Re: [tor-talk] exit ports to open in relay *without* issue...
- To: tor-talk@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-talk] exit ports to open in relay *without* issue...
- From: nusenu <nusenu-lists@xxxxxxxxxx>
- Date: Fri, 07 Sep 2018 16:50:00 +0000
- In-reply-to: <e56ecfbe-6887-c0e5-23e4-e8c4524f0f2c@xs4all.nl>
- References: <e56ecfbe-6887-c0e5-23e4-e8c4524f0f2c@xs4all.nl>
before tackling the actual question, a short description of how detection of malware activity is
usually performed in this context - at least in the context of these kinds of "abuse" emails:
* organizations like shadowservers [1] and others operate sinkhole servers that listen
for incoming connections on IPs or domains used by malware (i.e. former C&C server)
* every time they get a connection to their sinkhole systems they write down where the connection came from (i.e. your exit IP address)
* then they automatically inform that IP holder (usually the AS abuse contact or a national CERT of the
country where the AS is located) of that registered event since it is a sign of a potential
infection of the source IP
This makes sense for most of the internet, unfortunately this methodology of source IP based attribution
causes "abuse" emails for Tor exits when infected clients (or security researchers or anyone) visit sinkhole IPs via
their Tor.
- you can not solve this based on a port level because ports 80 and 443 are frequently used
by malware for outbound connections and 80+443 is required for the exit flag
- there is a methodology to reduce the amount of such emails that does not get you the BadExit flag:
blacklisting sinkhole IPs in your exit policy, but these are not generally public.
There are lists of IP addresses of such sinkholes that exit operators could use in their exit policy but the problem is:
- they can not be comprehensive (sinkhole IPs try to remain secret)
- they can contain false positives
- they might contain old IPs
- their trustworthiness is unknown
In a little side project I'm aiming to evaluate the effectiveness of these sinkhole lists
by correlating them with such related "abuse" notifications to answer the questions:
Do these public sinkhole IP lists match IPs from actual sinkhole IPs mentioned in abuse notifications?
How effective would using these IPs in a Tor exit relay's ExitPolicy be at reducing the amount of such notification emails?
How much overblocking would occur?
How static are these lists?
If you are an exit operator and want to help with that little project you can submit information covering
such cases in a specific CSV format to the email address below.
To prevent getting spammed the email must be sent from the email address mentioned in the relay's ContactInfo field following this spec:
https://github.com/nusenu/ContactInfo-Information-Sharing-Specification#email
and you should not send more than one email per day per sender. (plus points for DKIM signed emails)
**Please do NOT submit data that is related to other types of abuse emails**
CSV format:
timestamp,destination IP address,destination port,feed-name
timestamp: YYYY-MM (please do not include more fine grained time information)
destination IP address: IPv4 or IPv6 address (mandatory)
destination port (if available)
feed-name (if available) example value: shadowserver-drone
email address:
sinkhole-malware-alerts riseup net
[1] https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Drone-Hadoop
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
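An added worked example (this is not code from nusenu's mail or from the Tor project) showing the correlation the mail proposes: parse notifications in the CSV format given above, check each one against a public sinkhole list, report how many notifications the list would have covered and how many list entries never appeared in any notification (the overblocking proxy), and emit Tor ExitPolicy reject lines only for addresses that actually showed up in a notification. The sinkhole list contents, the CSV rows, the feed names and every IP address are constructed sample data from the RFC 5737 / RFC 3849 documentation ranges; only the torrc ExitPolicy syntax (reject ADDR:* for IPv4, reject6 [ADDR]:* for IPv6) is real.

```python
"""Correlate a public sinkhole IP list with sinkhole-related abuse
notifications and derive an evidence-based Tor ExitPolicy.
Added example; all addresses and list contents are constructed."""
import csv
import io
import ipaddress
import re

TIMESTAMP_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")  # YYYY-MM only, per the spec

# Constructed stand-in for a third-party sinkhole list (hypothetical contents).
PUBLIC_SINKHOLE_LIST = """
# one IP or CIDR per line
192.0.2.10
192.0.2.11
198.51.100.0/24
2001:db8::10
203.0.113.99
"""

# Constructed notification records in the mail's CSV format.  The last two
# rows violate the spec (day-level timestamp, missing IP) and must be dropped.
ABUSE_CSV = """timestamp,destination IP address,destination port,feed-name
2018-07,192.0.2.10,80,shadowserver-drone
2018-07,192.0.2.10,443,shadowserver-drone
2018-08,198.51.100.7,80,shadowserver-drone
2018-08,203.0.113.5,,
2018-09,2001:db8::10,443,shadowserver-drone
2018-09,192.0.2.200,80,shadowserver-drone
2018-09-03,192.0.2.10,80,shadowserver-drone
2018-09,not-an-ip,,
"""


def load_sinkhole_list(text):
    """Parse a list of bare IPs / CIDRs; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits set inside a CIDR entry
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_notifications(text):
    """Parse the CSV; keep only rows with a YYYY-MM timestamp and a valid IP."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = (rec.get("timestamp") or "").strip()
        if not TIMESTAMP_RE.match(ts):
            continue
        try:
            ip = ipaddress.ip_address((rec.get("destination IP address") or "").strip())
        except ValueError:
            continue
        port_txt = (rec.get("destination port") or "").strip()
        port = int(port_txt) if port_txt.isdigit() and 0 < int(port_txt) < 65536 else None
        feed = (rec.get("feed-name") or "").strip() or None
        rows.append({"month": ts, "ip": ip, "port": port, "feed": feed})
    return rows


def correlate(nets, notifications):
    """Hit/miss per notification, plus list entries that never matched
    (addresses you would reject without any evidence they are sinkholes)."""
    hit, miss, used = [], [], set()
    for n in notifications:
        matching = [net for net in nets if n["ip"] in net]  # version mismatch -> False
        (hit if matching else miss).append(n)
        used.update(matching)
    unused = [net for net in nets if net not in used]
    return {
        "hit": hit,
        "miss": miss,
        "coverage": len(hit) / len(notifications) if notifications else 0.0,
        "unused_entries": unused,
        "overblocked_addresses": sum(net.num_addresses for net in unused),
    }


def exit_policy_line(net):
    """torrc line rejecting one network on every port (IPv6 needs reject6 + brackets)."""
    addr = str(net.network_address)
    cidr = "" if net.num_addresses == 1 else f"/{net.prefixlen}"
    if net.version == 6:
        return f"ExitPolicy reject6 [{addr}]{cidr}:*"
    return f"ExitPolicy reject {addr}{cidr}:*"


def evidence_based_policy(nets, notifications):
    """Reject only list entries that matched a notification, plus notified
    IPs the list missed; list entries never seen are left out."""
    r = correlate(nets, notifications)
    matched = [net for net in nets if net not in r["unused_entries"]]
    missed = dict.fromkeys(ipaddress.ip_network(n["ip"]) for n in r["miss"])
    return [exit_policy_line(net) for net in matched + list(missed)]


if __name__ == "__main__":
    nets = load_sinkhole_list(PUBLIC_SINKHOLE_LIST)
    rows = parse_notifications(ABUSE_CSV)
    res = correlate(nets, rows)
    print(f"{len(rows)} notifications, {len(res['hit'])} covered by the list "
          f"({res['coverage']:.0%}), {len(res['miss'])} not covered")
    print(f"{res['overblocked_addresses']} listed address(es) never seen in a notification")
    print("\n".join(evidence_based_policy(nets, rows)))
```

The coverage figure answers the mail's first two questions for a given list, the unused-entry count is a lower bound on overblocking (it cannot see legitimate traffic the rejected addresses would otherwise carry), and the generated policy is meant to sit in front of the usual accept *:80 / accept *:443 lines in torrc so the exit flag requirement described above is unaffected.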