[tor-relays] Intrusion Prevention System Software - Snort or Suricata

oconor at email.cz oconor at email.cz
Thu Oct 6 12:45:40 UTC 2016


It's apparent that you're definitely not going to solve that ... you're 
more into searching for reasons why not to do that than for possibilities of how to do 
that :) (btw you haven't mentioned your IPS experiences)



I'm just stating facts:



- the amount of malicious traffic is rising (over the last 5 years its 
volume has been multiplying) - to be exact, in the last two years we filtered, just in 
our network, over 300000 various DDoS attacks - before that we used a non-automated 
system (tcpdump on backbone routers and iptables) because anything automated
wasn't necessary! The amount of malicious traffic (not DDoS) against our 
webhosting servers is nowadays ~15% (that's 300Mbit/s); in the last year it 
rose 3x.



- I know about every Tor server in our VPS segment - it's not difficult - 
the warnings about malicious traffic keep coming. The amount of reported 
problems grows with the same trend as the amount of malicious traffic on
the internet.



- The traffic going out of Tor exit nodes in our network is even worse than 
the one which is coming in from the internet. Paul, who started this thread, 
has a constant flow of over 50kpps. It consists mostly of various DoS attacks +
exploits against many known CMSs. I wouldn't be surprised if an attack came 
against our infrastructure. Anyway, it would be really interesting to 
analyze that flow completely.



- The next thing (already mentioned) is that in our case these Tor nodes of Paul's 
can worsen the reputation of one /22 and one /21 subnet. That's a crucial 
problem for us; the nineties are bye bye, we've got just a few /21 subnets and we can't 
afford to have IPs banned by some widely used authority.



This is the short summary ... the only thing I say as an ISP is that if 
this is not going to change, we're going to ban Tor in our network. The 
amount of resources we have to put into managing something like that doesn't 
make economic sense for us. I would be surprised if there is an ISP in 3-
5 years who is going to have a different opinion.


---------- Original message ----------
From: Ralph Seichter <tor-relays-ml at horus-it.de>
To: tor-relays at lists.torproject.org
Date: 6. 10. 2016 13:39:54
Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or 
Suricata


"On 06.10.16 12:57, oconor at email.cz wrote:

> You probably will invest your time, but the ISP won't. The amount of
> the problems is multiplying. Tor should evolve, or it will go extinct
> like the dinosaurs.

I don't think that Tor has a problem. It works as designed. One might
say that service providers have a problem dealing with Tor, because of
the effort involved, or that complaining parties have a problem with
Tor, because they don't understand or care that a Tor exit is not the
real source of "bad traffic", or that they can block Tor-based traffic
by using the already existing information provided by the Tor project
(see https://www.torproject.org/docs/faq-abuse.html.en#Bans).

Pointing fingers is not going to help, and neither is implementing
automated self-censorship on Tor exits. If somebody wants me to block
his destination IP on my Tor exit nodes, he'll have to explicitly tell
me so, and explain why he's not blocking my exit nodes instead.

-Ralph

_______________________________________________
tor-relays mailing list
tor-relays at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays"
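The check Ralph points at, matching incoming traffic against the exit addresses the Tor project itself publishes, as an added example that is not part of this thread nor the Tor project's own code. It assumes the exit list is in the TorDNSEL bulk format (ExitNode / Published / LastStatus / ExitAddress records, as served from check.torproject.org/exit-addresses); the exit list and the web-server log lines embedded below are constructed samples, with invented fingerprints and addresses from the RFC 5737 documentation ranges.

```python
"""Tag web-server log lines whose client address is a published Tor exit.

Assumption: the exit list uses the TorDNSEL bulk format. Every value
below is a constructed sample, not data from the mailing-list thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed exit list in TorDNSEL format (fingerprints are invented).
SAMPLE_EXIT_LIST = """\
ExitNode AAAA000000000000000000000000000000000001
Published 2016-10-06 03:36:14
LastStatus 2016-10-06 05:00:00
ExitAddress 198.51.100.7 2016-10-06 05:45:17
ExitNode AAAA000000000000000000000000000000000002
Published 2016-10-06 02:10:00
LastStatus 2016-10-06 05:00:00
ExitAddress 203.0.113.44 2016-10-06 05:40:01
ExitAddress 203.0.113.45 2016-10-06 05:41:09
"""

# Constructed log lines (combined log format, trimmed), plus one junk line.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Oct/2016:12:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Oct/2016:12:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.45 - - [06/Oct/2016:12:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0',
    'garbage line without an address',
]


def parse_exit_list(text: str) -> Dict[str, str]:
    """Return {exit_address: relay_fingerprint} from TorDNSEL-format text.

    An ExitNode line opens a record; each ExitAddress line that follows
    (until the next ExitNode) is an address that relay has exited from.
    """
    exits: Dict[str, str] = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint is not None:
            exits[parts[1]] = fingerprint
    return exits


# Client address is the first field of a combined-format log line.
_CLIENT_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def tag_log_lines(lines: List[str], exits: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pair each line's client address with the matching exit fingerprint,
    or "" when the address is not a known exit. Lines that do not start
    with an IPv4 address are skipped rather than guessed at.
    """
    tagged: List[Tuple[str, str]] = []
    for line in lines:
        m = _CLIENT_IP.match(line)
        if not m:
            continue
        ip = m.group(1)
        tagged.append((ip, exits.get(ip, "")))
    return tagged


def exits_seen(lines: List[str], exits: Dict[str, str]) -> Dict[str, int]:
    """Count hits per exit fingerprint. The fingerprint, not the exit's IP,
    identifies the relay an operator would be contacted about; the exit
    address itself is not the origin of the traffic.
    """
    counts: Dict[str, int] = {}
    for _ip, fp in tag_log_lines(lines, exits):
        if fp:
            counts[fp] = counts.get(fp, 0) + 1
    return counts


if __name__ == "__main__":
    table = parse_exit_list(SAMPLE_EXIT_LIST)
    for ip, fp in tag_log_lines(SAMPLE_LOG, table):
        print(f"{ip:15} {'tor-exit ' + fp if fp else 'direct'}")
    print(exits_seen(SAMPLE_LOG, table))
```

The block tags and counts rather than blocks: keyed by fingerprint, the same table lets an operator either drop the traffic at the edge or attribute it correctly in an abuse report, which is the distinction Ralph's message turns on. A live list changes as relays come and go, so the parsed table has to be refreshed on a schedule rather than baked in.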