On Mon, Dec 4, 2017 at 10:57 AM, Ralph Seichter <m16+tor@xxxxxxxxxxxxxxx> wrote:On 04.12.17 11:59, James wrote:As a private individual, after just receiving my 4th abuse complaintin as many days it's time to stop running my exit node.I've had an ongoing debate with a hosting service over a fresh exit nodebeing abused for network scans (ports 80 and 443) almost hourly for thelast few days. I can understand that they are pissed off, and the wholething resulted in this particular exit being shut down by the hoster. IfI could detect and prevent these scans, it would go a long way to avoidhaving my exit nodes shut down by hosting services. Previous proposals have become bogged down in the process of trying to define "abuse". Let's limit excessive use of scarce resources instead. It should have a similar effect, is easily made content-neutral, and doesn't require any agreed definition of legitimate and illegitimate uses. Here's a quick sketch of a proposal - I would be happy to work with others to turn it into a Tor proposal and post it to tor-dev@. Here's what Tor proposals look like: Background: Relays currently have token buckets that limit the number of bytes that can be sent per second. This limits relay bandwidth, but does not limit the use of other scarce resources, like file descriptors, TCP ports, and CPU time. (There is an existing file descriptor limit, but it is an absolute maximum, not a rate limit.) Proposal: We define relay-wide token buckets for circuit and stream creation. These token buckets are refilled on a regular basis. Every time a circuit or stream is created, a token is removed from the bucket. When the bucket is empty, the relay takes some action that slows down circuit or stream creation. (This could be a delay until the next refill, a randomised delay, or some more sophisticated exponential backoff system.) We set these limits at default values that are unlikely to be exceeded during normal exit usage. (This needs measurement on live exits.) This provides operators with tools to limit excessive usage, while we work on more fine-grained solutions. Alternatives: We could also define a stream limit per circuit, destination IP address, or destination port. However, this may be a level of complexity which we don't need. It also significantly increases the number of buckets required to implement the scheme. And it moves away from the original goal of limiting resource usage towards a scheme that allocates these resources more fairly between competing circuits or destinations. Designing a fairness scheme like this requires more research, including more sophisticated data collection on live exits. There are also privacy concerns inherent in storing destination IP addresses and ports which would have to be addressed. On 5 Dec 2017, at 06:00, Iain Learmonth <irl@xxxxxxxxxxxxxx> wrote: On 04/12/17 18:19, Ralph Seichter wrote: This is not about third party X complaining to the hoster about their network being scanned. The hoster itself is automatically monitoring all their machines for outgoing network scans, as these scans are prohibited by their terms of use. I do wonder how much of this is related to the scarcity of IPv4 address space, prevalence of reputation systems and fear of ending up being labeled as "bad". When we move to IPv6, perhaps hosting providers would be more relaxed knowing that it doesn't matter so much if a /64 or even a /56 ends up bad in a reputation system, because for other customers you have other address space. Tor already supports exiting over IPv6, and Tor Browser prefers IPv6 by default. Now we need Exit operators and major websites to enable IPv6. I suspect the IP reputation space may take a few years to catch up with IPv6 - we should take advantage of that as much as we can. T |
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays