Re: [tor-talk] Exit Traffic classification and discrimination

["Fabio Pietrosanti (naif) - lists" <lists@xxxxxxxxxxxxxxx>]

Answers in-line.

On 1/31/16 5:00 PM, amuse wrote:
> Hi Fabio:
> 
> TLDR: No, I haven't and wouldn't try this.
> 
> 
> If I understand, you're asking "Why don't TOR operators discriminate on
> traffic by passing packets to popular, acceptable sites and
> discriminating against traffic headed "elsewhere" by re-routing it.
> 
> This view ignores a few fundamental facts underlying the very existence
> of TOR.

From the point of view of a Tor users, there's absolutely no change in
the Threat Model.

From the point of view of a Tor Relay operator, there would be a better
resiliency against takedown due to Abuses.


> 
> 1) That tools such as TOR exist specifically to enable that last 10% of
> "dangerous" traffic - given that every political regime gets to decide
> what they think is "Dangerous".  In Saudia Arabia, criticism of the king
> is dangerous traffic. In China, discussion of the Tienanmen square
> massacre is also dangerous. TOR exists specifically to facilitate this
> traffic.

We are not speaking about whats "Dangerous" for a Tor user, but what's
"Abuse-Generating" for  Tor Operator.

I think that most of those discussions you're referring to:
- does not trigger abuses being sent to the ISPs
- happens mostly on major internet platforms (let's say the top-30)

> 
> 2) That the most objectionable traffic will probably be going to a lot
> of the top-30 websites, as that's where political discussions need to be
> brought to gain any sort of critical mass to bring them out of anonymous
> online enclaves and translate them into real political activity.
> 
> Finally, I wonder whether you have any experience actually, in practice,
> trying to differentiate traffic as "abuse" from "not abuse". If there
> were any even close-to-accurate ways of doing this, I suspect ISP's
> would already be doing it and even your abusive TOR traffic would get
> dropped at peering connections.

When i used to run Tor Exit relays, i never received abuses coming from
traffic being directed to major internet websites (ie: google, facebook,
wikipedia, etc).

The ISPs are already doing that, it's called "Traffic Engineering", but
it's not done due toe "abuse" or "not abuse", because the abuses are not
a major issues for an ISP.

Abuses are a major issues for Tor operators, not for ISPs.

> 
> In practice, it's very difficult to tell if even "clearly abusive"
> traffic - say, XSS attempts or SQL injection scanners - are abuse by
> some annoying hackers, or research by someone trying to assess how many
> home IP cameras are vulnerable to being part of a botnet, or even an
> authorized pen-tester just checking out their client's distributed offices.

Any digital attacks attempt going trough Tor, has to be considered
abusive, because it generate abuses.

Btw if you try to make a web attacks against:
- Facebook or Google or  (no abuse received)
- A major abuse (abuse received)

That's why traffic engineering with such a multi-homing approach, could
really works differentiating traffic designated to
top-internet-destination (that does not generate abuses but may
represent most of the traffic) vs. rest of the internet (that's likely a
minor part of the traffic, but in this chunk there's surely the
abuse-generating one).

Btw it's not easy to be technically implemented

Fabio
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk