[tor-talk] Limiting number of outbound TCP connection from One Circuit

Griffin Boyce griffinboyce at gmail.com
Tue Nov 20 14:11:19 UTC 2012


On 11/20/2012 08:02 AM, Fabio Pietrosanti (naif) wrote:
> Hi all,
>
> while discussing on Twitter with the guy of http://cryptic.be about
> "How to block outgoing portscan from a Tor Exit Node", the idea arose
> that the best way would be to correlate the amount of "outgoing tcp
> connection/time" from a specific "Tor Circuit".
>
> So, rather than "Blocking" it would be really nice to be able to apply
> certain "Rate Limits" to the amount of outgoing, new TCP connection that
> can be done over an established circuit.
>
> Let's say that outgoing circuits change by default once every 10 minutes.
>
> To be able to block a portscan, it may be interesting to have such a
> feature that would statically, or dynamically with a backoff algorithm,
> apply an outgoing connection rate limitation to the connections that
> come from a specific circuit.
>
> That way it would be possible to identify what is a "normal and typical
> connection" and automatically filter out aggressive traffic (an
> important amount of new TCP connections coming from that circuit).
>
> What does the list think about that kind of idea, both conceptually and
> from the possible implementation strategies?
>
> Fabio

Hi Fabio,

  To recap the discussion for everyone else, we were talking about
blocking portscans on exit nodes.  While it's possible to block a
targeted portscan by limiting what ports can be accessed in iptables,
blocking a broad vulnerability scan with many targets is trickier.

  I'm rather curious as to how a circuit would be effectively defined in
this case.  While Tor circuits do rotate every 10mins, it wouldn't
really be possible to map traffic to a single abusive user.  It would be
more of a guess.  So instead any rules apply to everyone using the exit
node.

One solution could be something like either:
    # Rate-limit NEW TCP connections in the user-defined chains "inbound" and
    # "outbound"; excess connections fall through, so a later rule must DROP them.
    iptables -A inbound  -p tcp -m state --state NEW -m limit \
        --limit 5/s --limit-burst 3 -j ACCEPT
    iptables -A outbound -p tcp -m state --state NEW -m limit \
        --limit 5/s --limit-burst 3 -j ACCEPT

  Limiting traffic to five packets a second would also shut down both
types of malicious scans.  Though the limit settings would be dependent
on how much traffic the server typically gets.  If the exit op is
graphing traffic, that would be helpful - how much traffic, how frequent
major spikes are, and perhaps any correlation between traffic quantity
and abuse complaints.  Finding the upper limit during peak (legitimate)
usage periods would be great, but it's also worth noting that I'm also a
graph nerd.

Best,
Griffin
"the guy of http://cryptic.be"

-- 
"I believe that usability is a security concern; systems that do 
not pay close attention to the human interaction factors involved 
risk failing to provide security by failing to attract users."
~Len Sassaman

PGP Key etc: https://www.noisebridge.net/wiki/User:Fontaine 
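An added illustration, not code from this thread: a model of the token bucket behind iptables' `-m limit --limit 5/s --limit-burst 3` rule Griffin posts, applied to NEW TCP connections, plus a helper for the "upper limit during peak usage" tuning he mentions. The timestamps are constructed (a browsing session followed by a burst of 200 connections); the chain names and exact traffic shape are assumptions.

```python
# Added illustration (not from the thread): iptables' `-m limit` is a token
# bucket; this models `--limit 5/s --limit-burst 3` on NEW TCP connections.
from fractions import Fraction  # exact arithmetic, no float drift in counts

class LimitMatch:
    """Equivalent of `-m limit --limit RATE/s --limit-burst BURST`."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = rate_per_s, burst
        self.tokens = Fraction(burst)  # bucket starts full
        self.last_ms = 0

    def matches(self, now_ms):
        # Refill in proportion to elapsed time, capped at the burst size.
        gained = Fraction(self.rate * (now_ms - self.last_ms), 1000)
        self.tokens = min(Fraction(self.burst), self.tokens + gained)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True   # rule matches -> ACCEPT
        return False      # no token -> packet falls through to the next rule

def simulate(conn_times_ms, rate_per_s=5, burst=3):
    """Return (accepted, fell_through) for NEW connections at the given times.
    Fall-through only blocks if a DROP/REJECT rule follows the limit rule."""
    bucket = LimitMatch(rate_per_s, burst)
    accepted = fell_through = 0
    for t in sorted(conn_times_ms):
        if bucket.matches(t):
            accepted += 1
        else:
            fell_through += 1
    return accepted, fell_through

def peak_new_per_window(conn_times_ms, window_ms=1000):
    """Most new connections in any [t, t+window) interval; run on legitimate
    peak-period traffic to choose --limit above the normal ceiling."""
    ts = sorted(conn_times_ms)
    peak = j = 0
    for i, t in enumerate(ts):
        while j < len(ts) and ts[j] < t + window_ms:
            j += 1
        peak = max(peak, j - i)
    return peak

# Constructed timestamps (ms): browsing opens one connection every 500 ms for
# 60 s; a scan then opens 200 connections within one second.
BROWSING = [i * 500 for i in range(120)]
SCAN = [100_000 + i * 5 for i in range(200)]
# simulate(BROWSING + SCAN) -> (127, 193): browsing passes untouched, the
# burst gets 3 (burst) + 4 (refill within the second) through.
```

With only the ACCEPT rule in place the 193 fall-through connections would still be accepted by whatever follows; the limit only bites once a DROP or REJECT rule closes the chain.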
