>> is still just as valid today as it was when originally written.
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
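As an added illustration (not part of the original thread), here is a small triage script in the spirit of the points above: it reads constructed netfilter-style log lines, treats a source that knocks on many distinct ports as a scan, flags only those sources that go on to hammer a single service, and down-ranks scanners whose IP was announced on the list. The log format, thresholds and addresses are assumptions.

```python
"""Triage of firewall log lines: a scan alone is informational; a scan
plus repeated attempts against one service is what deserves a look."""
import re
from collections import defaultdict

# netfilter LOG format as assumed here; SRC and DPT are what we key on.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP DPT=(?P<dpt>\d+)")


def _line(src, dpt):
    """Build one constructed log line (sample data, not captured traffic)."""
    return (f"Dec 22 08:10:01 relay kernel: IN=eth0 SRC={src} "
            f"DST=198.51.100.5 PROTO=TCP DPT={dpt} SYN")


# Constructed sample log: four sources with different behaviour.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", p) for p in (22, 80, 443, 9001, 9030)]  # scan only
    + [_line("203.0.113.20", p) for p in (22, 80, 443, 9001, 9030)]  # scan ...
    + [_line("203.0.113.20", 22)] * 8  # ... then hammering ssh
    + [_line("203.0.113.30", p) for p in range(9000, 9010)]  # announced scanner
    + [_line("192.0.2.7", 9001)] * 2  # ordinary client reaching the ORPort
)


def parse(log_text):
    """Yield (src, dport) for every TCP line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dpt"))


def triage(log_text, announced=frozenset(), scan_ports=5, followup_hits=5):
    """Return {src: verdict}. A source touching >= scan_ports distinct ports
    is a scan; a port hit >= followup_hits times is treated as a follow-up."""
    hits = defaultdict(lambda: defaultdict(int))  # src -> dport -> count
    for src, dport in parse(log_text):
        hits[src][dport] += 1
    verdicts = {}
    for src, ports in hits.items():
        scanned = len(ports) >= scan_ports
        targeted = sorted(p for p, n in ports.items() if n >= followup_hits)
        if src in announced:
            verdicts[src] = "announced scan: informational"
        elif scanned and targeted:
            verdicts[src] = f"scan followed by repeated attempts on {targeted}: investigate"
        elif scanned:
            verdicts[src] = "portscan only: log it, no sign of compromise"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG, {"203.0.113.30"}).items():
        print(src, "->", verdict)
```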
