[tor-talk] Automatic vulnerability scanning of Tor Network?

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed Dec 21 13:14:50 UTC 2011


On 12/21/11 1:59 PM, Steven J. Murdoch wrote:
> On Tue, Dec 20, 2011 at 07:35:50PM +0100, Fabio Pietrosanti (naif) wrote:
>> Please, get a public IP address, don't announce it, don't do anything.
>> Now please have a look, without even being a Tor Server, how many mass
>> scans you receive.
>>
>> So please, don't bother with that justification, a scan like that would
>> probably just be one scan of 10000 you receive every week.
> 
> The scan which happened yesterday was enough to get the attention of both the
> university network security team, and the sys-admins of the department which
> hosts my Tor server. The last time this happened was 2009.

That's probably the rate used to get fast scanning (-T Insane) that
caused triggering of an IDS alert (number of packets / time).

Apologies for that (it probably sent 1354 packets in 1 second).

However, this behaviour could be fixed by reducing the rate of packet
sending, spreading the portscan over a long time.

The "-F" of nmap scans ports 1-1024 + /etc/services.
Nmapping from a Debian system, that is 1354 ports.

If we sent "1 packet" every minute, it would take about 22 hours to
complete the scan, bypassing almost any portscan detection system.

That way it would still be possible to map the open ports / service
versions, but without creating alarm or abuse complaints.

What do you think?

-naif
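
For the receiving side of the rate trade-off discussed in this message, an added example (not part of the original post) that runs a packets-per-second rule and a distinct-ports-per-source rule over constructed connection events. The thresholds, window sizes and documentation-range addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

RATE_WINDOW_S = 1            # assumed: window for the "packets / time" rule
RATE_THRESHOLD = 100         # assumed: packets per window before alerting
SPREAD_WINDOW_S = 24 * 3600  # assumed: long window for the distinct-port rule
SPREAD_THRESHOLD = 200       # assumed: distinct ports per source before alerting

def rate_alerts(events):
    """Sources sending more than RATE_THRESHOLD packets inside RATE_WINDOW_S."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, _port in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= RATE_WINDOW_S:   # drop timestamps outside the window
            q.popleft()
        if len(q) > RATE_THRESHOLD:
            flagged.add(src)
    return flagged

def spread_alerts(events):
    """Sources touching more than SPREAD_THRESHOLD distinct ports in SPREAD_WINDOW_S."""
    last_seen = defaultdict(dict)           # src -> {port: last timestamp}
    flagged = set()
    for ts, src, port in events:
        ports = last_seen[src]
        ports[port] = ts
        for stale in [p for p, t in ports.items() if ts - t >= SPREAD_WINDOW_S]:
            del ports[stale]                # forget ports not probed recently
        if len(ports) > SPREAD_THRESHOLD:
            flagged.add(src)
    return flagged

def sample_events():
    """Constructed (timestamp_s, source, dst_port) events, sorted by time."""
    fast = [(i / 1354, "192.0.2.10", i + 1) for i in range(1354)]   # 1354 ports in 1 s
    slow = [(i * 60.0, "192.0.2.20", i + 1) for i in range(1354)]   # 1 port per minute
    client = [(i * 30.0, "192.0.2.30", 443) for i in range(2000)]   # ordinary repeat client
    return sorted(fast + slow + client)

if __name__ == "__main__":
    ev = sample_events()
    print("rate rule:  ", sorted(rate_alerts(ev)))
    print("spread rule:", sorted(spread_alerts(ev)))
```

The spread rule keys on how many different ports a source touches, so the ordinary client that repeatedly connects to one port is not flagged by either rule.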

