
Re: [tor-relays] Keeping an exit node off of blacklists due to botnet activity.

> I have a fairly high bandwidth exit node running for about a month now
> that I'm having difficulty keeping off of the http://cbl.abuseat.org/
> blacklist and have been informed of this listing by the VPS provider.
> The relay is running with a reduced exit policy -- and additionally I've
> blocked common mail ports, etc via IPFW so I know that no spam is
> actually being sent out of the relay. Still, various botnets connections
> are connecting to abuseat.org botnet sinkholes via port 80
> Command&Control connection attempts. I'm at a loss at how to stop this
> or somehow detect and filter botnet traffic.
>
> I've informed the VPS provider that I'm on top of it and have the
> machine configured to not actually allow this sort of malicious traffic
> out and they seem to be generally happy with that explanation, but a
> better solution if one exists would be appreciated.
>
> Thanks,
>
> Julian Plamann
>
> julian (at) amity.be
> GPG: 0x96881D83

Don't know if this will help, but maybe:

ExitPolicy reject 85.159.211.119   # Cryptolocker
ExitPolicy reject 212.71.250.4     # Cryptolocker
ExitPolicy reject 54.83.43.69      # Cryptolocker
ExitPolicy reject 192.42.116.41    # Cryptolocker
ExitPolicy reject 192.42.119.41    # Cryptolocker
ExitPolicy reject 198.98.103.253   # Cryptolocker
ExitPolicy reject 208.64.121.161   # Cryptolocker
ExitPolicy reject 142.0.36.234     # Cryptolocker
ExitPolicy reject 173.193.197.194  # Cryptolocker

In general, I see complaints about abuse from the exit relays we run due to someone using Tor to try to exploit remote web server scripts and databases and the like. I don't think there's anything that can be done about it? I would say that it's just part of what you get coming out of Tor exit nodes.

If anyone else has any better advice feel free to correct me, but I think it might be accurate to explain to the upstream that Tor exits will generate certain kinds of abuse complaints as part of normal operation. They open proxy web-related ports out, and some people abuse Tor for web hacking types of activity.

I would say that it is normal for Tor exits to live permanently on certain kinds of blacklists. They do not need to be on the spam email related ones (reject *:25 and other email ports), but they will land on other types of blacklists, and I don't think it can be helped.
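As an added example (not code from either poster or from the Tor project), the following Python script does two things an exit operator in this situation would want: it checks whether the relay's own address is currently listed on a DNS blacklist such as the CBL, and it generates the torrc ExitPolicy reject lines for a list of sinkhole addresses plus the mail ports. It assumes the standard DNSBL query convention (address octets reversed, then the list's zone, with a listed address answering in 127.0.0.0/8); the zone name cbl.abuseat.org is taken from the thread, and the sample sinkhole addresses are the ones quoted above, reused here only as input.

```python
import ipaddress
import socket
import sys

# Constructed sample input: a few of the sinkhole addresses from the reply above.
SAMPLE_SINKHOLES = ["85.159.211.119", "212.71.250.4", "54.83.43.69"]
# Mail submission ports a non-spam exit should keep closed (SMTP, SMTPS, submission).
MAIL_PORTS = (25, 465, 587)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list zone.

    Raises ValueError for anything that is not a valid IPv4 address, so a
    typo in a config file cannot silently produce a bogus lookup.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip: str, zone: str = "cbl.abuseat.org", resolve=socket.gethostbyname) -> bool:
    """Return True when the blacklist answers for the reversed name.

    A listed address resolves to a 127.0.0.x result code; an unlisted one has
    no record (NXDOMAIN), which the resolver reports as an OSError subclass.
    The resolver is injectable so the logic can be exercised offline.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return False
    return answer.startswith("127.")


def build_exit_policy(reject_hosts, reject_ports=MAIL_PORTS) -> list:
    """Render torrc ExitPolicy lines rejecting given IPv4 hosts and ports.

    Hosts are validated as IPv4; IPv6 addresses would need the separate
    'reject6 [addr]:*' syntax and are rejected here rather than mis-rendered.
    Host rules come first so they take effect before any broader accept rule.
    """
    lines = []
    for host in dict.fromkeys(reject_hosts):  # de-duplicate, keep order
        ipaddress.IPv4Address(host)  # raises ValueError on bad input
        lines.append(f"ExitPolicy reject {host}:*")
    for port in reject_ports:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
        lines.append(f"ExitPolicy reject *:{port}")
    return lines


if __name__ == "__main__":
    # Usage: python check_exit.py <relay-ip>   (performs a live DNSBL lookup)
    if len(sys.argv) == 2:
        relay_ip = sys.argv[1]
        state = "LISTED" if is_listed(relay_ip) else "not listed"
        print(f"{relay_ip} is {state} on cbl.abuseat.org")
    print("\n".join(build_exit_policy(SAMPLE_SINKHOLES)))
```

Running it with the relay's public address as the only argument performs the live lookup; without an argument it just prints the policy fragment, which can be pasted into torrc ahead of the reduced exit policy's accept lines.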

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays