[tor-relays] So long and thanks for all the abuse complaints

Zack Weinberg zackw at cmu.edu
Mon Dec 4 16:38:37 UTC 2017


On Mon, Dec 4, 2017 at 10:57 AM, Ralph Seichter <m16+tor at monksofcool.net> wrote:
> On 04.12.17 11:59, James wrote:
>
>> As a private individual, after just receiving my 4th abuse complaint
>> in as many days it's time to stop running my exit node.
>
> I've had an ongoing debate with a hosting service over a fresh exit node
> being abused for network scans (ports 80 and 443) almost hourly for the
> last few days. I can understand that they are pissed off, and the whole
> thing resulted in this particular exit being shut down by the hoster. If
> I could detect and prevent these scans, it would go a long way to avoid
> having my exit nodes shut down by hosting services.

With my exit node operator hat on, I too would like to see some sort
of port-scanning prevention built into the network.  In my case, I had
to turn off exiting to the SSH port because we were getting daily
complaints about abusive scanning for devices with weak admin
passwords.  Which is a shame, since there are plenty of legitimate
uses for SSH-over-Tor.

The tricky part is designing some sort of exit-node-controlled
new-connection rate limiting that's content-blind and won't interfere
with legitimate uses.  And "legitimate uses" include things like a web
browser generating a burst of TCP connections to the same HTTP/1.1
server cluster, exitmap connecting to the same test server repeatedly
via every exit node in the network, and so on.  I would want to see
any proposal document include a long list of known non-abusive traffic
scenarios and an argument that the mechanism would not interfere with
each.

zw


More information about the tor-relays mailing list