[tor-talk] torslap!
Lucia Liljegren
lucia at rankexploits.com
Thu May 2 18:19:59 UTC 2013
>
> Message: 1
> Date: Thu, 02 May 2013 11:03:52 +0200
> From: Moritz Bartl <moritz at torservers.net>
>
> [...]
> The second and most common type of blocking happens after someone has
> been "attacked" once, or twice, via Tor, or an active "attack" is
> ongoing. I use quotation marks here because most things that happen
> would not be considered real attacks. Many IDS, and nowadays even blog
> software etc., detect "unlikely behaviour" such as port scanning,
> crawling, trying some script kiddie SQL injections, looking for common
> exploitable CMS and the like. Most of these "behaviours" are *not*
> targeted at specific sites, many are just using some bad or worse
> scanning tool.
I've had this happen at my blogs. Whether or not "attack" is the correct word and whether or not the action is targeted at my specific site, when it happens it is relentless. These "not-attack" behaviors (i.e. scanning, fingerprinting, attempts at SQL injections, RFI and to some extent just plain old rapid scraping) all consume my resources. Given the ever-present possibility of a zero-day vulnerability in a WordPress blog, there is a danger that the scanning tools will find something I was unaware of and wreak havoc. But even if they don't find a vulnerability, they just hammer away, generally rapidly and relentlessly.
>
> This second type of blocking would be very much helped with something
> like torslap.
How? I guess I don't understand because I don't know how someone is imagining this would be implemented. These vulnerability scanners are generally guessing hundreds to thousands of addresses that don't exist.
Because these "not attackers" are guessing addresses they tend to hit my 404 page, which is dynamic and does some checks. When I detect an IP doing this sort of stuff, I use Cloudflare's API and ban the IP for 7 days. I don't check if the IP is Tor. I don't care if the IP is Tor, an open proxy, a server, a zombie drone or what not. It's gone. When the scanner is using proxies or Tor (both get used), they come back on a new IP after a short pause. I ban that IP.
It's true that in this process, many Tor IPs could end up banned. Note also: when I do see sustained "not-attacks" using Tor and they just keep coming back endlessly, I do pre-emptively ban all Tor for 7 days.
What's the proposal under Torslap? I check the IP that's fingerprinting, and if it's Tor, I make it pass a "proof of work", and then let it continue to scan? That can't be what you are suggesting. So what are you suggesting?
> Sites "under ongoing attack" could easily deploy them, maybe even
> together with a timeout, and thus get rid of the one attacker without
> having to block all Tor users (even temporarily, a mechanism which they
> rarely lift again because they have no incentive to do so).
How would the Torslap make the "not-attacker" who is hunting for vulnerabilities go away?
>
> Sites that sometimes get hit by random scans and the like, not currently
> under active attack, could also obviously benefit from torslap. I
> haven't read the whole thread, but (Re)CAPTCHA could be considered a
> cheap and powerful "proof of work", too.
I don't see how ReCaptcha addresses the random scan "not-attacks". It may be proof of work. Systems to submit captchas to humans in low-income countries already exist; that might make the scanning operation more costly. But someone running a server would need to have rocks in their head to permit scanning complete with attempts at RFI, SSH, brute force attacks on wp-login.php and such merely because someone submitted a "proof of work" for that IP.
>
> I would love to see something as simple as an iptables bucket for Tor
> users where they can be first sent to a different webserver/site, and
> after they "do something there" the exit IP is temporarily removed from
> the bucket. A second interesting approach would be something more
> specific for the software used, like a Wordpress plugin that blocks
> admin logins via Tor, puts Tor users under more "supervision" (moderated
> postings/registration, only "guest Tor post" without the ability to log
> in at all, read-only access, etc) etc.
You could easily write a WordPress plugin that checks the Tor exit nodes on certain WordPress actions, giving it the functionality you think is desirable. You could host the webserver/site where users are sent to perform their proof of work.
I don't think this plugin would help the people experiencing the "not-attack" type scanning/fingerprinting/RFI etc. behaviors described above. For the most part, that sort of "not-attack" has been the biggest Tor-related nuisance I've experienced. For me, Tor and comment spam is not a big problem. I have plenty of ways to deal with comment spam. But maybe other WordPress bloggers would use the service. There are many useful WordPress services; each blogger has their own difficulties and their own preferences.
>
> David Vorick david.vorick at gmail.com
> Thu May 2 14:21:31 UTC 2013
>
> What if you had something like exit nodes that required proof-of-work or
> bitcoin-to-use in order to be used, as per-choice of the person running the
> node? You would have a bunch of 'unsafe' exit nodes that behave like exit
> nodes today, and then a bunch of 'difficult' exit nodes that require user
> effort (maybe even per-packet) to use, on a scale small enough that it's
> just like adding 20s to your ping, but enough that it puts off abusive
> users. You could also make it so all hashes have to be computed real-time
> (require a timestamp within 5 mins, for example), so that an attacker
> couldn't use an ASIC for a day and store up 50GB worth of packet-abuse.
>
> I think the goal would be to make abusing these nodes annoying enough to
> use abusively that other options (unrelated to tor) are more attractive to
> abuse users.
If Tor had a way of keeping abusive users off, this might help.
After all: if you read the above, if I see fingerprinting/RFI injections and so on from an IP, I'm going to ban that IP at Cloudflare. I'm not going to make an exception for Tor. The way Cloudflare works, if many people ban that IP, Cloudflare may end up giving it a high threat level, and depending on the security level selected by a Cloudflare user, that IP could be blocked because its threat level is too high. Similar things happen with various blacklists, forum spam filters and so on. These groups aren't going to keep statistics and create ratings for IPs and then carve out an exception for Tor IPs. If Tor wants their IPs to stay off these lists, Tor needs to find a way to inhibit the behaviors that get their IPs listed. If there is some way to get the fingerprinters/RFI injectors/scrapers etc. off Tor, that might benefit Tor users who don't fingerprint/RFI inject/scrape and so on.
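The detection the post describes (a dynamic 404 handler that notices an IP guessing non-existent addresses and bans it for 7 days, Tor or not) can be expressed as a small rate-based check over web-server logs. The following is an added example written for this page, not code from the post's author or from any of the projects mentioned: the log lines and the Tor exit list are constructed, the path names are generic placeholders, the threshold and window are assumptions, and the ban is returned as a decision record rather than sent to the Cloudflare API. The Tor membership check only annotates the decision; as in the post, it does not change it.

```python
"""Rate-based scanner detection over 404s, annotated with Tor exit status.

Added example for the tor-talk discussion above (not the author's code).
Constructed inputs only; the Cloudflare API call the post mentions is out
of scope and replaced by a returned ban decision.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Combined-log style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

BAN_DURATION = timedelta(days=7)  # the post's "ban the IP for 7 days"

# Constructed stand-in for a real Tor exit list (documentation-range IPs).
TOR_EXITS_SAMPLE = frozenset({"198.51.100.23"})

# Constructed sample: one IP probing generic non-existent paths in quick
# succession, plus two benign clients that occasionally miss.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2013:18:00:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.23 - - [02/May/2013:18:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:03 +0000] "GET /pma/ HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:03 +0000] "GET /admin/ HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:04 +0000] "GET /backup/ HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:05 +0000] "GET /old/ HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:05 +0000] "GET /test/ HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:06 +0000] "GET /db/ HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:07 +0000] "GET /setup.php HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:08 +0000] "GET /install/ HTTP/1.1" 404 1234
198.51.100.23 - - [02/May/2013:18:00:09 +0000] "GET /config.bak HTTP/1.1" 404 1234
203.0.113.7 - - [02/May/2013:18:00:10 +0000] "GET /favicon.ico HTTP/1.1" 404 1234
192.0.2.50 - - [02/May/2013:18:05:00 +0000] "GET /missing-page HTTP/1.1" 404 1234
203.0.113.7 - - [02/May/2013:18:05:30 +0000] "GET /2013/05/post/ HTTP/1.1" 200 8192
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_scanners(lines, threshold=8, window=timedelta(seconds=60),
                    tor_exits=frozenset()):
    """Return one ban decision per IP that produced at least `threshold`
    404s inside any `window`-long span. The first trigger wins; later
    lines from an already-banned IP are ignored, as a ban would make them."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 404s (sliding window)
    bans = {}                    # ip -> decision record
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404 or rec["ip"] in bans:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop misses outside the window
            q.popleft()
        if len(q) >= threshold:
            bans[rec["ip"]] = {
                "ip": rec["ip"],
                "misses_in_window": len(q),
                "is_tor_exit": rec["ip"] in tor_exits,  # annotation only
                "banned_at": rec["ts"],
                "expires": rec["ts"] + BAN_DURATION,
            }
    return list(bans.values())


if __name__ == "__main__":
    for d in detect_scanners(SAMPLE_LOG.splitlines(), tor_exits=TOR_EXITS_SAMPLE):
        print(f"ban {d['ip']} (tor exit: {d['is_tor_exit']}) "
              f"after {d['misses_in_window']} misses, until {d['expires']:%Y-%m-%d}")
```

The two benign clients never accumulate enough misses inside one window, so only the probing IP is banned; raising the threshold above its total miss count produces no ban at all. A real deployment would replace the returned record with the firewall or CDN call of choice and would fetch the exit list rather than hard-coding it.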