
Re: [tor-talk] exit ports to open in relay *without* issue...

before tackling the actual question, a short description of how detection of malware activity is
usually performed in this context - at least in the context of these kinds of "abuse" emails:

* organizations like shadowservers [1] and others operate sinkhole servers that listen
for incoming connections on IPs or domains used by malware (i.e. former C&C server)
* every time they get a connection to their sinkhole systems they write down where the connection came from (i.e. your exit IP address)
* then they automatically inform that IP holder (usually the AS abuse contact or a national CERT of the
country where the AS is located) of that registered event since it is a sign of a potential
infection of the source IP

This makes sense for most of the internet, unfortunately this methodology of source IP based attribution
causes "abuse" emails for Tor exits when infected clients (or security researchers or anyone) visits sinkhole IPs via
their Tor.

- you cannot solve this on a port level because ports 80 and 443 are frequently used
by malware for outbound connections, and 80+443 are required for the exit flag

- there is a methodology to reduce the amount of such emails that does not get you the BadExit flag:
blacklisting sinkhole IPs in your exit policy, but these are not generally public.

There are lists of IP addresses of such sinkholes that exit operators could use in their exit policy but the problem is:
- they can not be comprehensive (sinkhole IPs try to remain secret)
- they can contain false positives
- they might contain old IPs
- their trustworthiness is unknown

In a little side project I'm aiming to evaluate the effectiveness of these sinkhole lists
by correlating them with such related "abuse" notifications to answer the questions:

Do these public sinkhole IP lists match IPs from actual sinkhole IPs mentioned in abuse notifications?
How effective would using these IPs in a Tor exit relay's ExitPolicy be at reducing the amount of such notification emails?
How much overblocking would occur?
How static are these lists?

If you are an exit operator and want to help with that little project you can submit information covering
such cases in a specific CSV format to the email address below.

To prevent getting spammed the email must be sent from the email address mentioned in the relay's ContactInfo field following this spec:
and you should not send more than one email per day per sender. (plus points for DKIM signed emails)

**Please do NOT submit data that is related to other types of abuse emails**

CSV format:

timestamp,destination IP address,destination port,feed-name

timestamp: YYYY-MM (please do not include more fine grained time information)
destination IP address: IPv4 or IPv6 address (mandatory)
destination port (if available)
feed-name (if available) example value: shadowserver-drone

email address:
sinkhole-malware-alerts riseup net

[1] https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Drone-Hadoop
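As an added illustration (not part of the original post, and not a tool the author describes): the script below shows what an exit operator's side of this project could look like in practice. It validates a submission against the CSV format given above (YYYY-MM timestamp, mandatory IPv4/IPv6 destination, optional port and feed name), then correlates the notified sinkhole IPs with a hypothetical public sinkhole list to answer the post's questions numerically (coverage of the notifications, list entries never seen in a notification as overblocking candidates), and finally renders the list as torrc ExitPolicy reject lines. The sample submission and the sinkhole list are constructed from RFC 5737 / RFC 3849 documentation ranges, not real sinkholes; the function names and the one-IP-per-line policy rendering are my own choices.

```python
import csv
import io
import ipaddress
import re

# Constructed sample submission in the format described in the post.
# Addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24, 2001:db8::/32); none of these are real sinkholes.
SAMPLE_SUBMISSION = """\
2016-03,192.0.2.10,80,shadowserver-drone
2016-03,192.0.2.11,443,
2016-04,2001:db8::1,,shadowserver-drone
2016-04,198.51.100.7,80,shadowserver-drone
2016/04,203.0.113.5,80,shadowserver-drone
2016-04,not-an-ip,80,shadowserver-drone
"""

# Constructed, hypothetical "public sinkhole list" (not taken from any real feed).
SAMPLE_SINKHOLE_LIST = {"192.0.2.10", "192.0.2.11", "203.0.113.99"}

MONTH_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")  # YYYY-MM only, as the post asks


def parse_submission(text):
    """Parse a submission; return (valid_rows, errors).

    Rows that deviate from the spec are rejected with a reason instead of being
    guessed at, so a maintainer can bounce malformed input back to the sender.
    """
    valid, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != 4:
            errors.append((lineno, "expected 4 fields: timestamp,ip,port,feed"))
            continue
        ts, ip, port, feed = (f.strip() for f in row)
        if not MONTH_RE.match(ts):
            errors.append((lineno, "timestamp must be YYYY-MM"))
            continue
        try:
            addr = ipaddress.ip_address(ip)  # accepts IPv4 and IPv6
        except ValueError:
            errors.append((lineno, "destination IP is not a valid IPv4/IPv6 address"))
            continue
        port_val = None
        if port:
            if not port.isdigit() or not 0 < int(port) <= 65535:
                errors.append((lineno, "port must be 1-65535 if given"))
                continue
            port_val = int(port)
        valid.append({"month": ts, "ip": addr.compressed,
                      "port": port_val, "feed": feed or None})
    return valid, errors


def correlate(rows, sinkhole_list):
    """Compare notified IPs with a sinkhole list.

    coverage: share of notified IPs the list would have rejected had it been in
    the ExitPolicy (the list's effectiveness against these notifications).
    list_entries_not_seen: list IPs never present in a notification; these are
    where overblocking or stale entries would hide.
    """
    notified = {r["ip"] for r in rows}
    covered = notified & set(sinkhole_list)
    return {
        "notified_ips": len(notified),
        "covered_by_list": len(covered),
        "coverage": len(covered) / len(notified) if notified else 0.0,
        "list_entries_not_seen": sorted(set(sinkhole_list) - notified),
    }


def exit_policy_lines(sinkhole_list):
    """Render IPs as torrc reject lines (all ports).

    torrc uses 'reject' for IPv4 and 'reject6' with bracketed addresses for IPv6.
    """
    lines = []
    for ip in sorted(sinkhole_list):
        if ipaddress.ip_address(ip).version == 6:
            lines.append(f"ExitPolicy reject6 [{ip}]:*")
        else:
            lines.append(f"ExitPolicy reject {ip}:*")
    return lines


if __name__ == "__main__":
    rows, errs = parse_submission(SAMPLE_SUBMISSION)
    for lineno, why in errs:
        print(f"line {lineno} rejected: {why}")
    print(correlate(rows, SAMPLE_SINKHOLE_LIST))
    print("\n".join(exit_policy_lines(SAMPLE_SINKHOLE_LIST)))
```

Running it on the constructed sample rejects the two malformed rows (a `2016/04` timestamp and a non-IP destination), reports that the hypothetical list covers half of the four notified IPs, and flags `203.0.113.99` as a list entry that no notification ever mentioned. Rendered policy lines are one IP per line so an operator can diff a regenerated list against the running torrc before reloading.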



tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx