Recent Events for foo.be MainPageDiary (Blog) Previous Next

2006-08-09 Blocking Tor what to do

Before going into the post, please understand that I'm really a huge fan of anonymizer software in order to protect privacy (a fundamental right in the information society). In the last days, I discovered at least three tentatives to compromise web server or other services like SSH. They were all coming from exit node in the Tor network. I was a little puzzled from that but there is always a tradeoff to accept anonymous communication. You have to allow a little part of bad traffic for permitting the good use like protection privacy. But for what I seen there is much more bad traffic than good traffic (at least on the monitored networks). Bad traffic is often composed of probes to compromise web server and they are relying on Tor to limit the way to trace them. So what to do ? If you take the approach to block all exit node, you have to build a list of all the exit node. A script is available to list all the exit node from a tor network as explained in the tor abuse faq, this is not perfect and only give a partial view of the current tor network and its exit node. I built a basic script to extract the information from the directory services which is part of the tor client. From it, I'm generating an RDF file containing the current node in the network. I counted around 4200 and 4500 nodes in a normal day and a large part of the set is stable (meaning a part of the set is a fixed list of IPs for a period longer than one day). The difficult part is how to block (or limit1 ) the IP lists to reach the targeted networks. Blocking means that the legitimate users (using the tor network or the same machine) can't access your network and the respective services. You can update the list by injecting a nullroute for the source networks into your border router. This works but could cost a lot to update as the list is quite floating. Other ways like urpf could be also considered. Blocking is not a perfect solution but could help you when you have an intensive attack from the tor network. There is no perfect solution but you have to find a balance to live with the various anonymous network around the world.


Footnotes:

1. You could also use the ability to limit the state per rule in PF. source-track is a nifty option.