[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Network Scan through Tor Exit Node (Port 80)



On Mon, 28 Feb 2011 22:09:56 -0800
Chris Palmer <chris@xxxxxxx> allegedly wrote:

> On Feb 27, 2011, at 8:59 AM, mick wrote:
> 
> > in some jurisdictions. Section 3 of the UK Computer Misuse Act of
> > 1990, as amended by the Police and Justice Act of 2006 makes such
> > "reckless" activity an offence. 
> 
> I'm not sure how it counts as "reckless" to connect to a TCP port and
> then disconnect.

Chris

I used the word "reckless" because that is the wording used in the UK
CMA (as amended). See section 3 at:

http://www.legislation.gov.uk/ukpga/1990/18/section/3 which says:

"Unauthorised acts with intent to impair, or with recklessness as to
impairing, operation of computer, etc."

I agree that a single full TCP connect does not constitute such
"reckless" activity, but an aggressive, rapid, portscan, perhaps
using (deliberately) badly formed TCP packets which took no account of
the potential impact on the target, might. 

Some network devices may not handle such traffic well. Indeed, the
scan may cause a DOS. 

IANAL, but it seems to me the drafters of the amendments to the UK
legislation may have had such activity in mind when using the term
"reckless". The term implies to me a "lack of care or due diligence". 
I suspect that "intent to impair" may sometimes be difficult to prove
so lack of care was added.

> The kind of research I'm talking about — us, Kaminsky, Bernstein, et
> al. — involves simply talking to every server once. For example, the
> SSL Observatory does a "scan" that is very similar to what happens
> when a user clicks a link and then immediately clicks the Stop button
> in the browser: SYN, SYN/ACK, ACK, Client Hello, Server Hello +
> Certificate, goodbye. We do this once per IP every few months. Out of
> 4 billion IP addresses, we got one complaint that I know of.
>
> This work is not hostile or dangerous. It is clearly beneficial to
> the internet community. We've convinced CAs to tighten their loose
> certification standards, convinced them to meet the EV spec when we
> found they weren't, and provided hard evidence to fuel substantive
> debate on PKI policy. Nick and Jake are using the results to improve
> Tor. That's just to start.

I can't see that sort of activity as being deemed reckless - and it is
highly unlikely to be spotted anyway.

> It's also worth nothing that the various tricks to hide or evade IDSs
> that some scanners like Nmap can do, tend not to work over Tor since
> Tor normalizes TCP streams before exiting.
> 
> Port scanning can sometimes be the precursor to hostile activity, but
> it is not in itself hostile, and it is often either for a good cause
> or *indistinguishable from normal application activity*.
> 
I disagree. In my view, port scanning in and of itself can be hostile
if such activity is aggressive enough to cause difficulties - hence my
concern.

I am attracted to cmeclax's idea of some form of torrc config option
which could limit the potential for deliberate (or accidental but
"reckless") scanning. Is there any mileage in pursuing something like
that further? And if not, are there any other (current) recommended
configurations which could mitigate possible problems?

Mick

---------------------------------------------------------------------

The text file for RFC 854 contains exactly 854 lines. 
Do you think there is any cosmic significance in this?

Douglas E Comer - Internetworking with TCP/IP Volume 1

http://www.ietf.org/rfc/rfc854.txt
---------------------------------------------------------------------



Attachment: signature.asc
Description: PGP signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays