[tor-relays] Intrusion Prevention System Software - Snort or Suricata
oconor at email.cz
Thu Oct 6 12:45:40 UTC 2016
It's apparent that you're definitely not going to solve that ... you're
more into searching for reasons why not to do that than for a possibility of
how to do that :) (btw you haven't mentioned your IPS experiences)
I'm just stating facts:
- The amount of malicious traffic is rising (during the last 5 years its
volume has been multiplying) - to be exact, in the last two years we filtered
over 300000 various DDoS attacks in our network alone - before that we used a
non-automated system (tcpdump on backbone routers and iptables) because
anything automated wasn't necessary! The amount of malicious traffic (not
DDoS) against our webhosting servers is nowadays ~15% (that's 300Mbit/s); in
the last year it rose 3x.
- I know about every Tor server in our VPS segment - it's not difficult -
the warnings about malicious traffic keep coming. The amount of reported
problems grows with the same trend as the amount of malicious traffic on
the internet.
- The traffic going out of Tor exit nodes in our network is even worse than
the traffic coming from the internet. Paul, who started this thread,
has a constant flow of over 50kpps. It consists mostly of various DoS attacks +
exploits against many known CMS. I wouldn't be surprised if there came an
attack against our infrastructure. Anyway, it would be really interesting to
analyze that flow completely.
- The next thing (already mentioned) is that these Tor nodes of Paul's can, in
our case, worsen the reputation of one /22 and one /21 subnet. That's a crucial
problem for us; the nineties are bye bye, we got just a few 21 subnets and we
can't afford to have an IP banned by some widely used authority.
This is the short summary ... the only thing I say as an ISP is that if
this is not going to change, we're going to ban Tor in our network. The
amount of resources we have to give for managing something like that doesn't
make economic sense for us. I would wonder if there will be an ISP in 3-5
years who is going to have another opinion.
---------- Original message ----------
From: Ralph Seichter <tor-relays-ml at horus-it.de>
To: tor-relays at lists.torproject.org
Date: 6. 10. 2016 13:39:54
Subject: Re: [tor-relays] Intrusion Prevention System Software - Snort or
Suricata
"On 06.10.16 12:57, oconor at email.cz wrote:
> You probably will invest your time, but the ISP won't. The amount of
> the problems is multiplying. Tor should evolve, or it will go extinct
> like dinosaurs.
I don't think that Tor has a problem. It works as designed. One might
say that service providers have a problem dealing with Tor, because of
the effort involved, or that complaining parties have a problem with
Tor, because they don't understand or care that a Tor exit is not the
real source of "bad traffic", or that they can block Tor based traffic
by using the already existing information provided by the Tor project
(see https://www.torproject.org/docs/faq-abuse.html.en#Bans).
Pointing fingers is not going to help, and neither is implementing
automated self-censorship on Tor exits. If somebody wants me to block
his destination IP on my Tor exit nodes, he'll have to explicitly tell
me so, and explain why he's not blocking my exit nodes instead.
-Ralph"