[tor-relays] How to protect yourself from network scanning

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed Aug 1 07:27:34 UTC 2012


On 8/1/12 9:24 AM, Administrator wrote:
> 
> an easy way is to limit the amount of tcp connections at the same time on an edge router. this is usually done to get rid of script kiddies which try to break into ssh by trying every possible password for root. if tcp init is however rate limited then it's like a slow connection for opening sessions. this could affect outgoing http though so it's smarter to exclude port 80 and 443 from it.

That way you will not catch scanning that goes across an entire netblock
on port 80 to look for a possible specific vulnerable web application
(portscanning + application vulnerability check).

You need to look at a very specific portscanning pattern, finely tuned so
that it would not risk also matching good Tor traffic.

-naif
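
The distinction drawn in this reply, as an added example that is not part of the original message: a detector keyed on how many distinct hosts inside one netblock are contacted on one port within a short window, rather than on connection rate. The flow tuple format, the /24 grouping (IPv4 only), the thresholds and all function names are assumptions chosen for illustration, and the flows are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_network

WINDOW = 60      # seconds of history kept per (netblock, port); assumed tuning value
MIN_HOSTS = 20   # distinct hosts in one /24 on one port that count as a sweep; assumed


def find_netblock_sweeps(flows, window=WINDOW, min_hosts=MIN_HOSTS):
    """flows: iterable of (timestamp, dst_ip, dst_port) for outbound TCP SYNs.
    Returns the sorted (netblock, port) pairs that were swept inside `window`."""
    recent = defaultdict(dict)  # (netblock, port) -> {dst_ip: last_seen_timestamp}
    sweeps = set()
    for ts, dst, port in sorted(flows):
        # Group by the destination's /24, not by source or by single destination.
        key = (str(ip_network(f"{dst}/24", strict=False)), port)
        seen = recent[key]
        seen[dst] = ts
        # Forget hosts last contacted outside the sliding window.
        for host in [h for h, t in seen.items() if ts - t > window]:
            del seen[host]
        if len(seen) >= min_hosts:
            sweeps.add(key)
    return sorted(sweeps)


def constructed_flows():
    """Constructed sample traffic (documentation and benchmarking address ranges)."""
    # One netblock walked host by host on port 80: the pattern the reply describes.
    sweep = [(i, f"198.51.100.{i + 1}", 80) for i in range(30)]
    # Ordinary exit-like traffic: many port-80 connections, each to a different /24.
    spread = [(i, f"198.18.{i}.10", 80) for i in range(40)]
    # A busy client opening many connections to a single host on 443.
    busy = [(i * 0.5, "203.0.113.7", 443) for i in range(100)]
    return sweep + spread + busy


if __name__ == "__main__":
    for block, port in find_netblock_sweeps(constructed_flows()):
        print(f"possible sweep of {block} on port {port}")
```

A sweep slower than `min_hosts` per `window` stays under this threshold, so both values have to be tuned against real relay traffic before acting on the output.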

