Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata
> On Oct 4, 2016, at 7:48 AM, pa011 wrote:
>
> One of my main ISPs is going mad with the number of abuses he gets from my
> Exits (currently most on port 80).
> He asks me to install "Intrusion Prevention System Software" or shut down
> the servers.
> He personally recommends Snort or Suricata.
>
> As far as I understand, implementing such software is not going together
> with Tor - am I right?
> Somebody having the same or any experience?

Yes, no, and maybe.

Yes, you can run IPS on a Tor relay, but you have to be very careful doing it, because a standard implementation of IPS would end up blocking Tor exits, which would obviously be problematic. You really need to exclude the (dynamic) Tor exit node list from IPS monitoring—which ends up not solving your problem…so, no, IPS won’t really help you.

Maybe IPS would be a fantastic thing to integrate into Tor, because it would answer the primary overall objection to Tor, which is that it enables abusive internet behavior. We market the “attractive” uses of Tor—personal privacy, protecting dissidents & whistleblowers, gathering intelligence—but when abuse issues arise (brute force SSH attacks, DOS attacks, HTTP/PHP hacks, copyright infringements, etc. etc.), we shrug them off as “the cost of freedom” and cite statistics to justify the status quo. The end result is that major players—even in the free world—completely block access to/from Tor nodes. Abuse issues create a very strong public perception that Tor has a high cost vs. benefit.

If we’re fine with the status quo, no problem. But if we want broader adoption/acceptance of Tor, we need to address the abuse issue somehow.

The technical problem is that implementing IPS in Tor would be massively non-trivial. In order for IPS to function properly within Tor, while maintaining strict anonymity, a Tor node detecting an IPS trigger would have to pass the event back up the relay chain until the entry relay (the only node that “knows” the actual initiating host) was finally able to block the offending host/port.

The political problem is, what gets blocked by TIPS and what doesn’t? Who gets to decide? What if some of those brute-force SSH or DOS attacks are “good guys” trying to crack the “bad guy” servers? Is that legitimate Tor traffic? Who gets to decide who are the good/bad guys? Could we agree on a base level of protection, perhaps by relay operator consensus? Etc.

These problems are not insurmountable, but they are significant.

Jon

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
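One way to do the exclusion Jon describes (keeping the dynamic exit-address list out of the IPS's inspection), as an added example that is not part of this thread: a script that parses a Tor exit-address list in the check.torproject.org `exit-addresses` format and emits Suricata `pass` rules. The sample list, its fingerprints and its addresses are constructed, and the base SID value is an assumption.

```python
import ipaddress
import re

# Constructed sample in the check.torproject.org exit-addresses format;
# the fingerprints and addresses are invented, not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2016-10-04 06:17:30
LastStatus 2016-10-04 07:02:44
ExitAddress 198.51.100.7 2016-10-04 07:05:28
ExitNode FEDCBA9876543210FEDCBA9876543210FEDCBA98
Published 2016-10-04 05:40:11
LastStatus 2016-10-04 07:02:44
ExitAddress 203.0.113.21 2016-10-04 07:05:28
ExitAddress 203.0.113.22 2016-10-04 07:05:28
ExitAddress not-an-ip 2016-10-04 07:05:28
"""

def parse_exit_list(text):
    """Map relay fingerprint -> list of exit addresses.

    Malformed addresses are skipped, so a corrupted download cannot
    silently turn into a 'pass' rule for an arbitrary host.
    """
    exits, current = {}, None
    for line in text.splitlines():
        key, _, rest = line.strip().partition(" ")
        if key == "ExitNode" and re.fullmatch(r"[0-9A-Fa-f]{40}", rest):
            current = rest.upper()
            exits.setdefault(current, [])
        elif key == "ExitAddress" and current is not None:
            try:
                addr = ipaddress.ip_address((rest.split() or [""])[0])
            except ValueError:
                continue
            exits[current].append(str(addr))
    return exits

def suricata_pass_rules(exits, base_sid=9000000):
    """One bidirectional 'pass' rule per exit address; Suricata's default
    action order evaluates 'pass' before drop/reject/alert."""
    rules, sid = [], base_sid
    for fp, addrs in sorted(exits.items()):
        for addr in addrs:
            sid += 1
            rules.append(f'pass ip {addr} any <> any any '
                         f'(msg:"Tor exit {fp[:8]} excluded"; sid:{sid}; rev:1;)')
    return rules
```

Because the exit list changes constantly, the generated rule file has to be regenerated and reloaded on a schedule, and a pass rule for a retired exit address stays in force until that happens.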
Re: [tor-relays] Handling abuse - like to get your help please
> On Jun 20, 2016, at 4:19 AM, pa011 wrote:
>
> Hi all,
>
> thanks again for your hints - in my case they obviously find Tor less
> fancy - their response today is the following:
>
> "Hello.
> You need to take steps to ensure that the complaint would be no longer
> received.
> This software is only allowed if there are no complaints on the server."
>
> As I can't close Port 80 and the next attack would be a different target
> I guess there is not much room for response :-(
>
> Rgds
>
> Paul

Paul,

This is a recurring issue that will not go away, because protecting malicious traffic is part of the foundational Tor philosophy. Tor very intentionally has no ability (beyond rudimentary port/host blocking) to control the type of traffic it carries, there are no plans to add any sort of IDS functionality, and filtering exit relay traffic is frowned upon by the Tor community. This is why abuse reports happen, and it's the primary reason that Tor relays are blocked by so many services—typically not because folks are against personal privacy, but because they simply take a very practical approach to network security.

So, if you (or your ISP) determine that the benefits of Tor aren’t compelling enough to turn a blind eye to malicious Tor traffic and the abuse reports it generates, then your only real options are to either not run an exit, or not run Tor at all. That’s just the way it is.

Jon
Re: [tor-relays] Handling abuse - like to get your help please
If you know your ISP, the best thing to do is try to schedule a face-to-face meeting with their management and security personnel. Be prepared to explain Tor, its essential function, and both the pros and cons of running an exit. Then listen to their concerns, and try to address them.

Ultimately, if they’re not on board with the basic idea of running an exit, none of your other questions matter—because they’re not going to get paid for the hassle of running Tor. They have to be willing to host your exit purely for the sake of the warm fuzzy feeling of knowing they might be helping some oppressed soul somewhere, or at least annoying the NSA and its international counterparts.

Or, find an online “faceless” ISP that specifically permits Tor exits in its AUP.