[tor-relays] Intrusion Prevention System Software - Snort or Suricata
Roger Dingledine
arma at mit.edu
Tue Oct 4 19:42:34 UTC 2016
On Tue, Oct 04, 2016 at 10:21:14AM -0500, BlinkTor wrote:
> The technical problem is that implementing IPS in Tor would be massively non-trivial.[...]
>
> The political problem is, what gets blocked by TIPS and what doesn't? Who gets to decide? What if some of those brute-force SSH or DOS attacks are "good guys" trying to crack the "bad guy" servers? Is that legitimate Tor traffic? Who gets to decide who are the good/bad guys? Could we agree on a base level of protection, perhaps by relay operator consensus? Etc.
Another challenge here is that many lawyers have told us that you change
your legal situation if you start choosing which traffic to allow
through. Specifically, if you just pass bytes back and forth, you're
essentially in the common carrier situation, like backbone telcos and
backbone Internet providers. But if you make a list of topics or messages
or patterns to block, then it becomes your responsibility to make that
list perfect, and your fault if you leave something out of your list.
So it would seem that using an IPS is fundamentally dangerous for relay
operators.
I've heard that this logic applies both in the US and in Europe. But
it's been a while since we've had an actual lawyer look at the topic.
Maybe this is a great question for each of the torservers.net umbrella
orgs to ask their friendly nearby lawyers who are wanting to help them?
There is also the separate but related question of wiretapping: blocking
some traffic based on patterns in the request content implies looking at
the traffic, which relay operators typically do not have permission to
do. While ISPs typically make their customers sign an agreement that they
will be surveilled (and I guess they ignore the concept of jurisdictions
that require consent from both sides), Tor relay operators do not have
that agreement -- and they can't really get it, because their 'users'
are all the Tor users.
In summary, I totally get why hosting providers would want to ask relay
operators to monitor their traffic and block certain activities by
examining connection payloads, and that's to make their lives easier,
not for any legal requirement. But it would appear there are some legal
reasons why Tor relay operators might (should?) hesitate to deploy
an IPS on their traffic, and those legal reasons are probably not as
well-understood as they could be.
Do any of the torservers umbrella orgs want to pick this one up and do
something with it? I remember hearing Pepijn cite a specific EU law that
says European relay operators aren't liable for their traffic so long
as they don't mess with it.
One of the goals would be for relay operators to better understand the
tradeoff they should consider when deciding whether to do the thing
that their ISP asks for. Another goal would be for the ISP to better
understand what they're asking from the relay operators.
--Roger