Re: [tor-relays] Abuses for non-exit relay

2018-04-08 Thread Roger Dingledine
On Sun, Apr 08, 2018 at 12:23:32PM +0200, Felix wrote:
> Since November my ISP and I received a handful of abuses for a
> non-exit. It is about scanning ports and addresses of a certain let's
> say victim ISP. I received one other abuse with another server.
> 
> For now I kindly want to ask if some operator received similar abuses
> for non-exits ? [1]

Yes, I get periodic abuse complaints to moria1 (my directory authority).

People complain that I connect to them over and over for weeks or months,
doing port scans.

What's really happening is that they are connecting to me -- meaning they
are running a Tor client -- and they are using some confusing firewall
tool that makes them misunderstand what's going on.

Once we collect enough tcpdump style logs from them, it becomes clear
that they are seeing the "syn ack" from my computer, and since their
outgoing connections to my relay use a fresh (high-numbered) port each
time, they think it is port scanning.

They never connect my computer with Tor in their minds. They just run
a firewall tool and send complaints to the places they see in its logs.

--Roger

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
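The triage Roger describes (collect tcpdump-style logs, then work out who sent the bare SYN and who only answered with SYN-ACK) can be automated. The following is an added example, not code from the thread or from the Tor project: it parses constructed tcpdump lines, groups them into TCP flows between a hypothetical relay (198.51.100.10, ORPort 9001) and the complaining host (203.0.113.5), and reports which side initiated each flow. Addresses, ports and the sample capture are all made up for the example.

```python
import re

# Constructed tcpdump-style capture, not from the thread. 198.51.100.10:9001
# is a hypothetical relay's ORPort; 203.0.113.5 is the host whose firewall
# tool is producing the complaint. Three flows are opened by the remote host
# from fresh high-numbered ports (it is running a Tor client); one flow is
# opened by the relay itself and is reset by the remote host.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 203.0.113.5.51234 > 198.51.100.10.9001: Flags [S], seq 100, win 65535, length 0
12:00:01.000120 IP 198.51.100.10.9001 > 203.0.113.5.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:01.000240 IP 203.0.113.5.51234 > 198.51.100.10.9001: Flags [.], ack 201, win 65535, length 0
12:03:07.000000 IP 203.0.113.5.51980 > 198.51.100.10.9001: Flags [S], seq 300, win 65535, length 0
12:03:07.000110 IP 198.51.100.10.9001 > 203.0.113.5.51980: Flags [S.], seq 400, ack 301, win 65535, length 0
12:09:44.000000 IP 203.0.113.5.52511 > 198.51.100.10.9001: Flags [S], seq 500, win 65535, length 0
12:09:44.000130 IP 198.51.100.10.9001 > 203.0.113.5.52511: Flags [S.], seq 600, ack 501, win 65535, length 0
12:15:00.000000 IP 198.51.100.10.40111 > 203.0.113.5.443: Flags [S], seq 700, win 65535, length 0
12:15:00.000200 IP 203.0.113.5.443 > 198.51.100.10.40111: Flags [R.], seq 0, ack 701, win 0, length 0
"""

# Matches the default tcpdump text format for TCP over IPv4.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(capture):
    """Yield (src, sport, dst, dport, flags) for every parseable line."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]


def triage(capture, relay_ip, remote_ip):
    """Group packets between relay_ip and remote_ip into TCP flows and record,
    per flow, who sent the bare SYN (the initiator) and who sent the SYN-ACK."""
    flows = {}
    for src, sport, dst, dport, flags in parse_packets(capture):
        if {src, dst} != {relay_ip, remote_ip}:
            continue  # traffic not involving both parties
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flow = flows.setdefault(key, {"initiator": None, "synack_from": None})
        if flags == "S":      # bare SYN: this side opened the connection
            flow["initiator"] = src
        elif flags == "S.":   # SYN-ACK: this side only answered
            flow["synack_from"] = src

    summary = {
        "remote_initiated": 0,
        "relay_initiated": 0,
        "remote_ephemeral_ports": [],   # the "scanned ports" the firewall tool reports
        "relay_ports_targeted": set(),  # what the remote host actually connected to
        "relay_synacks": 0,
    }
    for endpoints, flow in flows.items():
        if flow["initiator"] == remote_ip:
            summary["remote_initiated"] += 1
            for ip, port in endpoints:
                if ip == remote_ip:
                    summary["remote_ephemeral_ports"].append(port)
                else:
                    summary["relay_ports_targeted"].add(port)
        elif flow["initiator"] == relay_ip:
            summary["relay_initiated"] += 1
        if flow["synack_from"] == relay_ip:
            summary["relay_synacks"] += 1
    summary["remote_ephemeral_ports"].sort()
    return summary


def verdict(summary, orport):
    """Short label for the abuse reply. 'client-traffic' means every flow was
    opened by the remote host towards the ORPort, i.e. the remote host runs a
    Tor client and the 'scan' its firewall logged is the relay's SYN-ACKs."""
    client = summary["remote_initiated"] > 0 and summary["relay_ports_targeted"] == {orport}
    outbound = summary["relay_initiated"] > 0
    if client and outbound:
        return "mixed"
    if client:
        return "client-traffic"
    if outbound:
        return "relay-outbound"
    return "none"


if __name__ == "__main__":
    s = triage(SAMPLE_CAPTURE, "198.51.100.10", "203.0.113.5")
    print(s)
    print(verdict(s, 9001))
```

Run against a real capture, the interesting numbers are `remote_initiated` against `relay_initiated`: a complaint that lists dozens of "scanned" high ports over weeks but shows zero relay-initiated flows is the situation Roger describes. Any relay-initiated flows are worth looking at separately, since those are the relay's own outbound connections.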


Re: [tor-relays] Abuses for non-exit relay

2018-04-08 Thread teor

> On 8 Apr 2018, at 20:23, Felix wrote:
> 
> Happy today
> 
> Since November my ISP and I received a handful of abuses for a
> non-exit. It is about scanning ports and addresses of a certain let's
> say victim ISP. I received one other abuse with another server.
> 
> For now I kindly want to ask if some operator received similar abuses
> for non-exits ? [1]
> 
> Under my perspective it could be:
> - ip-spoofing. A third entity uses my ip and sends sync requests to the
> victim. There will never be a stateful connection, but the victim feels
> offended. As result the only one who gets trouble is me.
> - I got hacked (Uhh, don't like these words) which I suspect is not the
> case. Then stateful connections are possible and by scanning etc the
> attacker interferes with the victim. We should not discuss this here.
> - There is some way out of the code which enables an attacker to perform
> solicited or unsolicited interference. Like [2] or not known or
> whatever. It is difficult to discuss with my ISP because the world
> expects the non-exits connect only inside the Tor network and onion
> services.

Yes, people can use non-exit relays to port scan.

I'll quote my original email, which you have as [2]:
> Receiving unsolicited TCP connections is a normal part of running
> a server on the Internet. And anyone who sends unsolicited spammy
> emails in response lacks a sense of irony.
But maybe we could change the Tor relay code to make failed circuits
less useful for scanning?

We should check that we are returning the same reason for every
non-relay port and IP, regardless of whether the IP exists, the port is
open, or the port does TLS.

We could delay failure responses for a random interval.

> Some facts:
> - The victim ISP hosts no relay
> - The relays are guards and potentially fallbacks (fallback and
> non-fallback share an ip)
> - I firewall blocked (outbound) all victim ISPs subnets. I logged some
> outbound trials but this could not stop the abuses. Why? Maybe the
> victim ISP has changing ip ranges which usually happens from time to
> time or I do not know their subnets completely. Interesting was that one
> destination ip was x.x.x.0 which is subnet zero.

Now that subnet routing is classless, zero is a valid address.
It's typically used for the gateway or network address, but that's not
required:

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks

> - Currently I firewall block (inbound) all victim ISPs subnets and found
> log entries scanning (syn) my server on a non Tor port. Before blocking
> inbound, was there a way that someone from the victim ISP ip range can
> drive my relay (not server) to act like an offender back to the victims ISP?

They can run a tor client, connect to your relay, and tell it to connect to
another IP address as if it is a relay. That's a standard part of the tor
protocol via your relay's ORPort.

So there's no need to block inbound, and it won't solve this issue.

> Pretty weird stuff but please swarm help! I apologize for my maybe
> foolish thoughts and please don't hit me too hard, though.
> 
> [1]
> [tor-relays] abuse email for non-exit relay (masergy)
> https://lists.torproject.org/pipermail/tor-relays/2017-September/013030.html
> 
> [2] Re to [1]
> https://lists.torproject.org/pipermail/tor-relays/2017-September/013041.html

T
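teor's two suggestions (return the same reason for every non-relay address and port, and delay failure responses by a random interval) can be sketched as a small model. This is an added illustration, not tor code: the reason string, the outcome table, the deadline and the jitter width are all hypothetical, and latencies are simulated numbers rather than real sleeps. It contrasts three responders: the naive one that reports what locally happened, one that only adds random jitter to the real latency, and one that always answers at a fixed deadline plus jitter.

```python
import random
import socket

# Hypothetical values; the real reason codes and timeouts are not in the thread.
UNIFORM_REASON = "CONNECT_FAILED"
DEADLINE_SECONDS = 5.0   # the connect timeout, i.e. the longest honest failure
JITTER_SECONDS = 2.0     # width of the random extra delay

# Constructed table of what a relay locally observes when asked to extend a
# circuit to an address that is not a relay: (exception, seconds until it
# was known). Each outcome differs in both kind and timing.
OUTCOMES = {
    "no_route":   (ConnectionError("no route to host"), 0.05),
    "refused":    (ConnectionRefusedError(), 0.02),
    "timeout":    (socket.timeout(), DEADLINE_SECONDS),
    "tls_failed": (ValueError("peer is not a relay"), 0.30),
}


def naive_response(outcome, rng=None):
    """'Before': reason and latency both reflect what really happened."""
    err, latency = OUTCOMES[outcome]
    return type(err).__name__, latency


def jitter_only_response(outcome, rng):
    """Same reason for everything, but the random delay is added to the real
    latency, so the average response time still reveals the outcome."""
    _, latency = OUTCOMES[outcome]
    return UNIFORM_REASON, latency + rng.uniform(0, JITTER_SECONDS)


def uniform_response(outcome, rng):
    """One reason, answered at the deadline plus jitter. The real latency only
    matters if it exceeds the deadline, which the deadline is chosen to prevent."""
    _, latency = OUTCOMES[outcome]
    return UNIFORM_REASON, max(latency, DEADLINE_SECONDS) + rng.uniform(0, JITTER_SECONDS)


def distinguishable_by_reason(responder, outcomes, rng):
    """True if a client could tell two outcomes apart from the reason alone."""
    return len({responder(o, rng)[0] for o in outcomes}) > 1


def mean_delay(responder, outcome, seed=3, samples=2000):
    """Average response time a client would measure by repeating a request."""
    rng = random.Random(seed)
    return sum(responder(outcome, rng)[1] for _ in range(samples)) / samples


if __name__ == "__main__":
    rng = random.Random(1)
    for name, resp in (("naive", naive_response), ("jitter-only", jitter_only_response),
                       ("uniform", uniform_response)):
        print(name, "reason leaks:", distinguishable_by_reason(resp, OUTCOMES, rng),
              "refused mean: %.2f" % mean_delay(resp, "refused"),
              "timeout mean: %.2f" % mean_delay(resp, "timeout"))
```

The design point the model makes is that jitter alone is not enough: if the random delay is added on top of the real latency, a client that repeats the request can average the jitter away and still separate a refused port from a timed-out one. Answering every non-relay failure at the same deadline (plus jitter) removes both the reason and the timing signal, at the cost of making every such failure as slow as a timeout.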