Hi everybody,
my ISP keeps on receiving abuse reports from shadowserver.org. They claim that an IRC bot operates from the IP that belongs to my tor exit.
The strange thing is that my exit policy only allows web and mail ports. Furthermore, the IPs of the shadowserver honeypots have a PTR entry under *.sinkhole.shadowserver.org.
So, I could block their servers either by means of the exit policy or with iptables. Which one would you prefer?
I additionally wanted to ask here if there is any experience with shadowserver in this regard?
Explaining the issue to my ISP failed. They keep on getting nervous.
Talking to shadowserver also failed, because subscription to their public mailing list is moderated and my direct mails have been ignored for several months now.
Any advice?
regards
Alex
On 3/19/2011 07:28, Alexander Bernauer wrote:
So, I could block their servers either by means of the exit policy or with iptables. Which one would you prefer?
If you're going to block them, use the exit policy (and then use iptables if you want). If you just block them with iptables you're likely to be labeled as a bad exit.
Best, Sam
Thus spake Alexander Bernauer (alex-tor@copton.net):
my ISP keeps on receiving abuse reports from shadowserver.org. They claim that an IRC bot operates from the IP that belongs to my tor exit.
The strange thing is that my exit policy only allows web and mail ports. Furthermore, the IPs of the shadowserver honeypots have a PTR entry under *.sinkhole.shadowserver.org.
Hrmm. Based on your snippets of mails you pasted on or-talk, it appears that a subset of the shadowserver folks are ideological zealots and crazed vigilantes. We've dealt with their flavor of lunacy before, in the form of the various "bribe me to get off my list or I will blackhole your entire netblock" DNSRBLs.
It is quite possible that lunatics like these will just make up abuse reports and send them to ISPs that look like they might cave. It is very interesting that our higher bandwidth exits that *do* exit to IRC are not hearing from them right now.
History has shown that the Internet as a whole usually learns to ignore nutballs. AFAIK, all of the "collateral damage" DNSRBLs are completely unused these days. Of course, that doesn't stop the nutballs from being really annoying in the short term :/.
So, I could block their servers either by means of the exit policy or with iptables. Which one would you prefer?
What is their network topology like? Do they cycle through their honeypots? iptables is especially bad if you have the situation where what was once a honeypot one week turns into a legitimate server the next.
OTOH, exit policy is bad if you end up with a ton of entries in it...
I additionally wanted to ask here if there is any experience with shadowserver in this regard?
Explaining the issue to my ISP failed. They keep on getting nervous.
This may be an issue. If the zealots believe that they can intimidate your ISP to knock you offline, they may keep sending nonsense reports to do so, declaring victory that one more tor node bites the dust...
Not sure what to tell you about this. If they succeed, perhaps it's just new ISP time? There are a lot of crazies out there, not just these guys.
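Sam's advice (put the block in the exit policy, iptables at most as a backstop) and Mike's caveat about a policy bloated with entries both hinge on how Tor evaluates ExitPolicy lines. The following is an added illustration for this thread, not code from Tor or from anyone on the list: a small evaluator with Tor's first-match semantics, used to check what a given policy actually lets out and why the order of reject lines matters. The sinkhole addresses are placeholders from the TEST-NET documentation ranges, not shadowserver's real IPs, and the port list is an assumed "web and mail" set, not Alex's actual torrc.

```python
# Added illustration, not Tor's code: evaluate torrc-style exit-policy rules
# with first-match semantics. Addresses are documentation ranges (TEST-NET-1
# and TEST-NET-3), constructed as placeholders; ports are an assumed set.
import ipaddress

IMPLICIT_DEFAULT = "reject *:*"  # Tor appends this to every exit policy


def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT|LO-HI|*' into a tuple."""
    action, target = rule.split(None, 1)
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action in rule: {rule!r}")
    addr, ports = target.rsplit(":", 1)
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return action, net, lo, hi


def parse_policy(rules):
    """Compile rules in file order, followed by Tor's implicit reject."""
    return [parse_rule(r) for r in list(rules) + [IMPLICIT_DEFAULT]]


def exit_allowed(policy, dst_ip, dst_port):
    """The first matching rule decides, exactly as Tor walks ExitPolicy."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net, lo, hi in policy:
        if (net is None or ip in net) and lo <= dst_port <= hi:
            return action == "accept"
    return False  # not reached: the implicit 'reject *:*' always matches


def torrc_lines(rules):
    """Render rules as the torrc directives an operator would paste."""
    return [f"ExitPolicy {r}" for r in rules]


# Placeholder sinkhole addresses (constructed, TEST-NET-1).
SINKHOLE_IPS = ["192.0.2.10", "192.0.2.11"]
# Assumed "web and mail only" accept set.
WEB_MAIL_PORTS = [80, 443, 25, 110, 143, 465, 587, 993, 995]

# Correct layout: the specific rejects come first, then the broad accepts.
ALEX_RULES = ([f"reject {ip}:*" for ip in SINKHOLE_IPS]
              + [f"accept *:{p}" for p in WEB_MAIL_PORTS])
ALEX_POLICY = parse_policy(ALEX_RULES)

# Same lines with the rejects appended after the accepts: 'accept *:80'
# matches first, so the sinkhole stays reachable on port 80.
WRONG_ORDER = parse_policy([f"accept *:{p}" for p in WEB_MAIL_PORTS]
                           + [f"reject {ip}:*" for ip in SINKHOLE_IPS])

if __name__ == "__main__":
    for line in torrc_lines(ALEX_RULES):
        print(line)
    # An IRC connection (6667) cannot leave this exit at all, sinkhole or not.
    print(exit_allowed(ALEX_POLICY, "203.0.113.5", 6667))  # False
    print(exit_allowed(ALEX_POLICY, "192.0.2.10", 80))     # False, rejected
    print(exit_allowed(WRONG_ORDER, "192.0.2.10", 80))     # True, ordering bug
```

The evaluator makes two things concrete. First, with only web and mail ports accepted, a connection to an IRC port never leaves the relay, whatever the destination. Second, the reject lines for the honeypots have to sit above the `accept *:80` style lines, or they never fire; this is also why the policy is the right place for the block: it is what the relay publishes in its descriptor, so clients and exit scanners know not to expect those destinations, whereas an iptables-only drop silently breaks connections the advertised policy promises to carry. If the honeypots really sit in one netblock, a single CIDR reject keeps the policy short, at the cost Mike mentions of hitting whatever legitimate host later inherits an address in that range.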
Mike Perry wrote:
Last year my VDS provider received an idiotic abuse report from them. Because the employees of that ISP were idiots too, I had to change my VDS provider. It seems to me that 'shadowserver.org' is an evil group that deliberately sends unfounded abuse reports against Tor nodes etc.
Hi
thanks for your support.
On Sun, Mar 20, 2011 at 03:58:10AM +0000, Orionjur Tor-admin wrote:
It seems to me that 'shadowserver.org' is an evil group that deliberately sends unfounded abuse reports against Tor nodes etc.
No, I think this goes overboard. Some of them are pretty fanatic and might indeed work with such tricks occasionally. But others sound pretty reasonable. And in the end, Internet crime exists and must be dealt with, doesn't it?
regards
Alex
On 20.03.2011 11:49, alex-tor@copton.net wrote:
It seems to me that 'shadowserver.org' is an evil group that deliberately sends unfounded abuse reports against Tor nodes etc.
No, I think this goes overboard. Some of them are pretty fanatic and might indeed work with such tricks occasionally. But others sound pretty reasonable. And in the end, Internet crime exists and must be dealt with, doesn't it?
I have been in contact with blacklists from one end of the spectrum and from the other. One particular one even called me back because Tor is very important to them and they want to work on a way to make this easier for Tor operators.
In the end, it just again shows that there is something wrong with ISPs. Even if I were to receive 100 information letters per day, they are still just information letters.
I have no problem receiving all Spamcop reports. To the contrary, I believe spam shows one of the flaws in the current implementation of the Internet, and it has to be dealt with. Even if the war against spam has to be fought with the same technically flawed methods.
In Germany, we nowadays call such a thing "Brückentechnologie" (bridging technology): We acknowledge that something has huge flaws, but we're not willing to give up other properties of the system to really fix the problem. Instead, we try to find constant workarounds.
Tor is in the same category.
Hey Mike,
thank you for your support.
On Sat, Mar 19, 2011 at 06:16:45PM -0700, Mike Perry wrote:
It is quite possible that lunatics like these will just make up abuse reports and send them to ISPs that look like they might cave. It is very interesting that our higher bandwidth exits that *do* exit to IRC are not hearing from them right now.
I still don't understand why they report an IRC bot if the target port is port 80.
What is their network topology like? Do they cycle through their honeypots?
I don't know. How could we find out?
iptables is especially bad if you have the situation where what was once a honeypot one week turns into a legitimate server the next. OTOH, exit policy is bad if you end up with a ton of entries in it...
Yes, I agree. Up to now it's only the 8 IPs that Damian obtained from robtex. I block them both via exit policy and iptables (just to be sure...)
This may be an issue. If the zealots believe that they can intimidate your ISP to knock you offline, they may keep sending nonsense reports to do so, declaring victory that one more tor node bites the dust... Not sure what to tell you about this. If they succeed, perhaps it's just new ISP time?
I think, the larger problem then is that "one more ISP bites the dust".
Let's see what happens.
regards
Alex
tor-relays@lists.torproject.org