[tor-talk] exit ports to open in relay *without* issue...

Nathaniel Suchy me at lunorian.is
Fri Sep 7 17:05:39 UTC 2018


One suggestion I’ll add: https://tornull.org has a huge exit policy with
common sinkholes and other abusive networks. You won’t stop them all BUT it
may reduce the complaints your ISP gets.

Cordially,
Nathaniel

On Fri, Sep 7, 2018 at 12:51 PM nusenu <nusenu-lists at riseup.net> wrote:

> before tackling the actual question, a short description of how detection
> of malware activity is usually performed in this context - at least in the
> context of these kinds of "abuse" emails:
>
> * organizations like shadowservers [1] and others operate sinkhole servers
>   that listen for incoming connections on IPs or domains used by malware
>   (i.e. former C&C server)
> * every time they get a connection to their sinkhole systems they write
>   down where the connection came from (i.e. your exit IP address)
> * then they automatically inform that IP holder (usually the AS abuse
>   contact or a national CERT of the country where the AS is located) of
>   that registered event since it is a sign of a potential infection of the
>   source IP
>
> This makes sense for most of the internet, unfortunately this methodology
> of source IP based attribution causes "abuse" emails for Tor exits when
> infected clients (or security researchers or anyone) visit sinkhole IPs
> via their Tor.
>
>
> - you can not solve this based on a port level because ports 80 and 443 are
>   frequently used by malware for outbound connections and 80+443 is required
>   for the exit flag
>
> - there is a methodology to reduce the amount of such emails that does not
>   get you the BadExit flag: blacklisting sinkhole IPs in your exit policy,
>   but these are not generally public.
>
> There are lists of IP addresses of such sinkholes that exit operators
> could use in their exit policy but the problem is:
> - they can not be comprehensive (sinkhole IPs try to remain secret)
> - they can contain false positives
> - they might contain old IPs
> - their trustworthiness is unknown
>
> In a little side project I'm aiming to evaluate the effectiveness of these
> sinkhole lists by correlating them with such related "abuse" notifications
> to answer the questions:
>
> Do these public sinkhole IP lists match IPs from actual sinkhole IPs
> mentioned in abuse notifications?
> How effective would using these IPs in a Tor exit relay's ExitPolicy be at
> reducing the amount of such notification emails?
> How much overblocking would occur?
> How static are these lists?
>
> If you are an exit operator and want to help with that little project you
> can submit information covering such cases in a specific CSV format to the
> email address below.
>
> To prevent getting spammed the email must be sent from the email address
> mentioned in the relay's ContactInfo field following this spec:
> https://github.com/nusenu/ContactInfo-Information-Sharing-Specification#email
> and you should not send more than one email per day per sender. (plus
> points for DKIM signed emails)
>
> **Please do NOT submit data that is related to other types of abuse emails**
>
> CSV format:
>
> timestamp,destination IP address,destination port,feed-name
>
> timestamp: YYYY-MM (please do not include more fine grained time information)
> destination IP address: IPv4 or IPv6 address (mandatory)
> destination port (if available)
> feed-name (if available) example value: shadowserver-drone
>
> email address:
> sinkhole-malware-alerts riseup net
>
>
>
> [1] https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Drone-Hadoop
>
> --
> https://twitter.com/nusenu_
> https://mastodon.social/@nusenu
>
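
The evaluation described in the quoted message, as an added example that is not part of the thread or of either author's tooling: it validates rows in the CSV format given above, measures how much of the notified destinations a candidate sinkhole list covers, and renders the list as torrc ExitPolicy lines. All addresses are constructed sample data from documentation ranges, and the function names are hypothetical.

```python
import csv, io, ipaddress, re

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges, not real sinkholes).
SINKHOLE_LIST = ["192.0.2.10", "198.51.100.0/28", "2001:db8::53", "203.0.113.7"]
NOTIFICATIONS_CSV = """\
2018-08,192.0.2.10,80,shadowserver-drone
2018-08,198.51.100.5,443,
2018-09,203.0.113.99,,shadowserver-drone
2018-09,2001:db8::53,80,
2018-09-07,192.0.2.10,80,too-fine-grained
"""

def parse_notifications(text):
    """Parse 'timestamp,destination IP,destination port,feed-name' rows; drop invalid ones."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        ts, ip, port, feed = ([f.strip() for f in rec] + [""] * 4)[:4]
        if not re.fullmatch(r"[0-9]{4}-(0[1-9]|1[0-2])", ts):
            continue  # the format allows YYYY-MM only, nothing finer
        try:
            addr = ipaddress.ip_address(ip)  # mandatory, IPv4 or IPv6
        except ValueError:
            continue
        if port and not (re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536):
            continue
        rows.append((ts, addr, int(port) if port else None, feed or None))
    return rows

def evaluate(sinkholes, rows):
    """Compare a candidate sinkhole list with destinations named in notifications."""
    nets = [ipaddress.ip_network(s, strict=False) for s in sinkholes]
    seen = {row[1] for row in rows}
    covered = {a for a in seen if any(a in n for n in nets)}
    return {
        "coverage": len(covered) / len(seen) if seen else 0.0,
        "missed": seen - covered,  # notified destinations the list would not block
        "unconfirmed": [n for n in nets if not any(a in n for a in seen)],
    }

def exit_policy_lines(sinkholes):
    """Render list entries as torrc ExitPolicy reject lines (all ports)."""
    lines = []
    for n in (ipaddress.ip_network(s, strict=False) for s in sinkholes):
        if n.version == 4:
            lines.append(f"ExitPolicy reject {n.network_address}/{n.prefixlen}:*")
        else:
            lines.append(f"ExitPolicy reject6 [{n.network_address}]/{n.prefixlen}:*")
    return lines

if __name__ == "__main__":
    print(evaluate(SINKHOLE_LIST, parse_notifications(NOTIFICATIONS_CSV)))
    print("\n".join(exit_policy_lines(SINKHOLE_LIST)))
```

An "unconfirmed" entry only means no notification in the sample named it; it may be a stale address, a false positive, or a sinkhole that has not yet triggered a report.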

