On 12/21/11 1:59 PM, Steven J. Murdoch wrote:
> On Tue, Dec 20, 2011 at 07:35:50PM +0100, Fabio Pietrosanti (naif) wrote:
>> Please, get a public IP address, don't announce it, don't do anything.
>> Now please have a look, without even being a Tor server, how many mass
>> scans you receive.
>>
>> So please, don't bother with that justification, a scan like that would
>> probably just be one scan of 10000 you receive every week.
>
> The scan which happened yesterday was enough to get the attention of both the
> university network security team, and the sys-admins of the department which
> hosts my Tor server. The last time this happened was 2009.
That's probably the rate used for fast scanning (-T Insane) that caused an IDS
alert to trigger (number of packets / time). Apologies for that (it probably
sent 1354 packets in 1 second).

However, this behaviour could be fixed by reducing the rate of packet sending,
spreading the portscan over a long time.

The "-F" option of nmap scans ports 1-1024 + /etc/services. Nmapping from a
Debian system, that is 1354 ports.

If we would send "1 packet" every minute, it would take about 22 hours to
complete the scan, bypassing almost any portscan detection system.

That way it would still be possible to map the open ports / service versions,
but without creating alarms or abuse complaints.

What do you think?

-naif

_______________________________________________
tor-talk mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
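The message above claims that a one-packet-per-minute scan "bypasses almost any portscan detection system". That is true for detectors that count packets per second, but not for one that counts distinct destination ports per source over a long sliding window. The following is an added example, not code from the thread or from any Tor or nmap tool: it parses constructed firewall-style log lines (the `timestamp src dst dport` format is an assumption) and runs the same distinct-port detector twice, once with a 60-second window and once with a 24-hour window, against a burst scanner, a slow scanner at the rate proposed in the message, and a benign client.

```python
"""Sliding-window port-scan detector: flags a source that touches at least
`threshold` distinct destination ports within any `window` of time.
Constructed example for illustration; the log format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    # Assumed log format: "<ISO-8601 timestamp> <src ip> <dst ip> <dst port>"
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scanners(lines, window, threshold):
    """Return the set of source IPs that hit >= threshold distinct ports
    within some time span of length `window` (two-pointer sliding window)."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, _dst, dport = parse_line(line)
        by_src[src].append((ts, dport))

    flagged = set()
    for src, events in by_src.items():
        events.sort()                      # chronological order
        port_counts = defaultdict(int)     # distinct ports inside the window
        left = 0
        for ts, dport in events:
            port_counts[dport] += 1
            # Drop events that fell out of the window on the left side.
            while ts - events[left][0] > window:
                old_port = events[left][1]
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
                left += 1
            if len(port_counts) >= threshold:
                flagged.add(src)
                break                      # one hit is enough to flag
    return flagged


def build_sample_log():
    """Constructed traffic (documentation-range addresses, not real hosts)."""
    base = datetime(2011, 12, 21, 0, 0, 0)
    lines = []
    # Slow scanner: one new port per minute over 1354 ports (~22.5 hours),
    # the rate proposed in the message.
    for i in range(1354):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 198.51.100.7 203.0.113.5 {i + 1}")
    # Burst scanner: 200 ports inside one second (-T Insane style).
    for i in range(200):
        t = base + timedelta(milliseconds=5 * i)
        lines.append(f"{t.isoformat()} 198.51.100.9 203.0.113.5 {i + 1}")
    # Benign client: only ports 80 and 443, repeatedly, over the whole day.
    for i in range(500):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} 192.0.2.44 203.0.113.5 {443 if i % 2 else 80}")
    return lines


# Burst rule: the kind of per-minute threshold the message expects to evade.
BURST_WINDOW, BURST_THRESHOLD = timedelta(seconds=60), 20
# Slow rule: a long window with a distinct-port threshold catches 1 port/min.
SLOW_WINDOW, SLOW_THRESHOLD = timedelta(hours=24), 100


def run(lines=None):
    lines = lines if lines is not None else build_sample_log()
    return {
        "burst": detect_scanners(lines, BURST_WINDOW, BURST_THRESHOLD),
        "slow": detect_scanners(lines, SLOW_WINDOW, SLOW_THRESHOLD),
    }


if __name__ == "__main__":
    for rule, sources in run().items():
        print(rule, sorted(sources))
```

With the constructed log, the 60-second rule flags only the burst scanner, while the 24-hour rule flags both scanners and still leaves the benign client alone, because the benign host never touches more than two distinct ports. The cost of the long window is memory: the detector must retain a day of per-source port history, which is why many IDS deployments keep only the short-window rule.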
