On Wed, 9 Mar 2011 19:18:34 -0500 cmeclax-sazri cmeclax-sazri@ixazon.dynip.com wrote:
On Wednesday 09 March 2011 17:20:17 Chris Palmer wrote:
On 03/09/2011 01:48 PM, Arjan wrote:
We are saying hello on port 443, and then saying goodbye. Once. Using normal TCP and TLS handshaking, no tricks. For the good of the internet.
That would be enough to get me in trouble with my ISP for performing portscans (if I were running an exit node).
And how would you, or anyone else, differentiate that from normal web browsing?
If a lot of those connection attempts are going to IP addresses with no host present, or hosts not running a webserver, it looks like portscanning. If almost all of the connection attempts are to webservers that have port 443 open, it looks like normal https web browsing.
Are you kidding? Closing a connection upon receipt of the ACK response to the SYN you sent looks like normal HTTPS web browsing? On what planet? Normal web browsing, whether HTTP or HTTPS, involves data transmission occurring in both directions between receipt of that ACK and the closing of the connection by the web browser. Closing the connection upon receipt of the ACK response to the SYN without any intervening data transmission is, OTOH, a characteristic behavior of port scanners. So you had it backwards. Here's a tidbit for you to consider. pf offers an option on filtering rules for inbound SSL connections called "synproxy", which relieves server software of the effort of dealing with bogus connection attempts by handling the SSL exchanges itself before passing the connection on to the server. It also means that a connection from something that doesn't know how to perform the SSL handshaking will sit until the timeout occurs, so the attacker is stuck with an outstanding connection tying up resources until that happens. That delay of a couple of minutes can be a long and wasteful nuisance to an attacker. OTOH, a legitimate application, e.g., a tor client or relay trying to connect to the ORPort of another relay, completes the handshake and begins communicating with its peer with no delay, and the software accepting the connection only deals with the legitimate connections. It works just great! :-) I highly recommend it to anyone running a tor relay on a system that supports pf.
I have only one external address and only a few ports forwarded, so I can't detect portscans. I have noticed that an attempt to guess passwords on SSH is often, but not always, preceded by a connect and disconnect from the same IP address, which is probably part of a portscan. I don't block addresses that scan ports, but I do block addresses that try to guess passwords (not on the Tor box, just on the other one). The block expires in a day.
To each his/her own. Legitimate port scanning operations are typically run by system/network administrators against the machines on their *own networks*. I treat any others as attackers or at least attacker-wannabes, and I keep track of such miscreants indefinitely against the possibility that I might someday provide services other than tor relaying. The miscreants will have no access to such services on general principles and will only have access to the tor node if and when they are currently running a public (i.e., not a bridge) tor node on the system with the IP address from which their tor attempts to connect to mine.
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at cs.niu.edu * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************
On Tuesday 29 March 2011 05:06:15 Scott Bennett wrote:
Are you kidding? Closing a connection upon receipt of the ACKresponse to the SYN you sent looks like normal HTTPS web browsing? On what planet? Normal web browsing, whether HTTP or HTTPS, involves data transmission occurring in both directions between receipt of that ACK and the closing of the connection by the web browser.
Opening a web page with lots of images results in lots of connections to web servers. If I hit the stop button before the images are loaded, my browser will close those connections without receiving any data. Web pages do not normally contain lots of HTTP links to sites that aren't running web servers, so a lot of refused connections does not look like anything that can happen in normal web browsing. Port scanning results in lots of connections closed upon opening and lots of connections refused; the distinctor is the lots of connections refused.
cmeclax
On 3/29/11 3:30 PM, cmeclax-sazri wrote:
Opening a web page with lots of images results in lots of connections to web servers. If I hit the stop button before the images are loaded, my browser will close those connections without receiving any data. Web pages do not normally contain lots of HTTP links to sites that aren't running web servers, so a lot of refused connections does not look like anything that can happen in normal web browsing. Port scanning results in lots of connections closed upon opening and lots of connections refused; the distinctor is the lots of connections refused.
Ok, anyone willing to implement a portscan detector using such logic? :-)
I candidate myself to test it with the risk of getting Bad-Exited ;P
-naif
Thus spake Fabio Pietrosanti (naif) (lists@infosecurity.ch):
On 3/29/11 3:30 PM, cmeclax-sazri wrote:
Opening a web page with lots of images results in lots of connections to web servers. If I hit the stop button before the images are loaded, my browser will close those connections without receiving any data. Web pages do not normally contain lots of HTTP links to sites that aren't running web servers, so a lot of refused connections does not look like anything that can happen in normal web browsing. Port scanning results in lots of connections closed upon opening and lots of connections refused; the distinctor is the lots of connections refused.
So then when a website or ad server wants to DoS a tor user, they just introduce a tight open+close XMLHTTPRequest loop in some JS?
Ok, anyone willing to implement a portscan detector using such logic? :-)
I candidate myself to test it with the risk of getting Bad-Exited ;P
At the point where you are implementing stuff there's no reason to risk anything. As I've said before, we can safely signal to clients in real time that they should go elsewhere with their traffic. The Tor Protocol supports this.
There is no need to break stuff for unsuspecting users. Srsly: https://lists.torproject.org/pipermail/tor-relays/2011-March/000675.html
On Tuesday 29 March 2011 21:11:33 Mike Perry wrote:
Thus spake Fabio Pietrosanti (naif) (lists@infosecurity.ch): So then when a website or ad server wants to DoS a tor user, they just introduce a tight open+close XMLHTTPRequest loop in some JS?
With the URLs being a bunch of different IP addresses that don't run webservers. But as you said, the exit node will send a "closed for policy reasons" back to the client, who will pick another exit node, which maybe doesn't have this policy.
cmeclax
tor-relays@lists.torproject.org
-
cmeclax-sazri -
Fabio Pietrosanti (naif) -
Mike Perry -
Scott Bennett