[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Limiting number of outbound TCP connection from One Circuit

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Limiting number of outbound TCP connection from One Circuit
From: "Fabio Pietrosanti (naif)" <lists@xxxxxxxxxxxxxxx>
Date: Tue, 20 Nov 2012 15:22:39 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 20 Nov 2012 09:22:58 -0500
In-reply-to: <50AB8F87.6000601@xxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <50AB7F56.8090108@xxxxxxxxxxxxxxx> <50AB8F87.6000601@xxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20121026 Thunderbird/16.0.2

Hi Griffin,

my comments below.

On 11/20/12 3:11 PM, Griffin Boyce wrote:
> Hi Fabio,
>
>   To recap the discussion for everyone else, we were talking about
> blocking portscans on exit nodes.  While it's possible to block a
> targeted portscan by limiting what ports can be accessed in iptables,
> blocking a broad vulnerability scan with many targets is trickier.
>
>   I'm rather curious as to how a circuit would be effectively defined in
> this case.  While Tor circuits do rotate every 10mins, it wouldn't
> really be possible to map traffic to a single abusive user.  It would be
> more of a guess.  So instead any rules apply to everyone using the exit
> node.
>
> One solution could be something like either:
>     iptables -A inbound -p tcp -m state --state NEW -m limit \ --limit
> 5/s --limit-burst 3 -j ACCEPT
>     iptables -A outbound -p tcp -m state --state NEW -m limit \ --limit
> 5/s --limit-burst 3 -j ACCEPT

This would not scale for two reason:
1 - This is not specifically targeting "Exit Traffic" because currently
there is no way to distinguish between OR traffic and Exit Traffic.
2 - This would hurt "valid traffic too" because it's absolutely
reasonable for a 10Mbit Tor Exit Node to have big spike of new connections

So a "polite" approach to "block/mitigate" outgoing portscan should goes:
- only match Tor Exit Node traffic (and not Tor Relay or Directory traffic)
- be dynamic, in order to handle normal burst of traffic

On 1st point we would probably need some kind of Tor patch to have
"ExitAddress" configuration settings in a similar way to
"OutBoundAddress" (that also does OR/relay traffic).

On 2nd point, it's a quite complicated stuff, as we need some-how need
to link iptables actions to the originating Tor-client activity,
otherwise we will hurt real user traffic.

What do you think?
Fabio
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Limiting number of outbound TCP connection from One Circuit
  - From: Fabio Pietrosanti (naif)
- Re: [tor-talk] Limiting number of outbound TCP connection from One Circuit
  - From: Griffin Boyce

Prev by Author: [tor-talk] Limiting number of outbound TCP connection from One Circuit
Next by Author: Re: [tor-talk] Limiting number of outbound TCP connection from One Circuit
Previous by thread: Re: [tor-talk] Limiting number of outbound TCP connection from One Circuit
Next by thread: Re: [tor-talk] Limiting number of outbound TCP connection from One Circuit
Index(es):
- Author
- Thread