
Re: [tor-relays] Network Scan through Tor Exit Node (Port 80)



On Friday 25 February 2011 11:45:04 Bianco Veigel wrote:
> Today I got the second abuse mail within two weeks from my hosting
> provider. They forced me to take down the exit node, otherwise they will
> shut down my server.
>
> How could I detect such a scan and take countermeasures to prevent a
> network scan through tor? I've thought about Snort, but I've never used
> it before. The exit node is running in a Xen-vm, behind a pfSense firewall.
>
> I've attached the report from the abuse mail. Does anyone have an idea,
> what steps should/could be taken?

It may be possible to detect a scan by looking for RST packets coming back 
from computers that have the port closed. I saw something about that on 
snort.org. I wouldn't trust Snort to do the right thing in the case of 
someone portscanning through Tor. I suggest closing the circuit, and only Tor 
knows what the circuit is, so if an exit node notices several connection 
attempts in a row on the same circuit fail, it could close the circuit 
because it looks like a portscan.

cmeclax
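The per-circuit heuristic suggested in the reply above, as an added example that is not part of the original message and is not Tor code. The event tuples, outcome labels, class name and threshold of 5 are assumptions, and counting only distinct targets goes slightly beyond the post so that retries against one dead server do not trip it.

```python
from collections import defaultdict

FAIL_THRESHOLD = 5  # assumed value; the post only says "several"

class CircuitScanHeuristic:
    """Flags a circuit after FAIL_THRESHOLD consecutive failed exit
    connections to distinct targets (hypothetical model, not Tor code)."""

    def __init__(self, threshold=FAIL_THRESHOLD):
        self.threshold = threshold
        self.failed_targets = defaultdict(list)  # circuit id -> current failure run
        self.flagged = set()

    def observe(self, circ_id, host, port, outcome):
        """Feed one connection attempt; return True if the circuit should be closed."""
        if circ_id in self.flagged:
            return True
        if outcome == "connected":
            # A success breaks the run: ordinary browsing mixes hits and misses.
            self.failed_targets.pop(circ_id, None)
            return False
        run = self.failed_targets[circ_id]
        if (host, port) not in run:
            # Retries against one dead server are not counted twice.
            run.append((host, port))
        if len(run) >= self.threshold:
            self.flagged.add(circ_id)
            del self.failed_targets[circ_id]
            return True
        return False

def run_sample():
    # Constructed events: (circuit id, destination, port, outcome).
    # "refused" stands for an RST coming back from a closed port.
    events = [(7, f"192.0.2.{i}", 80, "refused") for i in range(1, 7)]
    events += [(9, "198.51.100.5", 80, "refused")] * 6  # one dead host, retried
    events += [(11, "203.0.113.1", 80, "refused"),
               (11, "203.0.113.2", 80, "connected"),
               (11, "203.0.113.3", 80, "timeout")]
    h = CircuitScanHeuristic()
    closed_at = {}
    for n, (circ, host, port, outcome) in enumerate(events):
        if h.observe(circ, host, port, outcome) and circ not in closed_at:
            closed_at[circ] = n  # index of the event that triggered the close
    return closed_at

if __name__ == "__main__":
    print(run_sample())
```

Only circuit 7 is flagged, on its fifth distinct refused target; the circuit retrying one dead host and the circuit with a success in between are left alone.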