[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Keeping an exit node off of blacklists due to botnet activity.

To: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-relays] Keeping an exit node off of blacklists due to botnet activity.
From: tor@xxxxxxx
Date: Fri, 05 Jun 2015 09:21:24 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 05 Jun 2015 09:21:38 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=t-3.net; s=default; t=1433510486; bh=UP4lLjTe0T8klWj5T7HY40rFq4fnOFUNp/W8O1daLvg=; h=From:To:Subject:Date; b=o9NzXW/ag/ryDudnVVD3LiiXd+rn0wWaxhp7XrDrDYeaE0RjwyzNrHsWysDwkpIU1 E5pN9FW9rgT/5tAFtiy3DTyocfJ7QhTR2VM1lKiaHBajCc54OfoWNZ3EgDELcVE2D1 VS4u0f3vw4lpUMMWrflryBnBznRzIb+Qhn4p16iU=
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

> I have a fairly high bandwidth exit node running for about a monthnow> that I'm having difficulty keeping off of thehttp://cbl.abuseat.org/> blacklist and have been informed of this listing by the VPSprovider.> The relay is running with a reduced exit policy -- and additionallyI've

> blocked common mail ports, etc via IPFW so I know that no spam is

> actually being sent out of the relay. Still, various botnetsconnections

> are connecting to abuseat.org botnet sinkholes via port 80

> Command&Control connection attempts. I'm at a loss at how to stopthis

> or somehow detect and filter botnet traffic.
>
> I've informed the VPS provider that I'm on top of it and have the

> machine configured to not actually allow this sort of malicioustraffic> out and they seem to be generally happy with that explanation, buta

> better solution if one exists would be appreciated.
>
> Thanks,
>
> Julian Plamann
>
> julian (at) amity.be
> GPG: 0x96881D83

Don't know if this will help, but maybe:

ExitPolicy reject 85.159.211.119   # Cryptolocker
ExitPolicy reject 212.71.250.4     # Cryptolocker
ExitPolicy reject 54.83.43.69      # Cryptolocker
ExitPolicy reject 192.42.116.41    # Cryptolocker
ExitPolicy reject 192.42.119.41    # Cryptolocker
ExitPolicy reject 198.98.103.253   # Cryptolocker
ExitPolicy reject 208.64.121.161   # Cryptolocker
ExitPolicy reject 142.0.36.234     # Cryptolocker
ExitPolicy reject 173.193.197.194  # Cryptolocker

In general, I see complaints about abuse from the exit relays we rundue to someone using Tor to try to exploit remote web server scriptsand databases and the like. I don't think there's anything that can bedone about it? I would say that it's just part of what you get comingout out of Tor exit nodes.

If anyone else has any better advice feel free to correct me but, Ithink it might be accurate to explain to the upstream that Tor exitswill generate certain kinds of abuse complaints as part of normaloperation. They open proxy web-related ports out, and some peopleabuse Tor for web hacking types of activity.

I would say that it is normal for Tor exits to live permanently oncertain kinds of blacklists. They do not need to be on the spam emailrelated ones (reject *:25 and other email ports), but they will landon other types of blacklists, and I don't think it can be helped.






_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Prev by Author: Re: [tor-relays] No Exit flag on Exit node
Next by Author: Re: [tor-relays] How to use our own TOR relay as entry node for local network hosts
Previous by thread: Re: [tor-relays] Updating tor to get fix for #15083? (Elliott Jin)
Next by thread: [tor-relays] BWAUTH weightings too volatile. . ."twitchy"
Index(es):
- Author
- Thread